Microsoft Internet Explorer Mouse Click Event Hijacking Vulnerability



Date Discovered

November 11, 2003


A vulnerability exists in Internet Explorer when handling specific DHTML events, allowing a malicious Web page to intercept mouse click events to perform unintended drag and drop operations. In particular, it is possible to simulate a mouse drag and drop event through use of the moveBy() DHTML method of the window object. This attack may also apply to the moveTo(), resizeBy(), and resizeTo() methods of the window object. This could be exploited by creating a link that when clicked will cause an object such as an executable or shortcut to be stored on the client computer, such as in the startup folder. Successful exploitation will permit execution of arbitrary code in the context of the client user. It should be noted that a later variant of this issue exists (BID 9108) that evades the fixes provided in MS03-048. This later variant is addressed by MS04-004.

Technologies Affected

  • Microsoft Internet Explorer 5.0.1
  • Microsoft Internet Explorer 5.0.1 SP1
  • Microsoft Internet Explorer 5.0.1 SP2
  • Microsoft Internet Explorer 5.0.1 SP3
  • Microsoft Internet Explorer 5.5
  • Microsoft Internet Explorer 5.5 SP1
  • Microsoft Internet Explorer 5.5 SP2
  • Microsoft Internet Explorer 6.0
  • Microsoft Internet Explorer 6.0 SP1


Run all software as a nonprivileged user with minimal access rights.
Running Internet Explorer with least privileges possible may help mitigate the impact of successful exploitation of this vulnerability.

Do not follow links provided by unknown or untrusted sources.
This and related issues could be exploited via a malicious web page. Users should be cautious about visiting links provided by untrusted or unfamiliar sources or websites of questionable integrity.

Set web browser security to disable the execution of script code or active content.
Disabling script code or active content functionality in Internet Explorer may limit exposure to this and other vulnerabilities.

Microsoft has released fixes for this issue. A later variant of this issue (BID 9108) was discovered that is addressed in MS04-004. Please see BID 9108 and MS04-004 for further information.



Discovery of this issue is credited to Liu Die Yu.

© 1995- Symantec Corporation

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from


The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.