Microsoft KB Archive/888534

= How to help protect against the Internet Explorer Click and Scroll security issue =

Article ID: 888534

Article Last Modified on 2/14/2007

-

APPLIES TO


 * Microsoft Internet Explorer 5.0
 * Microsoft Internet Explorer 6.0

-



Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
''Microsoft is investigating reports of a security issue with Microsoft Internet Explorer that is known as Click and Scroll. This article contains details about this security issue. This article also describes steps that you can use to help protect your computer against this security issue.''



INTRODUCTION
We are investigating reports of a security issue with Internet Explorer that is known as Click and Scroll. This security issue affects all supported versions of Windows. This security issue could make it possible for an attacker to put a malicious file on your computer if you visit a malicious Web site. As of October 26, 2004, Microsoft is not aware of this security issue affecting any customers. Microsoft will continue to investigate this security issue to determine the appropriate steps to help protect our customers. Additionally, Microsoft is providing steps that you can use to help protect your computer against this security issue. To help protect your computer against this security issue, customers should follow these steps.

Note The following steps are described in more detail later in this article.
 * 1) Obtain and install the MS04-038 cumulative Security Update for Internet Explorer. For additional information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:

834707 MS04-038: Cumulative Security Update for Internet Explorer

 * 2) Disable the Drag and drop or copy and paste files option in the Internet and Local intranet Web content zones.

You must have completed all of the following steps for this security issue to affect your computer:
 * Visit a malicious Web site.
 * Interact with the malicious Web site by clicking in the browser window or pressing certain keys on your keyboard.
 * Complete either of the following steps so that the malicious file runs:
   * Log off your computer, and then log on to your computer.
   * Restart your computer.

Note If you have set your Internet Security zone settings to High, this security issue does not affect you. For additional information about how to increase your browsing and e-mail safety, visit the following Microsoft Web site:

http://www.microsoft.com/athome/security/online/browsing_safety.mspx



MORE INFORMATION
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Microsoft recommends that you use one of the following methods to help protect your computers.

Install the MS04-038 update and disable the Drag and drop or copy and paste files option
Effect of this configuration: When you try to move or copy files by using Internet Explorer or Windows Explorer after you complete the following procedure, you may receive an error message. For example, you may receive the following error message when you try to copy and paste or try to perform a drag-and-drop operation:

Security Alert

Your current security settings prohibit copying or moving files from this zone.

If you want to copy and paste or perform a drag-and-drop operation after you apply this configuration, follow the steps in the "How to restore your previous drag and drop or copy and paste files setting" section later in this article.

To install the MS04-038 update and disable the Drag and drop or copy and paste files option, follow these steps:
 * 1) Obtain and install the MS04-038 cumulative Security Update for Internet Explorer. For additional information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:

834707 MS04-038: Cumulative Security Update for Internet Explorer

For additional information about the MS04-038 cumulative Security Update for Internet Explorer, visit the following Microsoft Web site:

http://www.microsoft.com/athome/security/update/bulletins/default.mspx

Important You must install the MS04-038 cumulative Security Update for Internet Explorer for the configuration steps that are listed in this article to be effective.
 * 2) Disable the Drag and drop or copy and paste files option in the Internet and Local intranet zones. To do this, follow these steps:
   * a) In Internet Explorer, click Internet Options on the Tools menu, and then click the Security tab.
   * b) In the Select a Web content zone to specify its security settings box, click Internet, and then click Custom Level.
   * c) In the Settings box, locate the Drag and drop or copy and paste files option under Miscellaneous. Make a note of your current setting; you will need it to restore the setting later.
   * d) Under Drag and drop or copy and paste files, click Disable, and then click OK.
   * e) Click Yes, and then click OK two times.
   * f) Repeat steps 2b through 2e for the Local intranet zone by clicking Local intranet instead of Internet in step 2b.

How to restore your previous drag and drop or copy and paste files setting
To restore your previous drag and drop or copy and paste files setting, follow these steps:
 * 1) In Internet Explorer, click Internet Options on the Tools menu, and then click the Security tab.
 * 2) In the Select a Web content zone to specify its security settings box, click Internet, and then click Custom Level.
 * 3) In the Settings box, locate the Drag and drop or copy and paste files option under Miscellaneous.
 * 4) Click the option that you noted in step 2c earlier in this article, and then click OK.
 * 5) Click Yes, and then click OK two times.
 * 6) Repeat these steps for the local intranet zone by clicking Local intranet instead of Internet in step 2.

Install the MS04-038 update and disable the Drag and drop or copy and paste files option across a domain
Potential effect of this configuration: By completing the following procedure, you may change the behavior of some Windows programs and components, and you may cause some programs to lose functionality. We recommend that you first thoroughly test the procedure before implementing it in a production environment to make sure that mission-critical programs will continue to work correctly for all users.

Important Because of business needs, Enterprise customers may not be able to disable the Drag and drop or copy and paste files option. You can still help protect computers that are running Microsoft Windows XP Service Pack 2 (SP2) by disabling the Hhctrl.ocx ActiveX control. For information about how to do this, see the "How to manually disable the HTML Help control (Hhctrl.ocx ActiveX control)" section later in this article.

You may still want to copy and paste or perform a drag-and-drop operation after you apply this configuration. To do this, follow the steps in the "How to restore the Drag and drop or copy and paste files option across a domain" section later in this article.

To install the MS04-038 update and disable the Drag and drop or copy and paste files option across a domain, follow these steps:
 * 1) Obtain the MS04-038 cumulative Security Update for Internet Explorer, and then deploy the security update to all the computers in your domain. For additional information about how to obtain this security update, click the following article number to view the article in the Microsoft Knowledge Base:

834707 MS04-038: Cumulative Security Update for Internet Explorer

For additional information about how to deploy this update, see the "Security Update Information" section on the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS04-038.mspx

Important You must install the MS04-038 cumulative Security Update for Internet Explorer for the configuration steps that are listed in this article to be effective.
 * 2) Use Group Policy to disable the Drag and drop or copy and paste files option on all the computers in a Microsoft Windows 2000-based or Microsoft Windows Server 2003-based domain. To do this, use the appropriate method for your environment.

The Security Zones: Use only machine settings setting is not enabled in Group Policy
 * 1) Start the Active Directory Users and Computers snap-in. To do this, click Start on a domain controller, click Run, type dsa.msc, and then click OK.
 * 2) Right-click the domain, click Properties, and then click the Group Policy tab.
 * 3) Click New, type a descriptive name for the new Group Policy object (GPO), and then press ENTER. For example, click New, type Internet Explorer Click and Scroll fix, and then press ENTER.
 * 4) Click Edit to modify the new GPO that you created in step 3.
 * 5) Expand User Configuration, expand Windows Settings, expand Internet Explorer Maintenance, click Security, and then double-click Security Zones and Content Ratings.
 * 6) Under Security and Privacy Settings, click Import the current security zones and privacy settings. If you are prompted to continue, click Continue. Note that this imports all the zone settings of the computer on which you are editing the GPO, not only the Drag and drop or copy and paste files option, so edit the GPO on a computer whose zone configuration is suitable for every user to whom the GPO applies.
 * 7) Click Modify Settings.
 * 8) Click Local intranet, and then click Custom Level.
 * 9) Locate the Drag and drop or copy and paste files option. Make a note of the current setting, and then click Disable.
 * 10) Click OK, click Yes, and then click OK two times.
 * 11) Repeat steps 8 through 10, but click Internet instead of Local intranet in step 8.

Important Changes are not applied to domain user accounts until the users log on to the domain.

The Security Zones: Use only machine settings setting is enabled in Group Policy
 * 1) On the domain controller that you are going to run the Active Directory Users and Computers snap-in on, create a registry (.reg) file that changes the 1802 registry value to 3 and a batch (.bat) file that applies it. Use the files for the appropriate platform:
   * For 32-bit versions of Internet Explorer on 32-bit versions of Windows, or for 64-bit versions of Internet Explorer on 64-bit versions of Windows XP or Windows Server 2003, the 1802 value is changed under the Zones\1 (Local intranet) and Zones\3 (Internet) subkeys shown in the following registry file. To create the files, follow these steps:
     * a) Copy the following text, and then paste it into a text editor, such as Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1802"=dword:00000003

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1802"=dword:00000003

     * b) Save the file as "Disable1802.reg".
     * c) Copy the following text, and then paste it into a text editor, such as Notepad:

REGEDIT.EXE /S Disable1802.reg

     * d) Save the file as "Disable1802.bat".

Note Before you deploy the batch file, make sure that the batch file works correctly by testing it on one computer.
   * For 32-bit versions of Internet Explorer on 64-bit versions of Windows XP or 64-bit versions of Windows Server 2003, the same 1802 value is changed under the Wow6432Node view of the Zones\1 and Zones\3 subkeys, which is where 32-bit Internet Explorer reads its zone settings on 64-bit Windows. To create the files, follow these steps:
     * a) Copy the following text, and then paste it into a text editor, such as Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1802"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1802"=dword:00000003

     * b) Save the file as "Disable1802_64.reg".
     * c) Copy the following text, and then paste it into a text editor, such as Notepad:

REGEDIT.EXE /S Disable1802_64.reg

     * d) Save the file as "Disable1802_64.bat".

Note Before you deploy the batch file, make sure that the batch file works correctly by testing it on one computer.
 * 2) Create a new GPO, and then add the batch file to it as a computer startup script. To do this, follow these steps:
   * a) Copy the batch file and the .reg file that you created in step 1 to the \\ \SysVol\ \Policies\ \Machine\Scripts\Startup folder.
   * b) On the same computer that you used in step 1, start the Active Directory Users and Computers snap-in. To do this, click Start, click Run, type dsa.msc, and then click OK.
   * c) Right-click the domain, click Properties, and then click the Group Policy tab.
   * d) Click New, type a descriptive name for the new GPO, and then press ENTER. For example, click New, type Internet Explorer Click and Scroll fix, and then press ENTER.
   * e) Click Edit to modify the new GPO that you created in step 2d.
   * f) Expand Computer Configuration, expand Windows Settings, click Scripts (Startup/Shutdown), click Startup, and then click Add.
   * g) Locate and then click the batch file that you created in step 1, and then click Add.
   * h) Click OK, click Yes, and then click OK two times.

Important Because the batch file runs as a computer startup script, the change is not applied to a computer until that computer restarts and processes the new GPO.

How to restore the Drag and drop or copy and paste files option across a domain
You can restore the Drag and drop or copy and paste files option on all computers in a Windows 2000-based or Windows Server 2003-based domain by using Group Policy. To do this, follow these steps:
 * 1) On the domain controller that you are going to run the Active Directory Users and Computers snap-in on, create a registry file that changes the 1802 registry value back to 0 (Enable) and a batch file that applies it. Use the files for the appropriate platform:
   * For 32-bit versions of Internet Explorer on 32-bit versions of Windows, or for 64-bit versions of Internet Explorer on 64-bit versions of Windows XP or Windows Server 2003, the 1802 value is changed under the Zones\1 and Zones\3 subkeys shown in the following registry file. To create the files, follow these steps:
     * a) Copy the following text, and then paste it into a text editor, such as Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1802"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1802"=dword:00000000

     * b) Save the file as "Enable1802.reg".
     * c) Copy the following text, and then paste it into a text editor, such as Notepad:

REGEDIT.EXE /S Enable1802.reg

     * d) Save the file as "Enable1802.bat".

Note Before you deploy the batch file, make sure that the batch file works correctly by testing it on one computer.
   * For 32-bit versions of Internet Explorer on 64-bit versions of Windows XP or 64-bit versions of Windows Server 2003, the same 1802 value is changed under the Wow6432Node view of the Zones\1 and Zones\3 subkeys. To create the files, follow these steps:
     * a) Copy the following text, and then paste it into a text editor, such as Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1802"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1802"=dword:00000000

     * b) Save the file as "Enable1802_64.reg".
     * c) Copy the following text, and then paste it into a text editor, such as Notepad:

REGEDIT.EXE /S Enable1802_64.reg

     * d) Save the file as "Enable1802_64.bat".

Note Before you deploy the batch file, make sure that the batch file works correctly by testing it on one computer.
 * 2) Add the batch file to the existing GPO as a computer startup script. To do this, follow these steps:
   * a) Copy the batch file and the .reg file that you created in step 1 to the \\ \SysVol\ \Policies\ \Machine\Scripts\Startup folder.
   * b) On the same computer that you used in step 1, start the Active Directory Users and Computers snap-in. To do this, click Start, click Run, type dsa.msc, and then click OK.
   * c) Right-click the domain, click Properties, and then click the Group Policy tab.
   * d) Click the GPO that you created in step 2d of the "Install the MS04-038 update and disable the Drag and drop or copy and paste files option across a domain" section.
   * e) Click Edit.
   * f) Expand Computer Configuration, expand Windows Settings, click Scripts (Startup/Shutdown), click Startup, and then click Add.
   * g) Locate and then click the batch file that you created in step 1, and then click Add.
   * h) Click OK, click Yes, and then click OK two times.

Note If the Disable1802 batch file is still listed under Startup in the same GPO, remove it; otherwise both scripts run at every startup.
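The option that the Custom Level dialog box, the Internet Explorer Maintenance GPO and the Disable1802/Enable1802 registry files all change is the same registry value: URLACTION 1802 under each zone's subkey. None of the procedures above includes a way to confirm what a computer ended up with, or to tell whether the per-user (HKCU) or machine (HKLM) copy is the one Internet Explorer actually reads. The following PowerShell script is an added example written for this edit of the article; it is not part of KB 888534 and not a Microsoft tool. It reports the 1802 value for the Local intranet (zone 1) and Internet (zone 3) zones in the HKCU, HKLM and, on 64-bit Windows, Wow6432Node views, shows whether the "Use only machine settings" policy is in force, and with -Mode Disable or -Mode Restore writes the HKLM values exactly as the registry files in the two domain procedures do. It assumes Windows PowerShell 3.0 or later with administrative rights. The policy value name Security_HKLM_only and the meaning of the 0/1/3 values (Enable/Prompt/Disable) are standard Internet Explorer zone conventions that the article itself does not spell out.

```powershell
# Added example for KB 888534 (not Microsoft's code): audit or set URLACTION 1802,
# the registry value behind "Drag and drop or copy and paste files", for the
# Local intranet (zone 1) and Internet (zone 3) zones.
# Values: 0 = Enable, 1 = Prompt, 3 = Disable (standard IE zone policy values).
# Assumes Windows PowerShell 3.0+; run elevated when -Mode is Disable or Restore.
param(
    [ValidateSet('Audit', 'Disable', 'Restore')]
    [string]$Mode = 'Audit',
    # Value to put back with -Mode Restore: the setting you noted before disabling.
    [ValidateSet(0, 1, 3)]
    [int]$RestoreValue = 0
)

$zoneNames  = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$stateNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$target     = @{ Disable = 3; Restore = $RestoreValue }

# Per-user zone settings live under HKCU, machine-wide settings under HKLM.
# 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node view.
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)
if ([Environment]::Is64BitOperatingSystem) {
    $roots += 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
}

# "Security Zones: Use only machine settings" is stored as Security_HKLM_only
# (assumed standard location); when it is 1, IE ignores the HKCU zone settings.
$policyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$hklmOnly  = (Get-ItemProperty -Path $policyKey -Name Security_HKLM_only -ErrorAction SilentlyContinue).Security_HKLM_only
Write-Host ('Use only machine settings: ' + $(if ($hklmOnly -eq 1) { 'enabled (HKLM values apply)' } else { 'not enabled (HKCU values apply)' }))

foreach ($root in $roots) {
    foreach ($zone in ($zoneNames.Keys | Sort-Object)) {
        $key = Join-Path -Path $root -ChildPath $zone
        if (-not (Test-Path -Path $key)) { continue }

        $current = (Get-ItemProperty -Path $key -Name '1802' -ErrorAction SilentlyContinue).'1802'
        $state = if ($null -ne $current -and $stateNames.ContainsKey([int]$current)) { $stateNames[[int]$current] } else { 'not set' }
        Write-Host ('{0,-14} {1}' -f $zoneNames[$zone], $key)
        Write-Host ('               1802 = {0} ({1})' -f $current, $state)

        # Only HKLM is written, which is what the article's startup-script method does.
        if ($Mode -ne 'Audit' -and $root -like 'HKLM:*') {
            $new = $target[$Mode]
            Set-ItemProperty -Path $key -Name '1802' -Value $new -Type DWord
            Write-Host ('               {0}: 1802 set to {1} ({2}), was {3}' -f $Mode, $new, $stateNames[$new], $current)
        }
    }
}
```

Run it with no parameters on one test computer after the startup script has run to confirm that the HKLM (and, on 64-bit Windows, Wow6432Node) values read 3, and run it once before you deploy so that the audit output records the value to pass as -RestoreValue later. When "Use only machine settings" is not enabled, the HKCU value is the one that matters for each user, which is why the article's GUI and Internet Explorer Maintenance procedures change the user setting rather than HKLM.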

How to manually disable the HTML Help control (Hhctrl.ocx ActiveX control)
If you cannot disable the Drag and drop or copy and paste files option, you can help protect Windows XP SP2-based computers by disabling the HTML Help control (Hhctrl.ocx ActiveX control).

Effect of this configuration: Disabling the Hhctrl.ocx ActiveX control helps protect against this security issue only on Windows XP SP2-based computers. Disabling Hhctrl.ocx prevents Internet Explorer from instantiating the control. This configuration causes program compatibility issues. Some examples of such issues are:
 * In Help and Support Center, the Index feature no longer works.
 * In HTML Help, features such as Related Topics and Shortcuts no longer work.
 * Features that are provided by the HTML Help control in Enterprise intranet programs no longer work.

Warning The following steps deploy this configuration to all the computers to which the GPO applies. If you have a mixed environment with computers that are running Windows 2000, Windows XP Service Pack 1 (SP1) and Windows XP SP2, you must take additional steps so that only the Windows XP SP2-based computers receive the configuration. For example, all the Windows XP SP2-based computers must be located in one Active Directory organizational unit (OU), and you must apply the Group Policy that you create in this method to that OU. After you complete the deployment of this configuration, you can move the Windows XP SP2-based computers back to their original OUs.
 * 1) Copy the following text, and then paste it into a text editor, such as Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{41B23C28-488E-4E5C-ACE2-BB0BBABE99E8}]
"Compatibility Flags"=dword:00000400

 * 2) Save the file as "DisableHhctrl.reg".
 * 3) Copy the following text, and then paste it into a text editor, such as Notepad:

REGEDIT.EXE /S DisableHhctrl.reg

 * 4) Save the file as "DisableHhctrl.bat".

Note Before you deploy the batch file, make sure that the batch file works correctly by testing it on one computer.
 * 5) Import the batch file into the GPO. To do this, follow these steps:
   * a) Copy the batch file that you created in step 4 and the DisableHhctrl.reg file to the \\ \SysVol\ \Policies\ \Machine\Scripts\Startup folder.
   * b) On the computer that you want to run the Active Directory Users and Computers snap-in on, click Start, click Run, type dsa.msc, and then click OK.
   * c) Right-click the OU that contains the Windows XP SP2-based computers, click Properties, click the Group Policy tab, click the GPO that you want to use for this configuration, and then click Edit.
   * d) Expand Computer Configuration, expand Windows Settings, click Scripts (Startup/Shutdown), click Startup, and then click Add.
   * e) Locate and then click the batch file that you created in step 4, and then click Add.
   * f) Click OK, click Yes, and then click OK two times.

If you want to reset the default settings of the HTML Help control after you apply this configuration, follow the steps in the "How to reset the default settings of the HTML Help control" section later in this article.

How to reset the default settings of the HTML Help control
To reset the HTML Help control back to the default settings, follow these steps:
 * 1) Copy the following text, and then paste it into a text editor, such as Notepad:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{41B23C28-488E-4E5C-ACE2-BB0BBABE99E8}]

 * 2) Save the file as "EnableHhctrl.reg".
 * 3) Copy the following text, and then paste it into a text editor, such as Notepad:

REGEDIT.EXE /S EnableHhctrl.reg

 * 4) Save the file as "EnableHhctrl.bat".

Note Before you deploy the batch file, make sure that the batch file works correctly by testing it on one computer.
 * 5) Import the batch file into the GPO. To do this, follow these steps:
   * a) Copy the batch file that you created in step 4 and the EnableHhctrl.reg file to the \\ \SysVol\ \Policies\ \Machine\Scripts\Startup folder.
   * b) Start the Active Directory Users and Computers snap-in. To do this, click Start on a domain controller, click Run, type dsa.msc, and then click OK.
   * c) Right-click the OU that contains the Windows XP SP2-based computers, click Properties, and then click the Group Policy tab.
   * d) Click the GPO that you used in step 5c of the "How to manually disable the HTML Help control (Hhctrl.ocx ActiveX control)" section earlier in this article.
   * e) Click Edit.
   * f) Expand Computer Configuration, expand Windows Settings, click Scripts (Startup/Shutdown), click Startup, and then click Add.
   * g) Locate and then click the batch file that you created in step 4, and then click Add.
   * h) Click OK, click Yes, and then click OK two times.

Note If the DisableHhctrl batch file is still listed under Startup in the same GPO, remove it; otherwise both scripts run at every startup.
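The two registry files above set and remove what Internet Explorer calls the kill bit: the value 0x400 in Compatibility Flags under the control's CLSID in the ActiveX Compatibility key, which stops Internet Explorer from instantiating the control without unregistering or deleting Hhctrl.ocx. The following PowerShell script is an added example written for this edit of the article; it is not part of KB 888534 and not a Microsoft tool. It checks whether the kill bit is set for the HTML Help control, reports the operating system and service pack (the article says the mitigation helps only on Windows XP SP2), and with -Mode Disable or -Mode Reset performs the same change as DisableHhctrl.reg and EnableHhctrl.reg. It assumes Windows PowerShell 3.0 or later running with administrative rights. One deliberate difference from the .reg file is noted in the code: the script ORs the kill bit into any Compatibility Flags already present instead of overwriting them.

```powershell
# Added example for KB 888534 (not Microsoft's code): check, set or clear the
# kill bit for the HTML Help control (Hhctrl.ocx). The article's DisableHhctrl.reg
# writes Compatibility Flags = 0x400 (the kill bit) under the control's CLSID;
# EnableHhctrl.reg deletes that CLSID key. Assumes Windows PowerShell 3.0+,
# run elevated for -Mode Disable or Reset.
param(
    [ValidateSet('Check', 'Disable', 'Reset')]
    [string]$Mode = 'Check'
)

$clsid   = '{41B23C28-488E-4E5C-ACE2-BB0BBABE99E8}'   # HTML Help control CLSID, from the article
$killBit = 0x400                                       # the kill bit flag
$key     = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"

function Get-KillBitState {
    if (-not (Test-Path -Path $key)) { return 'no ActiveX Compatibility entry (control allowed)' }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return 'entry present without Compatibility Flags (control allowed)' }
    if (($flags -band $killBit) -ne 0) { return ('kill bit set, Compatibility Flags = 0x{0:X}' -f $flags) }
    return ('kill bit clear, Compatibility Flags = 0x{0:X}' -f $flags)
}

# The article says this mitigation helps only on Windows XP SP2, so show what we are on.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host ('OS: {0}, service pack {1}' -f $os.Caption, $os.ServicePackMajorVersion)
Write-Host ('Before: ' + (Get-KillBitState))

switch ($Mode) {
    'Disable' {
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the kill bit into any existing flags instead of overwriting them as the
        # article's .reg file does; the result is identical when no flags exist yet.
        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ([int]$existing -bor $killBit) -Type DWord
    }
    'Reset' {
        # Same effect as EnableHhctrl.reg: remove the CLSID entry altogether.
        if (Test-Path -Path $key) { Remove-Item -Path $key -Recurse }
    }
}
Write-Host ('After:  ' + (Get-KillBitState))
```

Run it with no parameters on a Windows XP SP2 computer after the startup script has applied to confirm that the kill bit is set, and on a Windows 2000 or Windows XP SP1 computer in a mixed OU to confirm that it is not. Because the kill bit lives only in the native HKLM view here, exactly as in the article's registry file, a 32-bit Internet Explorer on 64-bit Windows would need the same entry under the Wow6432Node view; the article does not cover that case and neither does this script.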

Keywords: kbsecvulnerability kbdirservices kbregistry kbsecurity kbinfo kbhowto KB888534

-


© Microsoft Corporation. All rights reserved.