How to help protect against the Internet Explorer Click and Scroll security issue

Article ID: 888534 - View products that this article applies to.

SUMMARY

Microsoft is investigating reports of a security issue with Microsoft Internet Explorer that is known as Click and Scroll. This article contains details about this security issue. This article also describes steps that you can use to help protect your computer against this security issue.

INTRODUCTION

We are investigating reports of a security issue with Internet Explorer that is known as Click and Scroll. This security issue affects all supported versions of Windows. This security issue could make it possible for an attacker to put a malicious file on your computer if you visit a malicious Web site. As of October 26, 2004, Microsoft is not aware of this security issue affecting any customers. Microsoft will continue to investigate this security issue to determine the appropriate steps to help protect our customers. Additionally, Microsoft is providing steps that you can use to help protect your computer against this security issue. To help protect your computer against this security issue, customers should follow these steps.

Note The following steps are described in more detail later in this article.
  1. Obtain and install the MS04-038 cumulative Security Update for Internet Explorer. For additional information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
    834707 MS04-038: Cumulative Security Update for Internet Explorer
  2. Disable the Drag and drop or copy and paste files option in the Internet and Local intranet Web content zones.
You must have completed the following steps for this security issue to affect your computer:
  • Visit a malicious Web site.
  • Interact with the malicious Web site by clicking in the browser window or pressing certain keys on your keyboard.
  • Complete either of the following steps so that the malicious file runs:
    • Log off your computer, and then log on to your computer.
    • Restart your computer.
Note If you have set your Internet Security zone settings to High, this security issue does not affect you. For additional information about how to increase your browsing and e-mail safety, visit the following Microsoft Web site:
http://www.microsoft.com/athome/security/online/browsing_safety.mspx

MORE INFORMATION

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
Microsoft recommends that you use one of the following methods to help protect your computers.

Consumers and non-enterprise customers

Install the MS04-038 update and disable the Drag and drop or copy and paste files option

Effect of this configuration: When you try to move or copy files by using Internet Explorer or Windows Explorer after you complete the following procedure, you may receive an error message. For example, you may receive the following error message when you try to copy and paste or try to perform a drag-and-drop operation:
Security Alert
Your current security settings prohibit copying or moving files from this zone.
If you want to copy and paste or perform a drag-and-drop operation after you apply this configuration, follow the steps in the "How to restore your previous drag and drop or copy and paste files setting" section later in this article.

To install the MS04-038 update and disable the Drag and drop or copy and paste files option, follow these steps:
  1. Obtain and install the MS04-038 cumulative Security Update for Internet Explorer. For additional information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
    834707 MS04-038: Cumulative Security Update for Internet Explorer
    For additional information about the MS04-038 cumulative Security Update for Internet Explorer, visit the following Microsoft Web site:
    http://www.microsoft.com/protect/computer/updates/bulletins/default.mspx
    Important You must install the MS04-038 cumulative Security Update for Internet Explorer for the configuration steps that are listed in this article to be effective.
  2. Disable the Drag and drop or copy and paste files option in the Internet and local intranet zone. To do this, follow these steps:
    1. In Internet Explorer, click Internet Options on the Tools menu, and then click the Security tab.
    2. In the Select a Web content zone to specify its security settings box, click Internet, and then click Custom Level.
    3. In the Settings box, locate the Drag and drop or copy and paste files option under Miscellaneous. Make a note of your current setting.
    4. Under Drag and drop or copy and paste files, click Disable, and then click OK.
    5. Click Yes, and then click OK two times.
    6. Repeat these steps for the local intranet zone by clicking Local intranet instead of Internet in step 2b.

How to restore your previous drag and drop or copy and paste files setting

To restore your previous drag and drop or copy and paste files setting, follow these steps:
  1. In Internet Explorer, click Internet Options on the Tools menu, and then click the Security tab.
  2. In the Select a Web content zone to specify its security settings box, click Internet, and then click Custom Level.
  3. In the Settings box, locate the Drag and drop or copy and paste files option under Miscellaneous.
  4. Click the option that you noted in step 2c earlier in this article, and then click OK.
  5. Click Yes, and then click OK two times.
  6. Repeat these steps for the local intranet zone by clicking Local intranet instead of Internet in step 2.

Enterprise customers

Install the MS04-038 update and disable the Drag and drop or copy and paste files option across a domain

Potential effect of this configuration: By completing the following procedure, you may change the behavior of some Windows programs and components, and you may cause some programs to lose functionality. We recommend that you first thoroughly test the procedure before implementing it in a production environment to make sure that mission-critical programs will continue to work correctly for all users.

Important Because of business needs, Enterprise customers may not be able to disable the Drag and drop or copy and paste files option. You can still help protect computers that are running Microsoft Windows XP Service Pack 2 (SP2) by disabling the Hhctrl.ocx ActiveX control. For information about how to do this, see the "How to manually disable the HTML Help control (Hhctrl.ocx ActiveX control)" section later in this article.

You may still want to copy and paste or perform a drag-and-drop operation after you apply this configuration. To do this, follow the steps in the "How to restore the Drag and drop or copy and paste files option across a domain" section later in this article.

To install the MS04-038 update and disable the Drag and drop or copy and paste files option across a domain, follow these steps:
  1. Obtain the MS04-038 cumulative Security Update for Internet Explorer, and then deploy the security update to all the computers in your domain. For additional information about how to obtain this security update, click the following article number to view the article in the Microsoft Knowledge Base:
    834707 MS04-038: Cumulative Security Update for Internet Explorer
    For additional information about how to deploy this update, see the "Security Update Information" section on the following Microsoft Web site:
    http://www.microsoft.com/technet/security/bulletin/MS04-038.mspx
    Important You must install the MS04-038 cumulative Security Update for Internet Explorer for the configuration steps that are listed in this article to be effective.
  2. Use Group Policy to disable the Drag and drop or copy and paste files option on all the computers in a Microsoft Windows 2000-based or Microsoft Windows Server 2003-based domain. To do this, use the appropriate method for your environment.
    The Security Zones: Use only machine settings setting is not enabled in Group Policy
    1. Start the Active Directory Users and Computers snap-in. To do this, click Start on a domain controller, click Run, type dsa.msc, and then click OK.
    2. Right-click the domain, click Properties, and then click the Group Policy tab.
    3. Click New, type a descriptive name for the new Group Policy object (GPO), and then press ENTER. For example, click New, type Internet Explorer Click and Scroll fix, and then press ENTER.
    4. Click Edit to modify the new GPO that you created in step 3.
    5. Expand User Configuration, expand Windows Settings, expand Internet Explorer Maintenance, click Security, and then double-click Security Zones and Content Ratings.
    6. Under Security and Privacy Settings, click Import the current security zones and privacy settings. If you are prompted to continue, click Continue.
    7. Click Modify settings.
    8. Click Local Intranet, and then click Custom Level.
    9. View the Drag and drop or copy and paste files option. Make a note of the current setting, and then click Disable.
    10. Click OK, click Yes, and then click OK two times.
    11. Repeat steps 8 through 10, but click Internet Zone instead of Local Intranet in step 8.
    Important Changes are not applied to domain user accounts until the users log on to the domain.
    The Security Zones: Use only machine settings setting is enabled in Group Policy
    1. On the domain controller that you are going to run the Active Directory Users and Computers snap-in on, change the 1802 registry values to 3 based on the appropriate platform:
      • For 32-bit versions of Internet Explorer on 32-bit versions of Windows or for 64-bit versions of Internet Explorer on 64-bit versions of Windows XP or on Windows Server 2003, modify the following registry subkeys on the computers that are in your domain:
        • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
        • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
        Create a registry file and a batch (.bat) file. To do this, follow these steps:
        1. Copy the following text, and then paste it into a text editor, such as Notepad:
          REGEDIT4
          
          [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
          "1802"=dword:00000003
          
          [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
          "1802"=dword:00000003
        2. Save the file as "Disable1802.reg".
        3. Copy the following text, and then paste it into a text editor, such as Notepad:
          REGEDIT.EXE  /S   Disable1802.reg
        4. Save the file as "Disable1802.bat".

          Note Before you deploy the batch file, make sure that the batch file works correctly by testing it on one computer.
      • For 32-bit versions of Internet Explorer on 64-bit versions of Windows XP or on 64-bit versions of Windows Server 2003, modify the following registry subkeys on the computers that are in your domain:
        • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
        • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
        Create a registry file and a batch file. To do this, follow these steps:
        1. Copy the following text, and then paste it into a text editor, such as Notepad:
          REGEDIT4
          
          [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
          "1802"=dword:00000003
          
          [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
          "1802"=dword:00000003
        2. Save the file as "Disable1802_64.reg".
        3. Copy the following text, and then paste it into a text editor, such as Notepad:
          REGEDIT.EXE  /S   Disable1802_64.reg
        4. Save the file as "Disable1802_64.bat".

          Note Before you deploy the batch file, make sure that the batch file works correctly by testing it on one computer.
    2. Create a new GPO, and then import the settings into the new GPO. To do this, follow these steps:
      1. Copy the batch file and the .reg file that you created in step 1 to the \\DomainName\SysVol\DomainName\Policies\GUID of the selected GPO\Machine\Scripts\Startup folder.
      2. On the same computer that you used in step 1, start the Active Directory Users and Computers snap-in. To do this, click Start, click Run, type dsa.msc, and then click OK.
      3. Right-click the domain, click Properties, and then click the Group Policy tab.
      4. Click New, type a descriptive name for the new GPO, and then press ENTER. For example, click New, type Internet Explorer Click and Scroll fix, and then press ENTER.
      5. Click Edit to modify the new GPO that you created in step 2d.
      6. Expand Computer Configuration, expand Windows Settings, click Scripts(Startup/Shutdown), click Startup, and then click Add.
      7. Locate and then click the batch file that you created in step 1, and then click Add.
      8. Click OK, click Yes, and then click OK two times.
Important Changes are not applied to domain user accounts until the users log on to the domain.

How to restore the Drag and drop or copy and paste files option across a domain

You can restore the Drag and drop or copy and paste files option on all computers in a Windows 2000-based or Windows Server 2003-based domain by using Group Policy. To do this, follow these steps:
  1. On the domain controller that you are going to run the Active Directory Users and Computers snap-in on, change the 1802 registry values to 0 based on the appropriate platform:
    • For 32-bit versions of Internet Explorer on 32-bit versions of Windows or for 64-bit versions of Internet Explorer on 64-bit versions of Windows XP or on Windows Server 2003, modify both of the following registry subkeys:
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
      • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
      Create a registry file and a batch file. To do this, follow these steps:
      1. Copy the following text, and then paste it into a text editor, such as Notepad:
        REGEDIT4
        
        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
        "1802"=dword:00000000
        
        [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
        "1802"=dword:00000000
      2. Save the file as "Enable1802.reg".
      3. Copy the following text, and then paste it into a text editor, such as Notepad:
        REGEDIT.EXE  /S   Enable1802.reg
      4. Save the file as "Enable1802.bat".

        Note Before you deploy the batch file, make sure that the batch file works correctly by testing it on one computer.
    • For 32-bit versions of Internet Explorer on 64-bit versions of Windows XP or on 64-bit versions of Windows Server 2003, modify both of the following registry subkeys:
      • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
      • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
      Create a registry file and a batch file. To do this, follow these steps:
      1. Copy the following text, and then paste it into a text editor, such as Notepad:
        REGEDIT4
        
        [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
        "1802"=dword:00000000
        
        [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
        "1802"=dword:00000000
      2. Save the file as "Enable1802_64.reg".
      3. Copy the following text, and then paste it into a text editor, such as Notepad:
        REGEDIT.EXE  /S   Enable1802_64.reg
      4. Save the file as "Enable1802_64.bat".

        Note Before you deploy the batch file, make sure that the batch file works correctly by testing it on one computer.
  2. Create a new GPO, and then import the settings into the new GPO. To do this, follow these steps:
    1. Copy the batch file and the .reg file that you created in step 1 to the \\DomainName\SysVol\DomainName\Policies\GUID of the selected GPO\Machine\Scripts\Startup folder.
    2. On the same computer that you used in step 1, start the Active Directory Users and Computers snap-in. To do this, click Start, click Run, type dsa.msc, and then click OK.
    3. Right-click the domain, click Properties, and then click the Group Policy tab.
    4. Click the new GPO that you created in step 2d of the "Install the MS04-038 update and disable the Drag and drop or copy and paste files option across a domain" section, and then press ENTER.
    5. Click Edit.
    6. Expand Computer Configuration, expand Windows Settings, click Scripts(Startup/Shutdown), click Startup, and then click Add.
    7. Locate and then click the batch file that you created in step 1, and then click Add.
    8. Click OK, click Yes, and then click OK two times.

How to manually disable the HTML Help control (Hhctrl.ocx ActiveX control)

If you cannot disable the Drag and drop or copy and paste files option, you can help protect Windows XP SP2-based computers by disabling the HTML Help control (Hhctrl.ocx ActiveX control).

Effect of this configuration: Disabling the Hhctrl.ocx ActiveX control helps protect against this security issue only on Windows XP SP2-based computers. Disabling Hhctrl.ocx prevents Internet Explorer from instantiating the control. This configuration causes program compatibility issues. Some examples of such issues are:
  • In Help and Support Center, the Index feature no longer works.
  • In HTML Help, features such as Related Topics and Shortcuts no longer work.
  • Features that are provided by the HTML Help control in Enterprise intranet programs no longer work.
Warning The following steps deploy this configuration to all the computers in the domain. You must complete certain additional steps if you have a mixed environment with computers that are running Windows 2000, Windows XP Service Pack 1 (SP1), and Windows XP SP2. For example, all the Windows XP SP2-based computers must be centrally located in an Active Directory organizational unit (OU). You must apply the Group Policy that you create in this method to that OU only. After you complete the deployment of this configuration, you can move the Windows XP SP2-based computers back to their original OUs.
  1. Copy the following text, and then paste it into a text editor, such as Notepad:
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{41B23C28-488E-4E5C-ACE2-BB0BBABE99E8}\]
    
    "Compatibility Flags"=dword:00000400
    
  2. Save the file as "DisableHhctrl.reg".
  3. Copy the following text, and then paste it into a text editor, such as Notepad:
    REGEDIT.EXE  /S   DisableHhctrl.reg
    
  4. Save the file as "DisableHhctrl.bat".

    Note Before you deploy the batch file, make sure that the batch file works correctly by testing it on one computer.
  5. Import the batch file into the GPO. To do this, follow these steps:
    1. Copy the batch file that you created in step 4 and the DisableHhctrl.reg file to the \\DomainName\SysVol\DomainName\Policies\GUID of the selected GPO\Machine\Scripts\Startup folder.
    2. On the computer that you want to run the Active Directory Users and Computers snap-in on, click Start, click Run, type dsa.msc, and then click OK.
    3. Click Edit.
    4. Expand Computer Configuration, expand Windows Settings, click Scripts(Startup/Shutdown), click Startup, and then click Add.
    5. Locate and then click the batch file that you created in step 4, and then click Add.
    6. Click OK, click Yes, and then click OK two times.
If you want to reset the default settings of the HTML Help control after you apply this configuration, follow the steps in the "How to reset the default settings of the HTML Help control" section later in this article.
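After the startup script from either the "across a domain" procedure or the HTML Help control procedure above has run, an administrator will want to confirm on a client that the settings actually landed. The following audit script is an added example and is not part of this Knowledge Base article; it reads the 1802 value for zone 1 (Local intranet) and zone 3 (Internet) in the machine hives named above (including the Wow6432Node hive on 64-bit Windows) and in the current user's hive, and checks that the kill bit (Compatibility Flags 0x400) is set on the Hhctrl.ocx CLSID from the article. It assumes a PowerShell session that can read HKLM.

```powershell
# Audit script (added example, not from the KB article). Reports whether URL
# action 1802 ("Drag and drop or copy and paste files") is set to Disable (3)
# in the Local intranet (zone 1) and Internet (zone 3) zones, and whether the
# HTML Help control (Hhctrl.ocx) has its kill bit set.

$machineRoots = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
)
# Per-user zone settings apply unless "Security Zones: Use only machine settings"
# is enabled, so the current user's hive is audited as well.
$userRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

$zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Disabled = 3   # 0 = Enable, 1 = Prompt, 3 = Disable (values the .reg files above write)

function Get-UrlActionValue {
    param([string]$Root, [int]$Zone, [string]$Action)
    $key = Join-Path $Root $Zone
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Action
}

$results = @()
foreach ($root in ($machineRoots + $userRoot)) {
    if (-not (Test-Path $root)) { continue }   # Wow6432Node does not exist on 32-bit Windows
    foreach ($zoneId in $zones.Keys) {
        $value = Get-UrlActionValue -Root $root -Zone $zoneId -Action '1802'
        if ($value -eq $Disabled)  { $status = 'OK (Disable)' }
        elseif ($null -eq $value)  { $status = 'not set (zone default applies)' }
        else                       { $status = 'NOT disabled' }
        $results += New-Object PSObject -Property @{
            Hive      = $root
            Zone      = "$zoneId ($($zones[$zoneId]))"
            Value1802 = $value
            Status    = $status
        }
    }
}
$results | Format-Table Hive, Zone, Value1802, Status -AutoSize

# Kill-bit check for the HTML Help control CLSID named in the article.
$clsid     = '{41B23C28-488E-4E5C-ACE2-BB0BBABE99E8}'
$compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
$KillBit   = 0x400
$flags = (Get-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
if ($null -ne $flags -and (($flags -band $KillBit) -eq $KillBit)) {
    "Hhctrl.ocx: kill bit set (Compatibility Flags = 0x{0:X})" -f $flags
} else {
    "Hhctrl.ocx: kill bit NOT set; Internet Explorer can still instantiate the control"
}
```

A row that reads "not set" for a machine hive is expected before the startup script has run; after it runs, both zone rows under each HKLM root should read "OK (Disable)".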

How to reset the default settings of the HTML Help control

To reset the HTML Help control back to the default settings, follow these steps:
  1. Copy the following text, and then paste it into a text editor, such as Notepad:
    REGEDIT4
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{41B23C28-488E-4E5C-ACE2-BB0BBABE99E8}\]
    
  2. Save the file as "EnableHhctrl.reg".
  3. Copy the following text, and then paste it into a text editor, such as Notepad:
    REGEDIT.EXE  /S   EnableHhctrl.reg
  4. Save the file as "EnableHhctrl.bat".

    Note Before you deploy the batch file, make sure that the batch file works correctly by testing it on one computer.
  5. Import the batch file into the GPO. To do this, follow these steps:
    1. Copy the batch file that you created in step 4 and the EnableHhctrl.reg file to the \\DomainName\SysVol\DomainName\Policies\GUID of the selected GPO\Machine\Scripts\Startup folder.
    2. Start the Active Directory Users and Computers snap-in. To do this, click Start on a domain controller, click Run, type dsa.msc, and then click OK.
    3. Right-click the domain, click Properties, and then click the Group Policy tab.
    4. Click the new GPO that you created in step 4 of the "How to manually disable the HTML Help control (Hhctrl.ocx ActiveX control)" section earlier in this article, and then press ENTER.
    5. Click Edit.
    6. Expand Computer configuration, expand Windows Settings, click Scripts(Startup/Shutdown), click Startup, and then click Add.
    7. Locate and then click the batch file that you created in step 4, and then click Add.
    8. Click OK, click Yes, and then click OK two times.
Note This is a "FAST PUBLISH" article created directly from within the Microsoft support organization. The information contained herein is provided as-is in response to emerging issues. As a result of the speed in making it available, the materials may include typographical errors and may be revised at any time without notice. See Terms of Use for other considerations.

Properties

Article ID: 888534 - Last Review: July 1, 2010 - Revision: 5.0
APPLIES TO
  • Microsoft Internet Explorer 6.0
  • Microsoft Security Essentials
Keywords: 
kbsecvulnerability kbdirservices kbregistry kbsecurity kbinfo kbhowto KB888534
