fireclicking.txt

Posted Jan 26, 2006
Authored by Michael Krax | Site mikx.de

Using custom Microsoft Agent characters it is possible to cover any kind of windows, including security or download dialogs. This is an expected feature of the Microsoft Agent control. Because custom characters are fully scriptable, can have any kind of shape and are downloaded automatically, this can be used as a flexible tool to cover and/or spoof any kind of window and lure the user to execute arbitrary code by performing one or two clicks (depending on security zone configuration and Windows version).

tags | advisory, arbitrary, spoof
systems | windows
SHA-256 | 039b06b0507512df1ffd004234a3787a21cf7ec3fdaad643a094cb8696e17771

It's now almost 18 months ago that I posted my first security advisory "What
A Drag! -revisited-", so it seems to be a good time to post "What A Click!".

Both bugs had about the same exploit potential, but I assume this one will
have far less impact and media response (which I consider a great thing for
various reasons). Thanks to everybody who researched, worked, chatted,
discussed and got drunk with me in the last months to make this change
happen - you know who you are.

__Summary

Using custom Microsoft Agent characters it is possible to cover any kind of
windows, including security or download dialogs. This is an expected feature
of the Microsoft Agent control. To quote the product homepage: "Animations
are drawn on top of any underlying application window, characters are not
bounded within their own, separate window"
(http://www.microsoft.com/msagent/prodinfo/datasheet.asp). Custom characters
can be created with tools downloadable from that homepage.

Because custom characters are fully scriptable, can have any kind of shape
and are downloaded automatically, this can be used as a flexible tool to cover
and/or spoof any kind of window and lure the user to execute arbitrary code
by performing one or two clicks (depending on security zone configuration and
Windows version).

__Proof-of-Concept

http://www.mikx.de/fireclicking/

The PoC is designed for Internet Explorer 6 on Windows XP SP2 in the Windows
classic theme. By clicking on the button in the upper left corner you start
the download of a hta file. The download dialog gets covered by a Microsoft
Agent character which fakes a button (basically a large white image with a
button border in the middle). Move the character by dragging to see how it
uses a "transparent spot" to make room for clicking on the underlying dialog
through the button space. Transparent areas in characters are really "not
there", meaning you can click through them.

When you click that button you execute arbitrary code in the hta file, in
this case you create the folder "c:\booom!". The button in the upper left
corner is only needed to get around the "drive by download" protection of
Windows. When this protection is not in place (e.g. on Windows 2000) this
PoC could be reduced to a single click interaction to execute arbitrary
code.
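As an added defender-side example (not part of Krax's advisory or of the PoC
at mikx.de), the following Python script correlates, per client, successful
downloads of Microsoft Agent character files with downloads of HTA files in
proxy logs, which is the combination the PoC described above depends on: a
character is fetched to cover the dialog, and an HTA is fetched to run the
payload. The log line format, the .acs/.acf character file extensions, the
five-minute correlation window and the sample log lines are all assumptions
constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumption: Microsoft Agent character files use these extensions
# (.acs = compiled character, .acf = character definition for web delivery).
AGENT_EXT = (".acs", ".acf")
PAYLOAD_EXT = (".hta",)
# Assumption: a character and an HTA fetched within this window by the
# same client are worth a closer look.
WINDOW = timedelta(minutes=5)

# Constructed sample proxy log (not from the advisory). One request per
# line: timestamp client method url status
SAMPLE_LOG = """\
2006-01-22T10:00:01 10.0.0.5 GET http://example.test/index.html 200
2006-01-22T10:00:03 10.0.0.5 GET http://example.test/chars/button.acf 200
2006-01-22T10:00:04 10.0.0.5 GET http://example.test/chars/button.acs 200
2006-01-22T10:00:09 10.0.0.5 GET http://example.test/dl/setup.hta 200
2006-01-22T10:01:00 10.0.0.7 GET http://example.test/dl/setup.hta 200
2006-01-22T10:30:00 10.0.0.9 GET http://example.test/chars/genie.acs 200
2006-01-22T11:30:00 10.0.0.9 GET http://example.test/dl/other.hta 200
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, client, method, url, status = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
    }


def classify(url):
    """Return 'agent', 'hta' or None based on the URL path extension."""
    path = urlparse(url).path.lower()
    if path.endswith(AGENT_EXT):
        return "agent"
    if path.endswith(PAYLOAD_EXT):
        return "hta"
    return None


def find_suspect_pairs(log_text, window=WINDOW):
    """Return (client, agent_url, hta_url) triples for every client that
    fetched an Agent character and an HTA file within `window` of each
    other. Only successful (HTTP 200) requests are considered."""
    agents = defaultdict(list)
    htas = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["status"] != 200:
            continue
        kind = classify(rec["url"])
        if kind == "agent":
            agents[rec["client"]].append(rec)
        elif kind == "hta":
            htas[rec["client"]].append(rec)

    hits = []
    for client, agent_recs in agents.items():
        for a in agent_recs:
            for h in htas.get(client, []):
                # Order is not assumed: the character may be loaded before
                # or after the HTA download starts.
                if abs(h["ts"] - a["ts"]) <= window:
                    hits.append((client, a["url"], h["url"]))
    return hits


if __name__ == "__main__":
    for client, agent_url, hta_url in find_suspect_pairs(SAMPLE_LOG):
        print(f"{client}: agent character {agent_url} near HTA {hta_url}")
```

In the sample log only 10.0.0.5 is reported: 10.0.0.7 fetched an HTA without
any character file, and 10.0.0.9 fetched both but an hour apart. A real
deployment would read the proxy's own log format and tune the window.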

__Status

The bug got fixed as part of the Microsoft Security Bulletin MS05-032 (yeah,
last summer).

The patch adds an additional security dialog before loading a custom agent
character. Be aware that in trusted zones that dialog might not appear.

2004-10-04 Vendor informed
2004-10-06 Vendor opened case, could not repro
2004-10-06 Vendor got new testcase
2004-10-12 Vendor confirmed bug
2005-06-14 Vendor released patch and advisory
2006-01-22 Public disclosure

__Affected Software

Internet Explorer on Windows 98, 98 SE, ME, XP, 2000, Server 2003 with
different severity. See Microsoft Security Bulletin MS05-032 for details.

__Contact

Michael Krax <mikx@mikx.de>
http://www.mikx.de/

mikx


© 2022 Packet Storm. All rights reserved.