Dr. Dobb's | IE Flaw Affects Windows XP SP2 Systems

IE Flaw Affects Windows XP SP2 Systems

Another flaw in Internet Explorer apparently leaves users open to attack, even those who had updated Windows XP with SP2.

August 20, 2004
URL:http://www.drdobbs.com/ie-flaw-affects-windows-xp-sp2-systems/30000082

Another flaw in Internet Explorer has been uncovered by Danish security firm Secunia, which said that the gaffe left all users open to attack, even those who had updated Windows XP with the massive Service Pack 2 upgrade.

According to the alert Secunia posted Thursday on its Web site, the vulnerability affects Internet Explorer 5.01, 5.5, and 6.0 on fully-patched PCs running either Windows XP SP1 or the newer SP2.

Microsoft just began sending Service Pack 2 (SP2) to Windows XP Home users this week, and although the update has been touted as a major security upgrade, the Secunia alert isn't the first problem that SP2 has faced. Microsoft has already issued a hotfix to SP2 that addresses problems some virtual private network (VPN) users have encountered.

Dubbing the flaw "Highly Critical," Secunia said that proof-of-concept code has been published, and that the vulnerability -- which stems from "insufficient validation of drag and drop events issued from the 'Internet' zone" -- can be used by hackers to plant executable files in a Windows XP machine if the user is enticed to a malicious Web site.

"Even though the proof-of-concept depends on the user performing a drag and drop event, it may potentially be rewritten to use a single click as user interaction instead," Secunia warned.

Its recommendations were the more-or-less standard dire advice: Either disable Active Scripting within IE or use another browser until the problem's patched.

This newest flaw in IE, said Secunia, is a close cousin of one discovered by a Chinese security researcher last September; those bugs have since been squashed.