According to the alert Secunia posted Thursday on its Web site, the vulnerability affects Internet Explorer 5.01, 5.5, and 6.0 on fully patched PCs running either Windows XP SP1 or the newer SP2.
Microsoft just began sending Service Pack 2 (SP2) to Windows XP Home users this week, and although the update has been touted as a major security upgrade, the Secunia alert isn't the first problem that SP2 has faced. Microsoft has already issued a hotfix to SP2 that addresses problems some virtual private network (VPN) users have encountered.
Dubbing the flaw "Highly Critical," Secunia said that proof-of-concept code has been published, and that the vulnerability -- which stems from "insufficient validation of drag and drop events issued from the 'Internet' zone" -- can be used by hackers to plant executable files on a Windows XP machine if the user is enticed to a malicious Web site.
"Even though the proof-of-concept depends on the user performing a drag and drop event, it may potentially be rewritten to use a single click as user interaction instead," Secunia warned.
Its recommendations were the more-or-less standard dire advice: either disable Active Scripting within IE or use another browser until the problem is patched.
This newest flaw in IE, said Secunia, is a close cousin of one discovered by a Chinese security researcher last September; those bugs have since been squashed.