IE Flaw Affects Windows XP SP2 Systems

Another flaw in Internet Explorer has been uncovered by Danish security firm Secunia, which said that the gaffe left all users open to attack, even those who had updated Windows XP with the massive Service Pack 2 upgrade.

According to the alert Secunia posted Thursday on its Web site, the vulnerability affects Internet Explorer 5.01, 5.5, and 6.0 on fully-patched PCs running either Windows XP SP1 or the newer SP2.

Microsoft just began sending Service Pack 2 (SP2) to Windows XP Home users this week, and although the update has been touted as a major security upgrade, the Secunia alert isn't the first problem that SP2 has faced. Microsoft has already issued a hotfix to SP2 that addresses problems some virtual private network (VPN) users have encountered.

Dubbing the flaw "Highly Critical," Secunia said that proof-of-concept code has been published, and that the vulnerability -- which stems from "insufficient validation of drag and drop events issued from the 'Internet' zone" -- can be used by hackers to plant executable files on a Windows XP machine if the user is enticed to a malicious Web site.

"Even though the proof-of-concept depends on the user performing a drag and drop event, it may potentially be rewritten to use a single click as user interaction instead," Secunia warned.

Its recommendations were the more-or-less standard dire advice: Either disable Active Scripting within IE or use another browser until the problem's patched.

This newest flaw in IE, said Secunia, is a close cousin of one discovered by a Chinese security researcher last September; those bugs have since been squashed.
