Security researchers are warning of a bug in Internet Explorer that could allow attackers to infect a PC by persuading a user to click on a Web image.
The vulnerability affects even Windows XP machines patched with Microsoft's security-oriented update, Service Pack 2 (SP2), making it the most serious hole discovered in SP2 to date.
IE versions 5.01, 5.5 and 6 aren't effective enough in the way they screen drag-and-drop events, allowing attackers to potentially slip code from the "Internet" zone to the local machine, according to researchers. In a demonstration posted online by a "white-hat" hacker using the Internet pseudonym http-equiv, who discovered the flaw, a user drags a graphic from one part of a Web page to another, and this action implants code in the user's startup folder, to be run the next time Windows launches.
The exploit could be simplified even further, making it more dangerous, according to IT security firm Secunia. "Though the (proof-of-concept) depends on the user performing a drag and drop event, it may potentially be rewritten to use a single click as user interaction instead," the firm said in its advisory.
In the absence of a fix from Microsoft, Secunia recommended users to disable active scripting or use a different browser. Instructions on disabling active scripting can be found on their Web site.
Secunia considers the bug "highly critical", but Microsoft doesn't agree -- the company said the exploit requires so much user interaction that it is effectively impossible to carry out. Microsoft hasn't issued a patch, but said it is continuing to investigate.
The reaction is similar to that received by an earlier bug discovered in SP2 shortly after its release. German security firm Heise Security warned that a new alert system warning users of potentially dangerous files could be bypassed.
In that case, most researchers -- including Heise itself -- said that an exploit would require an unrealistic degree of social engineering. "I think that Microsoft could have found a better solution that would cause less chance of 'mishaps', but it doesn't make it a vulnerability," said Secunia CTO Thomas Kristensen.
SP2 is designed to improve Windows security -- and Microsoft's reputation -- through extensive changes to Windows XP's default security settings, new security tools and a new patch management system. Because of the scale of the changes, which Microsoft admits are likely to break many existing applications, businesses say they are putting the service pack through a more rigorous testing procedure than with other service packs.
IT managers are mainly enthusiastic about SP2, but a significant minority say they have no plans to implement it, according to two recent surveys, one in the U.K., the other in the U.S. However, they are sanguine about the impact on applications, seeing it as the price you have to pay for added security.