Security firm Secunia has detailed a new flaw in Internet Explorer that affects users running Windows XP Service Pack 2. The vulnerability involves drag-and-drop, which can be used within a Web page to place a malicious program in the Windows startup folder.
Secunia has branded the issue "highly critical" and says it comes from "insufficient validation of drag and drop events issued from the "Internet" zone." Users are advised to disable Active Scripting, or use a Web browser other than Internet Explorer.
The security researcher who discovered the flaw has posted proof-of-conccept code, which involves dragging an image across a Web page. But Secunia says it could be simplified to require just one mouse click. Microsoft, however, brushed off concerns over the potential issue. "Given the significant amount of user action required to execute an attack, Microsoft does not consider this to be a high risk for customers," the company said.