The flaw affects the latest version of Internet Explorer running on Windows XP, even after the latest major update -- known as Service Pack 2 -- is applied. An attacker using the flaw could install a program on a victim's computer after convincing the person to visit a malicious Web site and click on a graphic.
The attacker's program would be placed in the Windows startup folder and would run the next time the user restarted the computer. The security researcher who discovered the flaw, known by the online nickname "http-equiv," posted an example to show the power of the flaw.
"If you look at the Web page, all you see are two red lines and an image; drag the image across the two lines and drop it," he said. "What you have actually done is drop (a program) into your startup folder. Next time you switch the computer on it runs the program."
Security information company Secunia believes the program that takes advantage of the issue could be simplified to only require a single click from the user. Secunia rated the flaw as "highly critical," its second-highest rating of vulnerability threats.
Microsoft said the issue did not pose a serious risk to users because it requires an attacker to trick people into visiting a Web site and taking some action at the site.
"Given the significant amount of user action required to execute an attack, Microsoft does not consider this to be a high risk for customers," a company representative said, adding that the software giant's security experts are continuing to research the issue.
Security researchers predicted that vulnerabilities would quickly be found in Windows XP Service Pack 2, or SP2. The drag-and-drop flaw is perhaps the most serious found to date in computers that have been patched with Microsoft's major security update.
Service Pack 2 promises to add better security to Windows XP's handling of network data, program memory, browsing activity and email messages, by changing the system's code and configuration. A revamped firewall, for example, attempts to prevent malicious applications on a PC from connecting to the Internet by requiring that the user give specific permission for each attempt.
The SP2 software, which took almost a year to develop, is seen by many as a response to the attack launched by the MSBlast worm on 11 August, 2003. Almost 26 days before, Microsoft had issued a patch for the security hole exploited by the worm. However, many people did not install the fix, even though there was widespread expectation that a virus would be created to take advantage of the flaw.
Ironically, this time around, most people have not had a chance to update their computers with the security patch. The update became available only on Wednesday and will require almost a month to reach every Windows XP user who wants the software, Microsoft said.
Even so, security researcher "http-equiv" believes that the software giant's latest patch does its job.
"The patch really does lock down the machine nicely, and whatever anyone finds now will be completely different to the previous year's findings," he said.
In order to post a comment you need to be registered and logged in
Log in or create your ZDNet UK account below
By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Membership FAQ
Hi Jamie, I'm sorry your comment got caught in the spam filter. We use an industry standard blacklist for this. I suspect that the comment may...
2 hours ago by Karen Friar on Spam? Filter Changed?
Pop - Neither have I. Ever, under any circumstances. I'm much more accustomed to Windows slowly, but inexorably, consuming more and more disk...
3 hours ago by J.A. Watson on Can you believe it - 2765 kB will be freed?
Apple are currently pushing to get tv content on the iPad by April 3rd. This could possibly be seen as a spoiler for that announcement I suppose....
16 hours ago by John Molloy
Hey - presume you mean something that builds on Apple's existing TV device? Apple have already had a couple of runs at building Apple TV and it's...
21 hours ago by Andrew Donoghue on Google's TV timing may reveal more to come
Google, Sony, Intel may build TV project www.zdnet.co.uk/news/emerging-tech/2010/03/18/google-sony-intel-may-build-tv-project-40088359/
22 hours ago on Twitter by BVE2011
70,0000 to 90,0000 computers? A very small number considering some of these botnets are in the millions, and there are so many of them operating,...
23 hours ago by ator1940 on Microsoft says it decimated Waledac botnet I agree Roger, and why can't they write secure code? What will happen when they find stolen code in windows? They have a track record of...
23 hours ago by ator1940 on Microsoft lashing out at Linux, open source Do you think it will really take days?
23 hours ago by ator1940 on Microsoft previews Internet Explorer 9 with HTML 5 support
Wonder how many days it will take before somebody codes an exploitive hack for IE9?
1 day ago by Xwindowsjunkie on Microsoft previews Internet Explorer 9 with HTML 5 support
There are some really good people in Microsoft and I wonder, how embarassing it must be for them to see how the organisation behaves from it's...
2 days ago by roger andre on Microsoft lashing out at Linux, open source On further inspection, it looks like some things are missing, is it possible that there was a time lag between whatever state the site was in that...
2 days ago by J.A. Watson on Welcome to the new ZDNet UK community!
Ok. Now I'm getting annoyed. Previously I could just click on just about any item or comment I saw and get a reply box. How do I manage that...
2 days ago by Tezzer on ZDNet UK: faster, smarter, still IT all the way hey Roger. Think I have spotted a bug as when I click on my name it takes me to the same page as if I had clicked on "Edit Profile". i.e...
2 days ago by Andrew Donoghue on ZDNet UK - Now cleaner than an Archbishop's conscience
Great new look for ZDNET UK web-site http://bit.ly/9R5eAA to check it out @ZDNetUK #zdnet
2 days ago on Twitter by ajclarke
Microsoft previews Internet Explorer 9 with HTML 5 support - zdnet.co.uk http://bit.ly/9FSh23
2 days ago on Twitter by feedfrog
We were just pondering on when IE will get HTML5 and CSS3 onboard! this is excellent
2 days ago by kencogold on Microsoft previews Internet Explorer 9 with HTML 5 support
RT @suziedaniels: relaunched www.zdnet.co.uk raises the bar yet again! its so fast it makes my eyes bleed.
2 days ago on Twitter by riptari This is brilliant - I borrowed one and straight away saw that a few AP`s were set up to the wrong country. It gives interference levels on each...
2 days ago by Bob Preece on Fluke Networks AirCheck Wi-Fi Tester
http://www.zdnet.co.uk/news/networking/2010/03/11/european-parliament-votes-down-acta-treaty-40085614/ (Where does this leave #Debill?)
2 days ago on Twitter by _SimonArnoldmeFor multi-store outlets, including retail, banking, grocery, gas, hospitality, convenience stores and others, reducing (or avoiding) the cost of in-store system support and maintenance while maintaining compliance with PCI and other requirements has become a strategic challenge.
Speaker: Dr. Chenxi Wang, Principal Analyst, Security and Risk Management, Forrester Research, Inc. As Enterprises are increasingly connected to the Internet and as hard organizational boundaries are fast disappearing, security professionals are facing fresh challenges in Enterprise computing.
This tutorial is for new MindManager users and teaches you how to get started, by creating maps, reading maps and organizing your information.
