Security researchers are warning of a bug in Internet Explorer that could
allow attackers to infect a PC by persuading a user to click on a Web image.
The vulnerability affects even Windows XP machines patched with Microsoft's
security-oriented update, Service Pack 2 (SP2), making it the most serious
hole discovered in SP2 to date.

IE versions 5.01, 5.5 and 6 aren't effective enough in the way they screen
drag-and-drop events, allowing attackers to potentially slip code from the
"Internet" zone to the local machine, according to researchers. In a
demonstration posted online by a "white-hat" hacker using the Internet
pseudonym http-equiv, who discovered the flaw, a user drags a graphic from
one part of a Web page to another, and this action implants code in the
user's startup folder, to be run the next time Windows launches.

The exploit could be simplified even further, making it more dangerous,
according to IT security firm Secunia. "Though the (proof-of-concept)
depends on the user performing a drag and drop event, it may potentially be
rewritten to use a single click as user interaction instead," the firm said
in its target='_blank'>advisory.

In the absence of a fix from Microsoft, Secunia recommended users to disable
active scripting or use a different browser. Instructions on disabling
active scripting can be found href='http://support.microsoft.com/default.aspx?scid=kb;en-us;q154036'
target='_blank'>here.

Secunia considers the bug "highly critical", but Microsoft doesn't agree -
the company said the exploit requires so much user interaction that it is
effectively impossible to carry out. Microsoft hasn't issued a patch, but
said it is continuing to investigate.

The reaction is similar to that received by an earlier bug discovered in SP2
shortly after its release. German security firm Heise warned that a new
alert system warning users of potentially dangerous files could be bypassed.
In that case, most researchers - including Heise itself - said that an
exploit would require an unrealistic degree of social engineering. "I think
that Microsoft could have found a better solution that would
cause less chance of 'mishaps', but it doesn't make it a vulnerability,"
said Secunia CTO Thomas Kristensen.

SP2 is designed to improve Windows security - and Microsoft's reputation -
through extensive changes to Windows XP's default security settings, new
security tools and a new patch management system. Because of the scale of
the changes, which Microsoft admits are likely to break many existing
applications, businesses say they are putting the service pack through a
more rigorous testing procedure than with other service packs.

IT managers are mainly enthusiastic about SP2, but a significant minority
say they have no plans to implement it, according to href='http://www.techworld.com/opsys/news/index.cfm?newsid=2127'>two recent
surveys, one in the UK, the other in the US. However, they are sanguine
about the impact on applications, seeing it as the price you have to pay for
added security.

Taken off guard by the large number of business customers who rely on the
Windows Automatic Updates feature for patches, Microsoft last week postponed
automatic distribution of the mammoth service pack, but has now href='http://www.techworld.com/opsys/news/index.cfm?NewsID=2118'>resumed
delivery.