In an advisory, network security consultancy Pivx Solutions described the vulnerability as "extremely high risk". It said a hacker could run programs, read files, and steal cookies from a user's machine.
In testing, Pivx has demonstrated the flaw in IE 5.5 running on both Windows 98 and Windows NT and on IE6 running on Windows 2000. The flaw also affects the Outlook and Outlook Express e-mail clients. Pivx suggested a quick workaround for end users would involve disabling ActiveX, or setting "Script ActiveX controls marked safe for scripting" to Prompt or Disable within IE and the Outlook software.
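The workaround PivX describes is a per-zone Internet Explorer setting, so an administrator can audit and enforce it from the registry rather than through the Internet Options dialog. The PowerShell below is an added example (not from the advisory or the article); it assumes Microsoft's documented zone layout, in which value `1405` under each numbered zone key is "Script ActiveX controls marked safe for scripting" and `0`, `1`, `3` mean Enable, Prompt, Disable.

```powershell
# Added example: audit and harden the IE "Script ActiveX controls marked safe for
# scripting" setting for each security zone. Assumption: registry layout follows
# Microsoft's documented Internet Settings zone values (name 1405; 0/1/3 = Enable/Prompt/Disable).
$ZonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneNames = @{ '0' = 'My Computer'; '1' = 'Local intranet'; '2' = 'Trusted sites';
                '3' = 'Internet';    '4' = 'Restricted sites' }
$Meaning   = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-SafeForScriptingSetting {
    # One record per zone; Weak flags Enable in the Internet or Restricted zones,
    # which is the configuration the workaround tells users to move away from.
    foreach ($zone in Get-ChildItem -Path $ZonesKey) {
        $id    = $zone.PSChildName
        $value = (Get-ItemProperty -Path $zone.PSPath -Name '1405' -ErrorAction SilentlyContinue).'1405'
        [pscustomobject]@{
            Zone    = $ZoneNames[$id]
            Id      = $id
            Setting = $(if ($null -eq $value) { 'not set' } else { $Meaning[[int]$value] })
            Weak    = ($id -in '3', '4') -and ($null -ne $value) -and ([int]$value -eq 0)
        }
    }
}

function Set-SafeForScriptingLevel {
    # Level 1 = Prompt (the less disruptive choice), 3 = Disable; defaults to the
    # Internet and Restricted sites zones, which is where untrusted content is rendered.
    param(
        [string[]]$ZoneIds = @('3', '4'),
        [ValidateSet(1, 3)][int]$Level = 1
    )
    foreach ($id in $ZoneIds) {
        Set-ItemProperty -Path (Join-Path $ZonesKey $id) -Name '1405' -Value $Level -Type DWord
    }
}

# Report current state; run Set-SafeForScriptingLevel afterwards to apply the workaround.
Get-SafeForScriptingSetting | Format-Table -AutoSize
```

The script reads the current user's hive only; a machine-wide policy under HKLM or a Group Policy object would override these values, so check those separately on managed systems.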
The flaw occurs in the way the Microsoft software performs "cross domain security checks" on embedded HTML documents. According to Pivx, while Microsoft checks embedded HTML, it does not check when a Web browser ActiveX control is embedded within the HTML. This control could be used to take control of a user's PC.