Security researchers are warning of a bug in Internet Explorer that could allow attackers to infect a PC by persuading a user to click on a web image.
The vulnerability affects even Windows XP machines patched with Microsoft's Service Pack 2 (SP2), making it the most serious hole discovered in SP2 to date.
IE versions 5.01, 5.5 and 6 are not effective enough in the way they screen drag-and-drop events, allowing attackers to potentially slip code from the "internet" zone to the local machine, according to researchers.
In a demonstration posted online by a "white-hat" hacker using the internet pseudonym http-equiv, who discovered the flaw, a user drags a graphic from one part of a web page to another, and this action implants code in the user's startup folder, to be run the next time Windows launches.
The exploit could be simplified even further, making it more dangerous, said IT security firm Secunia. "Though the [proof-of-concept] depends on the user performing a drag-and-drop event, it may potentially be rewritten to use a single click as user interaction instead," the firm said in its advisory.
In the absence of a fix from Microsoft, Secunia recommended users to disable active scripting or use a different browser. Instructions on disabling active scripting can be found on Secunia's website.
Secunia considers the bug "highly critical", but Microsoft does not agree. The company said the exploit requires so much user interaction that it is effectively impossible to carry out. Microsoft has not issued a patch, but said it is continuing to investigate.
The reaction is similar to that received by an earlier bug discovered in SP2 shortly after its release. German security firm Heise Security warned that a new alert system warning users of potentially dangerous files could be bypassed.
In that case, most researchers - including Heise itself - said an exploit would require an unrealistic degree of social engineering. "I think that Microsoft could have found a better solution that would cause less chance of 'mishaps', but it does not make it a vulnerability," said Secunia chief technology officer Thomas Kristensen.
SP2 is designed to improve Windows security - and Microsoft's reputation - through extensive changes to Windows XP's default security settings, new security tools and a new patch management system.
Because of the scale of the changes, which Microsoft admits are likely to break many existing applications, businesses say they are putting the service pack through a more rigorous testing procedure than with other service packs.
IT managers are mainly enthusiastic about SP2, but a significant minority say they have no plans to implement it, according to two recent surveys, one in the UK, the other in the US. However, they are sanguine about the impact on applications, seeing it as the price you have to pay for added security.
Taken off guard by the large number of business customers who rely on the Windows Automatic Updates feature for patches, Microsoft last week postponed automatic distribution of the mammoth service pack, but has now resumed delivery.
Matthew Broersma writes for Techworld