According to the alert that Secunia posted Thursday on its Web site, the vulnerability affects Internet Explorer 5.01, 5.5, and 6 on fully patched PCs running either Windows XP SP1 or the newer SP2.
Microsoft just began sending Service Pack 2 to Windows XP Home users this week, and although the update has been touted as a major security upgrade, the Secunia alert isn't the first problem that SP2 has faced. Microsoft has already issued a fix for SP2 that addresses problems some VPN users have encountered.
Grading the flaw "highly critical," Secunia says that proof-of-concept code has been published, and that the vulnerability, which stems from "insufficient validation of drag-and-drop events issued from the 'Internet' zone," can be used by hackers to plant executable files on a Windows XP machine if the user is enticed to a malicious Web site.
"Even though the proof-of-concept depends on the user performing a drag-and-drop event, it may potentially be rewritten to use a single click as user interaction instead," Secunia warns.
It recommends either disabling Active Scripting within IE or using another browser until the problem is patched.
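The first of Secunia's two workarounds can be checked and applied per user from the registry. The script below is an added example, not part of the article or of any Secunia or Microsoft material; it assumes the well-known IE zone layout in which `Zones\3` under the current user's `Internet Settings` key is the Internet zone and the DWORD value `1400` holds the Active Scripting setting (0 = enable, 1 = prompt, 3 = disable).

```powershell
# Added example: report, and optionally apply, the "disable Active Scripting
# in the Internet zone" workaround for the current user.
# Assumption: Zones\3 is the Internet zone and value 1400 is Active Scripting.
param([switch]$Apply)

$ZonePath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$ValueName = '1400'

function Get-InternetZoneActiveScripting {
    # Returns a human-readable state; a missing value behaves as "enabled".
    $item = Get-ItemProperty -Path $ZonePath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'unset (behaves as enabled)' }
    switch ([int]$item.$ValueName) {
        0       { 'enabled' }
        1       { 'prompt' }
        3       { 'disabled' }
        default { "unknown ($($item.$ValueName))" }
    }
}

function Disable-InternetZoneActiveScripting {
    # 3 = disable. IE picks the change up on the next page load; no reboot needed.
    if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
    Set-ItemProperty -Path $ZonePath -Name $ValueName -Value 3 -Type DWord
}

"Internet zone Active Scripting: $(Get-InternetZoneActiveScripting)"
if ($Apply) {
    Disable-InternetZoneActiveScripting
    "After applying workaround:   $(Get-InternetZoneActiveScripting)"
}
```

Run without arguments to audit the current user's setting, or with `-Apply` to set it to disabled; the change affects only the Internet zone, so intranet and trusted sites keep their own script settings.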
This flaw, says Secunia, is a close cousin of one discovered by a Chinese security researcher last September; those bugs have since been squashed.