Internet News
By Ryan Naraine
August 19, 2004
A security bug in Microsoft Internet Explorer's drag-and-drop feature could put millions of Web surfers at risk of malicious hacker attacks, researchers warned on Thursday.
According to a Secunia alert, the flaws, detected and reported by http-equiv, affect IE versions 5.01, 5.5 and 6.0 on fully patched systems running Microsoft Windows XP SP1 or SP2.
Secunia rated the flaws "highly critical" and urged IE users to disable the browser's Active Scripting feature.
The company said the vulnerability is caused by insufficient validation of drag-and-drop events issued from the "Internet" zone to local resources. An attacker could potentially plant a harmful executable file in a user's startup folder, where it would run the next time Windows boots.