The vulnerability could be exploited by an attacker who tricks a user into visiting a malicious website. When the user drags what appears to be an image but is actually a program, the executable is planted in the user's Startup folder and runs the next time Windows starts.
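Because the payload lands in a Startup folder, the quickest after-the-fact check is to enumerate those folders and flag anything executable, particularly files whose name carries an image extension before the real one (for example photo.jpg.exe). The following PowerShell is an added example written for this page, not code from the article, from Secunia, or from http-equiv; the list of extensions treated as executable and the image-name pattern are assumptions chosen for illustration, and the script needs PowerShell 3 or later rather than the Windows XP-era tooling the article describes.

```powershell
# Added example: audit the per-user and all-users Startup folders for
# executables, including ones disguised with a double extension.
# The folder paths are resolved through .NET's special-folder API so the
# script does not hard-code a locale- or version-specific path.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Assumed set of extensions to treat as executable (illustrative, not exhaustive).
$executableExtensions = @('.exe', '.com', '.bat', '.cmd', '.scr', '.pif',
                          '.lnk', '.hta', '.vbs', '.vbe', '.js', '.jse', '.wsf')

$results = foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }

    # -Force includes hidden/system files, which an attacker may set to
    # hide the planted executable from a casual look at the folder.
    Get-ChildItem -LiteralPath $folder -Force -File | ForEach-Object {
        $ext = $_.Extension.ToLowerInvariant()
        [PSCustomObject]@{
            Folder         = $folder
            Name           = $_.Name
            Created        = $_.CreationTime
            Hidden         = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
            Executable     = $executableExtensions -contains $ext
            # "photo.jpg.exe" has BaseName "photo.jpg": an image-looking name
            # in front of an executable extension is the pattern to flag.
            LooksLikeImage = $_.BaseName -match '\.(jpe?g|gif|png|bmp)$'
        }
    }
}

# Newest entries first, since a freshly planted file is the one of interest.
$results | Sort-Object Created -Descending | Format-Table -AutoSize

# Summarise the suspicious subset separately so it is not lost in the listing.
$suspicious = $results | Where-Object { $_.Executable -and ($_.LooksLikeImage -or $_.Hidden) }
if ($suspicious) {
    Write-Warning ("{0} suspicious Startup entries found:" -f @($suspicious).Count)
    $suspicious | Format-Table Folder, Name, Created -AutoSize
}
```

Run it in an elevated session if you want the all-users folder fully readable. A legitimate shortcut (.lnk) placed by an installer will show up as Executable, so the LooksLikeImage and Hidden flags, together with the creation time, are what separate a planted file from normal noise.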
IT security-services firm Secunia rated the flaw, discovered by a security researcher named "http-equiv," as highly critical.
Even though the proof-of-concept exploit demonstrated by http-equiv requires the user to drag and drop, it could be rewritten to need only a single click, according to Copenhagen-based Secunia.
The IE flaw has been confirmed on a system running IE 6.0 on Windows XP SP1 and SP2, Secunia said. The vulnerability also affects IE 5.01 and 5.5.