A newly discovered flaw in Microsoft Internet Explorer (IE) affects various IE releases, including the version in Windows XP Service Pack 2 (SP2), leaving users of the incredibly buggy browser open to attack. The flaw, which security firm Secunia disclosed this weekend, affects IE 6, 5.5, and 5.01 and Windows XP SP2 and SP1.
  
Secunia describes the flaw as "highly critical," which is apparently more serious than "critical" but less serious than "wicked critical." The firm says that it created a proof-of-concept attack
based on the flaw, which requires users to drag and drop content from a malicious Web site onto their hard disks, thus bypassing IE's security-zone protection. Secunia recommends that IE users disable Active Scripting until Microsoft issues a patch. A more proactive solution would be to use a more secure Web browser: I recommend Mozilla Firefox .
  
Curiously, Microsoft is downplaying the flaw's risk, citing the amount of user interaction required to exploit it. "Given the significant amount of user action required to execute an attack, Microsoft does not consider this to be a high risk for customers," a Microsoft representative said, noting that the company is still investigating the flaw.
  
Meanwhile, a new version of Download.Ject that's circulating on the Web affects all pre-XP versions of Windows. Users who have upgraded to XP SP2 are invulnerable to the attack, according to security researchers. The original Download.Ject surfaced in June, and Microsoft modified SP2 to handle that style of attack.