Unpatched Explorer flaw 'extremely critical'

Browser flaw allows arbitrary code to be executed

Security experts from UK company Computer Terrorism have released a proof-of-concept exploit for a security flaw in Microsoft's Internet Explorer that could allow an attacker to take control of a system. 

An advisory published by security firm Secunia gave the vulnerability its most severe rating of 'extremely critical'. 

Computer Terrorism used a security flaw in the way that Internet Explorer handles JavaScript to launch an application when an individual visits a website. 

The vulnerability was first reported on 31 May 2005 but was initially believed to be 'merely' a denial of service flaw that could crash a system. 

The proof-of-concept code that Computer Terrorism showed elevated the threat level of the vulnerability because it now allows arbitrary code to be executed.

The new concept demonstrates how the calculator application was launched when a user visits a website (see test link below).

An attacker could exploit the flaw by crafting a website that downloads and installs spyware or software that turns the system into a zombie computer.

Security researchers recommend users to disable JavaScript when they visit untrusted websites, or switch to an alternative browser such as Firefox or Opera. 

The JavaScript flaw in Internet Explorer is unrelated to the exploit of a vulnerability in Windows XP SP1 or Windows 2000 about which vnunet.com reported on Monday.

• The Internet Explorer vulnerability can be tested here.