The Explorer problem involves the way the javaprxy.dll COM object works with object tags, according to SEC Consult, but is part of a wider problem. "We found that at least 20 of the objects available on an average XP system either lead to an instant crash or an exception after a few reloads," the firm said in an advisory.
Crashes are one thing, but the javaprxy.dll flaw may also allow an attacker to run malicious script code, although neither Microsoft nor SEC Consult could confirm that this was more than a potential outcome. "An attacker who successfully exploited this vulnerability could run malicious script code on the local system. This could allow an attacker to take complete control of the affected system," said Microsoft in an advisory.
Microsoft claim to be investigating the flaw, which was first reported by Danish security notification firm Secunia, but denies any reports of actual attacks based on this flaw, maintaining that it is still at "proof of concept" level. Users of Internet Explorer versions 5.01, 5.5, and 6.0 are all at risk.