A zero-day exploit for IE has been published which means that computer users can be attacked simply by visiting a website. The attack allows a remote cracker to take complete control of a Windows system, a proof-of-concept exploit of which has been made available by Computer Terrorism.

The flaw is based on a Javascript Window() vulnerability which Microsoft has known about for several months. However Vole has been mistakenly treating it as a low-priority denial-of-service flaw, a spokesman for Computer Terrorist said.

The exploit works on fully patched Windows XP systems with default IE installations and could be good-night Vienna to anyone using the Microsoft browser.
Microsoft has confirmed that systems running Windows 2000 SP4 and Windows XP SP2 are at risk, but claims that Windows Server 2003 and Windows Server 2003 SP1 systems are safe. The problem does not extend to Firefox or other browsers.