The security hole in MetaTrader 4 is nothing but its new MQ4 Expert Language. The new language allows external API calls to any MQ4 and DLL files, which introduces many possibilities for expert development: closed-source experts, for example, since some developers don't want to expose their creations to the public.
While giving such a benefit, it also creates a security issue for users. It is extremely dangerous to allow such calls. If you're unlucky, you will run a malicious expert without realising what will happen. Believe it or not, API calls can infect your PC with viruses, spy on your keyboard activity, delete your files, and even format your hard disk.
I've attached an expert that makes two API calls: first it opens the thebugs.ws website, and second it attempts to send a blank email to me. This expert is safe and worth demonstrating.
Note: Luckily, the "Allow DLL imports" checkbox must be checked for any expert to call an external API.
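
A defender-side check for the risk described above, as an added example that is not part of the original post: it lists every DLL, and the functions taken from it, that an expert's MQ4 source declares through `#import`, so you can review them before ticking "Allow DLL imports". It works on source (.mq4) only, not on compiled closed-source experts; the function names and the sample input are constructed for illustration.

```python
import re

# An MQL4 import block starts with  #import "file"  and is closed either by a
# bare  #import  or by the next  #import "other_file".
IMPORT_RE = re.compile(r'^\s*#import\b\s*(?:"([^"]*)")?')
# First identifier followed by "(" on a prototype line is the function name.
FUNC_RE = re.compile(r'\b([A-Za-z_]\w*)\s*\(')


def strip_comments(src):
    """Drop /* ... */ and // comments so commented-out imports are ignored.
    Simplification (assumption): string literals containing // are not handled."""
    src = re.sub(r'/\*.*?\*/', '', src, flags=re.DOTALL)
    return re.sub(r'//[^\n]*', '', src)


def audit_imports(src):
    """Return {module: [function names]} for every #import block in src."""
    found, current = {}, None
    for line in strip_comments(src).splitlines():
        m = IMPORT_RE.match(line)
        if m:
            current = m.group(1)          # None means a bare, closing #import
            if current is not None:
                found.setdefault(current, [])
            continue
        if current is not None:
            f = FUNC_RE.search(line)
            if f:
                found[current].append(f.group(1))
    return found


def dll_imports(src):
    """Only the imports that need the "Allow DLL imports" checkbox."""
    return {mod: funcs for mod, funcs in audit_imports(src).items()
            if mod.lower().endswith('.dll')}


# Constructed sample source, not the expert attached to the post.
SAMPLE = '''
#import "shell32.dll"
   int ShellExecuteA(int hwnd, string op, string file, string params, string dir, int show);
#import "stdlib.ex4"
   string ErrorDescription(int error_code);
#import
// #import "commented_out.dll"
int start() { return(0); }
'''

if __name__ == "__main__":
    for module, funcs in dll_imports(SAMPLE).items():
        print(module, "->", ", ".join(funcs))
```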