Microsoft says it is investigating public reports of a
vulnerability in older versions of Internet Explorer that could
enable attackers to inject their own code onto Windows PCs.

In a security advisory, Microsoft says the vulnerability primarily
affects Internet Explorer 6 and 7, as well as related service
packs. The older IE 5.01 Service Pack 4 and the newer IE 8 are not
affected.

"The vulnerability exists as an invalid pointer reference of
Internet Explorer," Microsoft says. "It is possible under certain
conditions for a CSS/Style object to be accessed after the object
is deleted. In a specially-crafted attack, Internet Explorer
attempting to access a freed object can lead to running
attacker-supplied code."

Although the vulnerability is public and no patch is available yet,
Microsoft says it does not know of any active exploits. Once it
finishes its investigation, Microsoft says it will respond,
possibly through an out-of-cycle update or a scheduled Patch
Tuesday release.

Microsoft also says it is working with partners to "monitor the
threat landscape and take action against malicious sites that
attempt to exploit this vulnerability."

As a workaround, Microsoft says users of the affected versions of
IE could run their browsers in restricted mode (Enhanced Security
Configuration). Microsoft also says systems configured with fewer
user rights may be less likely to be affected.