Microsoft warns of zero-day Internet Explorer bug

Attackers are exploiting an unpatched flaw in IE6 and IE7, which could allow them to access a system remotely, according to the company
Written by Matthew Broersma, Contributor

Microsoft says a serious zero-day flaw is being actively exploited by attackers, affecting Internet Explorer 6 and 7.

The vulnerability was announced on Tuesday, the same day that Microsoft released its monthly patches, distributing two patches to address eight vulnerabilities in Windows and Microsoft Office. Microsoft ranked both patches as "important".

Microsoft said it is investigating public reports of the flaw in IE6 and IE7, which could allow an attacker to execute malicious code remotely on a user's system — for instance, by tricking the user into visiting a malicious web page.

The latest version of the browser, IE8, is not affected by the flaw, nor is IE5.01 Service Pack 4 on Windows 2000 Service Pack 4, Microsoft said in an advisory.

The bug is due to an invalid pointer reference being used in IE, according to Microsoft.

"It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted," the company stated. "In a specially crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution."

Microsoft acknowledged that attackers are attempting to exploit the bug. The company said it may provide a patch through its monthly security updates or via an out-of-cycle update.

Microsoft said the use of Protected Mode — a security feature in Windows Vista and Windows 7 — would give a successful attacker very limited system access.

The company also noted that all supported versions of Microsoft Outlook, Microsoft Outlook Express and Windows Mail open HTML email messages in the Restricted Sites zone, meaning an attacker would not be able to carry out an attack via an email message.

Independent security firm Secunia said in an advisory that the bug is "extremely critical", and advised users against visiting untrusted sites.