Zero-day loophole in older IE browsers found

Attackers can exploit the Internet Explorer vulnerability to gain the same user rights as the current user and launch malicious Web sites, according to Microsoft.
Written by Kevin Kwang, Contributor

Microsoft is looking into a vulnerability in older versions of its Internet Explorer (IE) browser which, when exploited, could let an attacker gain administrative user rights on the computer and host malicious Web sites.

In a security advisory issued last Saturday, the software giant said it is investigating public reports of the zero-day loophole in Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8. The newer versions, IE9 and IE10, are not affected by this vulnerability, it added.

The company said the remote code execution vulnerability lies in the way "IE accesses an object in memory that has been deleted or has not been properly allocated".

"An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," Microsoft stated.

Once administrative rights are obtained, attackers could then launch malicious Web sites targeting unsuspecting Internet users.

"In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site," Redmond added.

Once investigations are completed, Microsoft said it will take the "appropriate action" to protect its customers, which may include providing a patch through its usual monthly security update process or an out-of-cycle security update.
