Microsoft confirms critical un-patched Internet Explorer CSS vulnerability

By Tom Warren, on 23rd Dec 10 1:12 am with 2 Comments

Microsoft said on Wednesday that it has identified a new vulnerability affecting all versions of Internet Explorer.

The flaw could allow malicious users to run unauthorised code remotely inside the iexplore.exe process. Proof-of-concept code is currently available that exploits the vulnerability. The code bypasses ASLR and DEP security protections in Windows. Security firm Vupen warned of the vulnerability earlier this month.

The flaw allows remote attackers to take complete control of a vulnerable system. The issue is caused by a use-after-free error within the mshtml.dll library when processing webpages featuring CSS that use “@import” rules. Attackers can exploit the flaw to execute arbitrary code via a specially crafted web page.

Microsoft confirmed the issue in a Security Advisory on Wednesday. “The vulnerability exists due to the creation of uninitialized memory during a CSS function within Internet Explorer. It is possible under certain conditions for the memory to be leveraged by an attacker using a specially crafted Web page to gain remote code execution.” The vulnerability affects Internet Explorer 8 on Windows 7, Windows Vista SP2 and Windows XP SP3. Internet Explorer 6 and 7 are also affected on Windows XP SP3.

Microsoft says it is “unaware of any active exploitation of this vulnerability.” The software giant has offered workarounds for customers, including advising users to set Internet and Local intranet security zone settings to “High” to block ActiveX Controls and Active Scripting in these zones. Microsoft is currently conducting an investigation into the vulnerability and may issue a patch through its monthly security update or an out-of-cycle security update, depending on customer needs.
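To check whether that workaround is actually in place on a machine, the following read-only PowerShell audit inspects the two zones named above. It is an added example, not code from Microsoft's advisory or from this article, and it assumes the current user's zone settings in HKCU are the ones in effect (Group Policy can override them from the Policies hive). The function name `Test-ZoneHardening` is hypothetical.

```powershell
# Added example: read-only audit of the "High" zone workaround.
# Zone IDs, CurrentLevel and action IDs are the standard Internet Explorer
# URL security zone registry values; nothing is modified.
$base     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$high     = 0x12000   # CurrentLevel for the "High" security template
$disabled = 3         # per-action value meaning "Disable"
$actions  = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1400' = 'Active scripting'
}

function Test-ZoneHardening {
    param([int]$ZoneId, [string]$ZoneName)

    $key   = Join-Path $base ([string]$ZoneId)
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) {
        # Missing key: the zone has no per-user settings to audit.
        return [pscustomobject]@{ Zone = $ZoneName; Check = 'zone key present'; Value = $null; Ok = $false }
    }

    # 1. Is the zone on the "High" template as a whole?
    [pscustomobject]@{
        Zone  = $ZoneName
        Check = 'CurrentLevel is High'
        Value = '0x{0:X}' -f $props.CurrentLevel
        Ok    = ($props.CurrentLevel -eq $high)
    }

    # 2. A zone on a custom level can still meet the goal of the workaround,
    #    so check the two individual actions it is meant to block.
    foreach ($id in $actions.Keys) {
        [pscustomobject]@{
            Zone  = $ZoneName
            Check = "$($actions[$id]) disabled"
            Value = $props.$id
            Ok    = ($props.$id -eq $disabled)
        }
    }
}

$report = foreach ($z in $zones.GetEnumerator()) { Test-ZoneHardening $z.Key $z.Value }
$report | Format-Table -AutoSize
if ($report.Ok -contains $false) { Write-Warning 'Workaround is not fully applied for this user.' }
```

Because zone settings are stored per user, run it in the context of each account that browses with Internet Explorer.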

  • Anonymous

    Looks like I’m in the clear since I use IE9. Let’s get this patched before exploits are written.

    • http://twitter.com/Daniel_H_UK Daniel Hartshorn

      Same here, let’s hope Microsoft can prove that IE is the most secure browser by getting the patch out ASAP