Microsoft said on Wednesday that it is investigating reports of a new 0-day vulnerability in all supported versions of Internet Explorer.
The vulnerability, which affects IE 6 through 8, is caused by an invalid flag reference within Internet Explorer. Microsoft officials said that, under certain conditions, the invalid flag reference can be accessed after the object it points to has been deleted. In a specially crafted attack, this attempt to access a freed object can be used to cause Internet Explorer to allow remote code execution.
Microsoft says it is not aware of any targeted attacks using the latest vulnerability, but the software giant has issued a Security Advisory with further details. The flaw affects Internet Explorer 6, 7 and 8 on Windows XP through Windows 7; both 32-bit and 64-bit versions are affected. Microsoft’s latest browser, Internet Explorer 9, currently in beta testing, is not affected.
Microsoft group manager of response communications Jerry Bryant said that the exploit code was discovered on a single Web site which is no longer serving the malicious code. “These kinds of attempts to exploit systems and the people using technology are the activity of criminals. Microsoft takes this very seriously and where possible, we will take legal action against those responsible,” said Bryant.
Microsoft is currently working on a security update to address the flaw but confirmed that the issue does not meet the criteria for an out-of-band release. Microsoft says it is monitoring the threat landscape very closely and, if the situation changes, will update partners and customers immediately.