Microsoft Investigating New IE Flaw

A new vulnerability has been discovered within Internet Explorer 6 for Windows XP that could open up computers to attack through the execution of arbitrary code from a malicious Web site.

What's worse is that code to exploit the vulnerability is already available on the Internet, according to the French Security Incident Response Team. The group discovered the flaw and disclosed it on Wednesday.

The security hole is created through a memory corruption error when executing an instance of the msdds.dll object as an ActiveX control. A hacker could theoretically use the DLL to take control of an affected user's computer after a Web page designed to exploit the vulnerability is opened.

Microsoft issued its standard statement in response to the discovery and disclosure of the flaw, saying it was "aggressively investigating" the issue. While it has not been made aware of any attacks exploiting the vulnerability so far, Microsoft said it would work towards releasing a patch as soon as possible.

It is unknown whether FrSIRT took appropriate measures to alert Microsoft, as the Redmond company said it was "concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk."

Also unknown is how common the DLL file is on machines. So far, the group has only found the file included with Microsoft's Visual Studio program, but they are continuing to investigate whether it may also be included in more common software.

Thursday's disclosure of a new vulnerability in Internet Explorer comes just a week and a half after Microsoft patched critical flaws in the browser that could have resulted in similar consequences.

According to security researchers, several variants of an exploit for those flaws are currently circulating on the Internet.
