New Variant of Critical IE Flaw Found
A new flaw has been found in Internet Explorer by security firm Secunia through research into another vulnerability present in the browser. The issue was initially believed to be a successful exploit of a problem discovered last week; however, Microsoft said it was actually a new flaw.
Researcher Andreas Sandblad discovered the vulnerability, for which Secunia has issued an advisory that rates it as "highly critical." Like the previous problem, the bug is in the handling of the OBJECT HTML tag. In this flaw, memory can be corrupted to compromise the user's system.
The vulnerability has been confirmed to exist on fully patched computers with Internet Explorer 6 and Windows XP SP2, Secunia said in its advisory. The firm recommended avoiding untrusted Web sites until Microsoft issues a patch for the flaw.
The new problem is being called a "variant" of the original OBJECT vulnerability discovered by researcher Michal Zalewski. "Successful exploitation may allow execution of arbitrary code, but has not been proven," Secunia said in its advisory.
Microsoft has not said whether it plans to issue a fix during this month's Patch Tuesday update cycle. That update is scheduled for May 9, although the company will provide advance notification of fixes on Thursday.