Microsoft finds new hole in old IE

Microsoft said it is is investigating new, public reports of a vulnerability in Internet Explorer 6 and Internet Explorer 7.

The firm confirmed it was "aware of targeted attacks attempting to use this vulnerability," and in addition to publishing workarounds, the firm recommends updating to IE 8, which it says in unaffected.

"In a web-based attack scenario, an attacker could host a web site that contains a web page that is used to exploit this vulnerability," the firm said in an advisory posting. "In addition, compromised web sites and web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability."

The threat from the vulnerability is one of remote code execution.

The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible, a red-faced Vole said, "under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution."

Internet Explorer 8 and Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 are not affected, but Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 are vulnerable.

Microsoft today released two "important" security updates as part of its monthly patching regime. One fixed vulnerabilities in Microsoft's Movie Maker, a second patched up Microsoft Office. The new vulnerability is unpatched and is in addition to the IE vulnerability outed last week in which malware can persuade users to hit the F1 button, with remote access consequences.