Danish company Secunia posted details of the alleged flaw, which could be used in combination with an reported by the company.
A Microsoft representative said the company was investigating the report but was not aware of any exploits involving the supposed flaw. The representative also echoed previous criticisms of security researchersbefore software makers can adequately investigate and remedy the problems. "Microsoft continues to encourage the responsible disclosure of vulnerabilities," the representative said.
The new flaw could allow the owner of a malicious Web site to deliberately misidentify a downloadable file, so a malicious program file could be made to appear as if it were a secure file. Visitors might think they were downloading a document based on Adobe's portable document format (PDF), for instance, but actually receive a malicious, self-executing program such as the.
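A defender-side check for the mismatch described above, added here as an illustration and not taken from Secunia's advisory or from Microsoft: it compares the file type implied by the displayed name with the type implied by the file's leading bytes. The function names, the extension list and the sample inputs are assumptions made for this example.

```python
import os

# Leading-byte signatures for the two formats named in the article.
# "%PDF-" opens a PDF file; "MZ" opens a Windows (PE/DOS) executable.
SIGNATURES = {
    "pdf": b"%PDF-",
    "exe": b"MZ",
}

# Extensions treated here as directly runnable (illustrative, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif"}


def sniff(content: bytes) -> str:
    """Return the format implied by the leading bytes, or 'unknown'."""
    for kind, magic in SIGNATURES.items():
        if content.startswith(magic):
            return kind
    return "unknown"


def claimed_type(display_name: str) -> str:
    """Extension shown to the user, lower-cased, without the dot."""
    return os.path.splitext(display_name.strip())[1].lstrip(".").lower()


def check_download(display_name: str, content: bytes) -> str:
    """Classify a download as 'ok', 'mismatch' or 'disguised-executable'."""
    claimed = claimed_type(display_name)
    actual = sniff(content)
    if actual == "exe" and claimed not in EXECUTABLE_EXTS:
        return "disguised-executable"  # named like a document, runs as code
    if claimed in SIGNATURES and actual != claimed:
        return "mismatch"              # content is not what the name promises
    return "ok"


# Constructed sample inputs (byte strings made up for this example).
SAMPLES = [
    ("report.pdf", b"%PDF-1.4\n%..."),
    ("report.pdf", b"MZ\x90\x00\x03\x00"),
    ("report.pdf", b"<html>not a pdf</html>"),
    ("setup.exe", b"MZ\x90\x00\x03\x00"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name:12} -> {check_download(name, data)}")
```

The two-byte "MZ" signature is a coarse heuristic, so a mail or proxy gateway using a check like this would treat a hit as a reason to quarantine and inspect rather than as proof.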
Secunia's advisory includes an online test showing how the flaw could be exploited. The company said it identified the hole in the current version 6 of Internet Explorer, but previous releases also could be affected. Secunia representatives did not immediately respond to a request for comment.
The alleged flaw could be particularly effective if used in combination with another IE hole identified by Secunia last month. That flaw lets Web site owners disguise the identity of their site by displaying a false address in the Internet Explorer address and status bars.
Microsoft's delay in addressing that flaw has drawn criticism from security experts and led an open-source programming group tofor the flaw.
Microsoft last year instituted a new, deciding to cluster fixes in a single monthly release rather than distributing piecemeal updates.