The security hole is in the company's popular Web browser on Windows 95/98 and allows the execution of arbitrary programs on computers when users visit a Web page or receive Outlook email. It does so by creating, overwriting, and putting content in local files.
The problem may take "full control over the user's computer," according to Georgi Guninski, a Bulgarian programmer who discovered the problem over the weekend. Guninski has reported a number of bugs from various browser makers in the past.
The security hole is related to an ActiveX control that ships with IE5. That control could potentially pose a security risk to customers if it is used improperly by a malicious hacker, Microsoft confirmed.
The software giant has not received any reports of customers being affected by the security hole and plans to have a patch posted to its Windows Update site within the week. In the meantime, customers concerned with this issue can disable the ActiveX controls and plug-ins using the "Internet Options" setting in IE5.
The problem with the ActiveX Control and allowing new content to be put in files means an HTML application file may be created, implanted with information that can exploit files, and written to the StartUp folder, Guninski said.
The next time the user reboots, the code in the HTML application file will be executed. This vulnerability can be exploited via email as well, Guninski said.
To encounter this issue, Microsoft insists, a user would need to visit a Web site where a malicious hacker has misused this ActiveX control in an effort to gain access to a user's hard drive. Users could also encounter the problem through HTML mail that is scripting enabled.
ActiveX is component software technology from Microsoft that provides tools for linking desktop applications to the Web. Using a variety of programming tools--including Java, Visual Basic, and C++--developers can create interactive Web content. For instance, ActiveX technology can allow users to view Word and Excel documents directly in a browser.
ActiveX has been criticized in the past for being less secure than other component models.
"The deal with ActiveX is it is fundamentally unsecured," said Gary McGraw, an analyst with Reliable Software Technologies. "ActiveX doesn't have a security model built into it like Java. It just has those dialogue box warnings," so security problems with ActiveX have become more and more common, he said.
ActiveX was originally envisioned by Microsoft as a Web-based component architecture for building Internet applications. The company has since recast ActiveX as a technology best suited for use across corporate networks, although public Web sites using ActiveX still exist.
Earlier in the year, Microsoft acknowledged another ActiveX-related security flaw. In that case, the flaw circumvented a browser security feature that requires users to type in the name of a file before a Web site can load it.