Microsoft warns of unpatched IE flaw

Software giant issues security advisory after a research firm publishes a working exploit of the vulnerability.

Dawn Kawamoto Former Staff writer, CNET News

Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.

Dawn Kawamoto

July 1, 2005 10:05 a.m. PT

Microsoft has issued a security advisory for Internet Explorer, after a research firm published a working exploit to demonstrate how attackers could take advantage of the flaw.

The vulnerability, discovered by SEC Consult, mean that attackers could cause the browser to unexpectedly exit and execute arbitrary code. Versions of IE affected by the flaw include IE 6.0 on Windows 2000 with Service Pack 1, 3 and 4, and on Windows XP with Service Pack 1 and 2.

"Microsoft is investigating a new public report of a vulnerability affecting Internet Explorer. We have not been made aware of any attacks attempting to use the reported vulnerability or customer impact at this time," Microsoft said Thursday in its advisory. "But we are aggressively investigating the public report."

A patch for the flaw is not available. As an interim measure, the software giant advises people to set their Internet and local intranet security zone settings to "high" before running ActiveX controls.

The alert is part of a recently launched Microsoft program to confirm reports of security problems and provide a workaround until a fix is delivered.

The discovery of this latest IE flaw comes two weeks after Microsoft released several "critical" security patches, including one for IE.Those patches addressed vulnerabilities that allowed for remote execution of code.