A security researcher has publicly disclosed a security flaw in Internet Explorer, the second unpatched vulnerability in the Microsoft browser to be disclosed publicly within a week.
The flaw lies in the way IE, the world's most used Web browser, handles certain dialogs, bug hunter Matthew Murphy wrote in an advisory sent to the Full Disclosure mailing list earlier this week.
"As a result, it may be possible for a malicious Web site to install software on a visiting system or take other actions that may compromise the privacy or the security of the visitor," he wrote. Microsoft was informed in October last year, Murphy wrote.
Microsoft acknowledges the issue, but said it does not plan to issue a security update for it. "The vulnerability cannot be used to execute code on a user's system without multiple user actions that are uncommon in typical Web browsing scenarios," a company representative said in an e-mailed statement.
Due to the mitigating factors and the testing needed for the change, Microsoft has determined that the issue should be addressed in a service pack, rather than a security update, the company said, adding that it is not aware of any attacks that use the reported vulnerability at this time.
The French Security Incident Response Team, or FrSIRT, rates the bug "high risk," one notch below its highest risk rating. The security monitoring company does specify that users would have to be lured to a malicious Web site and perform actions such as writing specific text in a field to be compromised.
This is the second IE flaw publicly released within a week. Michal Zalewski over the weekend disclosed a flaw that could be exploited to hijack a vulnerable Windows computer. Monitoring company Secunia deems that flaw "highly critical."