Yet another flaw hits IE browser

IE logo

Microsoft has admitted another vulnerability in older versions of its Internet Explorer browser, with attacks already taking advantage of the problem.

The flaw only affects IE6 and IE7, not IE8. Naturally, Microsoft has again advised users to upgrade to IE8.

The Microsoft bulletin said the flaw is linked to an invalid pointer reference. "It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution."

Microsoft said hackers are already making use of the flaw. "At this time, we are aware of targeted attacks seeking to exploit this vulnerability against Internet Explorer 6," communications head Jerry Bryant said on the Microsoft security blog.

The firm noted that the Internet Explorer Protected Mode in IE7 running on Vista helps to "mitigate" the problem, while instances of the browser running on Server 2003 and 2008 should also be safe because of default security settings.

Microsoft said it is still investigating the flaw, and will offer an update either through the monthly patching cycle - not due again until April - or an out-of-band patch.

Read on for more about the problems facing Internet Explorer.