Just days after releasing its monthly patch update, Microsoft warned Thursday of a new Internet Explorer flaw attackers could exploit to crash machines or take them over.
"Microsoft is investigating new public reports of a vulnerability [that] may allow an attacker to execute code on a user's machine by convincing them to visit a malicious Web site using Internet Explorer," a Microsoft spokesman said in an email. The software giant confirmed exploit code has been publicly released but said it is not aware of any attacks attempting to use it.
Microsoft has released an advisory outlining steps users can take to protect their machines.
The French Security Incident Response Team (FrSIRT) said in an advisory that the flaw is due to a memory corruption error when processing a specially crafted argument passed to the "KeyFrame()" method of a "DirectAnimation.PathControl" (daxctle.ocx) ActiveX object. Attackers could exploit this condition to cause a denial of service or launch malicious commands by convincing a user to visit a malicious Web page.
FrSIRT said it successfully exploited the security hole on a fully patched Windows XP SP2 system.
To mitigate the threat, IT administrators should only allow trusted Web sites to run ActiveX controls, Danish vulnerability clearinghouse Secunia said in an advisory. FrSIRT recommended administrators disable Active Scripting in the Internet and local intranet security zones, though certain Web sites won't work properly if this is done.
The appearance of a new exploitable flaw immediately after Microsoft's monthly patch release has become a familiar pattern.