Microsoft is investigating a claim that attackers could exploit a new Internet Explorer (IE) flaw to launch malicious code or cause a denial of service.
The flaw, outlined in an advisory yesterday from the Xsec vulnerability research organization, is caused by the way IE tries to instantiate certain COM objects as ActiveX controls.
Attackers can allegedly exploit the flaw by constructing a malicious Web page and tricking a user into visiting it. In an advisory sent to customers of its DeepSight Threat Management Service, Cupertino, Calif.-based antivirus giant Symantec Corp. noted that such a Web page would invoke the COM objects in a manner that would trigger the vulnerability. The malicious page could then pass content to the control, such as embedded memory addresses and executable instructions.
Symantec has warned that proof-of-concept code that demonstrates how to exploit the flaw is available.
Xsec said in its advisory that the vulnerability affects Windows 2000, Windows XP and Windows 2003. Xsec did not immediately respond to a request for more details.
Microsoft said it is investigating the flaw report and will provide guidance to customers as needed.
"Microsoft is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time," a company spokesman said in an email exchange Monday. "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process."
In the meantime, Symantec recommended that IT administrators and users:
Microsoft also has a list of workarounds to help IT administrators mitigate vulnerabilities like this one. They include: