In addition to the patches it released earlier today, Microsoft has confirmed that it is investigating another security vulnerability in its Internet Explorer Web browser. The flaw is potentially a serious one, since under certain conditions it could allow an attacker to execute arbitrary code remotely:
The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.
According to Microsoft, the vulnerability does not affect Internet Explorer, version 8 (the latest version), but it does affect the earlier versions 6 and 7, on all supported Windows versions except Windows 7 (which ships with Intenet Explorer 8).
Microsoft says it is only aware of “targeted” attacks (ones focused on a specific organization or individual) against this vulnerability at present, but it is fairly common for attacks to become steadily more widespread, as more of the Bad Guys learn how to work the exploit.
There is no fix available at present; the Security Advisory contains some suggested mitigation steps. If you are using Internet Explorer, you should upgrade to version 8 if you have not already done so, or consider switching to a more secure browser, such as Firefox or Opera.
Update, Thursday, 11 March, 15:30 EST
The German online magazine Heise is reporting (in German) that an exploit for this vulnerability has been published on the Internet, in the form of a module for the Metasploit framework. So far as I am able to tell, there is no patch available yet.