Microsoft on Monday issued a security advisory describing a new remote code execution vulnerability in various versions of its Internet Explorer (IE) web browser. While the company admits that there is exploit code in the wild, it says there are no actual attacks in the wild at this time. Still, it is investigating the issue and determining how it should respond.
The flaw does not affect the latest IE version, IE 8, which ships as part of Windows 7 and is available separately for users of Windows XP and Vista. It does, however, affect IE 6 on Windows 2000 with Service Pack (SP) 4, and IE 6 and IE 7 on Windows XP, Windows Server 2003, Vista, and Server 2008.
"Microsoft has activated its Software Security Incident Response Process (SSIRP) and continues to investigate this vulnerability," a statement from the software giant reads. "While Microsoft is not currently aware of active attacks, the company recommends customers review and implement the workarounds outlined in the advisory until a comprehensive security update is released."
Those workarounds include such things as upgrading to IE 8, changing the security zone under which ActiveX controls run, configuring IE to prompt before running an ActiveX control, and enabling Data Execution Protection (DEP) in IE 6 with SP2 or IE 7. More details about the flaw and Microsoft's workarounds are available in the security advisory