A new, unpatched flaw in Internet Explorer could let miscreants surreptitiously run malicious code on Windows PCs, according to the discoverer of the bug.
The problem affects Internet Explorer 6, the latest version of Microsoft’s Web browser, on computers running Windows XP with Service Pack 2 and all security patches installed, Tom Ferris, an independent security researcher in Mission Viejo, Calif., said in an interview Monday. Other versions of Windows and IE may also be vulnerable, he said.
The security hole allows for “full-blown remote code execution,” Ferris said. “If a user browses to a bad Web site, malicious software can be installed on their PC without their knowledge.” Ferris claims credit for discovering the problem and said he informed Microsoft of the flaw on Aug. 14. He reported some basics of the bug on his Security Protocols Web site Saturday, but he is not sharing more details to prevent information from getting into the wrong hands.
A Microsoft representative late Monday confirmed the company received Ferris’ report. The Redmond, Wash., software giant can’t confirm whether the flaw exists, but it is investigating the report, the representative said. “At this time, there are not any attacks, and there are not any risks” to users, she said.
Ferris said he provided Microsoft with details on the bug, including computer code to prove the existence of the problem. On his Web site, Ferris shows a screen shot of a crashing IE 6 Web browser, which he said was caused by the same bug.
Upon completion of the investigation, Microsoft will take the appropriate action to protect users, the representative said. This may include providing a security update through its monthly patch release or providing an out-of-cycle security update, she said.