Microsoft is investigating reports of limited, targeted attacks against customers of Internet Explorer 6, using a vulnerability in Internet Explorer.
Microsoft’s investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are vulnerable.
The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.
At this time, Microsoft’s experts are aware of limited, targeted attacks attempting to use this vulnerability against Internet Explorer 6. “We have not seen attacks against other versions of Internet Explorer. We will continue to monitor the threat environment and update this advisory if the situation changes. On completion of this investigation, Microsoft will take appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update”, – the report says.
