
Exploit code available on the net...
By Joris Evers
Published: 18 August 2005 08:20 GMT
Microsoft is investigating a report of a new, unpatched flaw in Internet Explorer that could expose users of the ubiquitous web browser to attacks.
An attacker could craft a malicious website that takes advantage of the flaw and gain control over the PCs that visit the website, or install malicious software on those systems, a representative of the French Security Incident Response Team (FrSIRT) said on Wednesday. FrSIRT rates the issue "critical", its most serious classification.
Exploit code for the flaw is available on the internet, according to FrSIRT. The availability of exploit code typically raises the risk to users because it could aid miscreants in setting up attacks.
Microsoft is investigating the report of the new IE flaw, a representative of the company said in a statement late on Wednesday. The software maker is not aware of attacks that use the reported flaw, she said. After the investigation, the company will take the appropriate action to protect users, which could include a security update, she added.
Internet security monitoring company Websense has added detection mechanisms for this latest potential IE flaw to its software. As of Wednesday afternoon the company had not found any malicious websites that take advantage of it, said Dan Hubbard, senior director of security and research at Websense in San Diego.
The flaw is similar to security vulnerabilities Microsoft fixed as part of its monthly patch release last week and in July, the FrSIRT representative said. The problem exists because IE inappropriately lets websites instantiate other pieces of Microsoft software on the PC.
It is not clear which users may be at risk. Exploiting this flaw requires a file called "Msdds.dll" to be present on the Windows PC. FrSIRT, which is a security research organisation, is still investigating how common that file is. It appears to be installed with Microsoft's Visual Studio developer tools but it may also be installed with more common software, the FrSIRT representative said.
The FrSIRT representative added: "Microsoft said that this library is installed with Visual Studio but we do not have Visual Studio installed on our lab machines." The group has confirmed the vulnerability on a system with IE 6 on Windows XP with Service Pack 2 and all current patches, this person said.
Meanwhile, Websense has found websites that exploit security flaws Microsoft offered patches for last week and in July. The malicious code embedded in these websites installs a backdoor on the computer of anyone who visits them with IE on a vulnerable Windows computer, Hubbard said.
There are "a couple of dozen" sites that exploit the IE flaw disclosed last week in Microsoft Security Bulletin MS05-038, according to Websense. The hole fixed with Security Bulletin MS03-037 a month ago is exploited by a couple of hundred websites, Hubbard said.
Microsoft rated both those fixed flaws "critical" and has urged users to apply software patches.
Joris Evers writes for CNET News.com
Copyright © 2008 CBS Interactive Limited. All rights reserved.