Security Strategy

Attack code alert over unpatched IE flaw

Exploit in the wild...

Tags: flaw, exploit

By Joris Evers

Published: 15 September 2006 08:45 GMT

Computer code that could be used to hijack Windows PCs via a yet-to-be-patched Internet Explorer flaw has been posted on the net, experts have warned.

The code was published on public websites, where it is accessible to miscreants who might use it to craft attacks on vulnerable Windows computers. Microsoft is investigating the issue, a company representative said in a statement on Thursday.

The representative said: "Microsoft's initial investigation reveals that this exploit code could allow an attacker to execute memory corruption." As a workaround to protect against potential attacks, Microsoft suggests Windows users disable ActiveX and active scripting controls.

The flaw is due to an error in an ActiveX control related to multimedia features and could be exploited by viewing a rigged web page, Symantec said in an alert sent to users of its DeepSight security intelligence service on Thursday. An attacker could commandeer a Windows PC or cause IE to crash, according to the security company.

IE versions 5.01 and 6 on all current versions of Windows are affected, the French Security Incident Response Team, or FrSirt, a security-monitoring company, said in an alert on Wednesday. FrSirt deems the issue "critical", its most serious rating. Microsoft noted that Windows 2003 running Enhanced Security Configuration is not affected.

Upon completion of its investigation, Microsoft may issue a patch for the flaw as part of its monthly release process, the company said. Microsoft is not aware of any attacks that attempt to exploit the new IE vulnerability at this time, it said.

The warning of the new flaw comes only days after Microsoft released its September patches. On Tuesday it released three updates, two for Windows and one for Office. The software maker also released a third version of an Internet Explorer fix after it botched the first two versions of the patch.

In recent months, word of new attacks has repeatedly followed shortly after 'Patch Tuesday'. Some experts believe the timing of the new attack is no coincidence, suggesting attackers look to take advantage of a full month before Microsoft is scheduled to release its next bunch of fixes.

Joris Evers writes for CNET News.com
