In a security advisory, Microsoft says the vulnerability primarily affects Internet Explorer 6 and 7, as well as related service packs. The older IE 5.01 Service Pack 4 and the newer IE 8 are not affected.
"The vulnerability exists as an invalid pointer reference of Internet Explorer," Microsoft says. "It is possible under certain conditions for a CSS/Style object to be accessed after the object is deleted. In a specially-crafted attack, Internet Explorer attempting to access a freed object can lead to running attacker-supplied code."
Although the vulnerability is public and no patch is yet available, Microsoft says it does not know of any active exploits yet. Once it finishes its investigation, Microsoft says it will respond, possibly through an out-of-cycle update or a scheduled Patch Tuesday release.
Microsoft also says it is working with partners to "monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability."
As a workaround, Microsoft says users of the affected versions of IE could run their browsers in restricted mode (Enhanced Security Configuration). Microsoft also says systems configured with fewer user rights may be less likely to be affected.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.