Microsoft Warns Of Another IE Bug

Specifically, the IE bug affects users running Windows XP, or those who have disabled IE Protected Mode. Affected versions of Microsoft's Web browser include IE 6, IE 7 and IE 8 on supported editions of Windows XP.

Protected Mode runs by default on versions of IE running on Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008. The protected mode function mitigates the effects of the vulnerability on those systems by restricting access to processes, files and registry keys, which reduces the ability for an attacker to install code or write, alter or destroy data on a user's machine.

The IE vulnerability enables attackers to access users files with an already known file name and location. Specifically, an attacker who exploited the IE flaw could infiltrate a user's computer by hosting a malicious Web site and then enticing users to open the page, typically through an infected link embedded in a phishing e-mail or IM message. An attacker could also infect users by contaminating an existing legitimate Web site with malicious code.

An attacker could then break into a user's machine to access data stored on a remote hard drive, if they knew the exact file name and location.

The attacker then "could redirect the contents of the locally stored file and force the local content to be rendered as an HTML document, making it visible remotely," Microsoft said in its advisory.

Microsoft said in its advisory that researchers are actively investigating the flaw. Thus far, Microsoft researchers said that they are unaware of any current attacks exploiting the vulnerability, but said that they would "continue to monitor the threat environment." A fix for the IE bug will either be issued as a regularly scheduled security update release or as an out-of-band patch.

Until a patch is released, Microsoft advises users to enable their firewall, apply software updates and install antivirus and antispyware on their computers to protect themselves from future attacks.