A pair of newly discovered security flaws in Microsofts Internet Explorer and Outlook programs could put millions of users at risk of code execution attacks, a private research outfit warned Thursday.
The vulnerabilities were reported to Microsoft Corp. by private research outfit eEye Digital Security, and basic details on the risks and the affected products have been released on eEyes upcoming advisories Web page.
A spokeswoman for the software giant confirmed that engineers at the Microsoft Security Research Center were investigating the eEye discoveries.
"At this time, Microsoft is not aware of any malicious attacks attempting to exploit the reported vulnerabilities, and there is no customer impact based on this issue," she said.
Once the investigation is done, she said Microsoft would "take the appropriate action" to protect affected users.
Under normal circumstances, Microsoft patches are released on a monthly cycle, but in cases of emergency, the company could release an out-of-cycle update.
Since adopting the monthly patching cycle in October 2003, Microsoft has released three out-of-cycle patches, all for "critical" flaws in the Internet Explorer browser.
Marc Maiffret, chief hacking officer at eEye, said the flaws were rated "high-severity" because malicious hackers could run a successful exploit from anywhere on the Internet.
"These are client-side vulnerabilities that could allow attacks via a Web browser or the Outlook client. The risk of a zero-day attack is quite high," Maiffret said in an interview with eWEEK.com.
He said Microsoft was alerted to the first vulnerability March 16.
That bug was found in default installations of IE and Outlook and could allow malicious code to be executed, contingent upon minimal user interaction, he explained.
According to the eEye advisory, the vulnerabilities affect all versions of Windows NT 4.0, Windows 2000 and Windows XP, including Service Pack 2 (SP2).