The hole, if left unpatched, could allow remote attackers to take control of Windows XP machines running Service Pack 2 and Internet Explorer 6 using silent attacks that are launched from malicious Web pages.
The remotely exploitable hole can be used to compromise fully patched Windows XP SP2 computers and there is no way to block attacks, according to Tom Ferris, the independent researcher who found the vulnerability.
News of the critical, unpatched hole comes just weeks after a report on another critical Windows hole from Ferris, who uses the online name "badpack3t."
"Its a pretty nasty flaw," Ferris said on Tuesday.
"If a user visits a malicious Web site, the [attack] code can be executed without them even knowing about it—theres no pop-up or crash screen," he said.
Microsoft Corp. acknowledged in an e-mail that it received Ferriss report and is "aggressively investigating" the flaw.
The Redmond, Wash., company is not aware of attacks that try to use the reported vulnerabilities or of any customer impact, according to a company spokesperson.
Ferris declined to give details about where in IE he found the hole, but said it is not a variant of other known flaws in the widely used Web browser.
"Its not like any other flaw in IE—its definitely different," Ferris said.
Ferris, an independent security researcher who lives in Mission Viejo, Calif., and operates the SecurityProtocols.com Web site, said he told Microsoft about it on Aug. 14 using the firstname.lastname@example.org e-mail address and has exchanged e-mail with a company researcher since then, but hasnt heard anything from the company in a week.
He said staff at Microsoft appeared to be struggling to understand the flaw.
"Ive given them more than enough information to understand it … but they keep asking for more details," he said.
Ferris did not provide proof-of-concept code that shows how the hole can be used to gain remote access to affected machines, but did provide proof-of-concept code that crashes IE.
"Its a blatant access violation crash," he said.
Microsoft said it would take action to address Ferriss report when it completes its investigation.
If Ferriss reported vulnerability holds up, possible remedies could include an unscheduled security patch or a patch released on the companys regular monthly schedule, according to the Microsoft spokeswoman.
Ferris hasnt tested the hole on other versions of Windows XP or Internet Explorer and doesnt know if it will work on other versions of those products.
He said he doesnt believe that other people have discovered the hole, though he acknowledged that he might not be the only researcher who had discovered it.
Windows XP SP2 users who also use Internet Explorer Version 6 have few options for protecting themselves from attacks that use the vulnerability.
Changing the Internet Explorer security settings will not stop attack code from executing on affected systems, and firewall and host intrusion detection products that Ferris tested did not detect the exploit, he said.
Ferris suggested IE users concerned about being attacked using the flaw should switch to other Web browsers until Microsoft has patched the hole.
Microsoft encourages security researchers like Ferris to follow "responsible disclosure" practices and not to publicize holes before a patch is available.
Ferris said he is aware of the companys position and considers himself in a "grey area," because he has not released any details about the vulnerability he found.
Ferris said that he publicized the existence of a hole to warn IE users, who might consider refraining from using the browser until the hole is fixed.