eEye Flags Another IE Code Execution Flaw

The private security research outfit flags a sixth unpatched code execution flaw in Microsoft products.

Microsoft Corp. on Tuesday confirmed it was investigating a new "high risk" vulnerability in the widely used Internet Explorer Web browser.

The software giants acknowledgement follows the release of a brief advisory from Aliso Viejo, Calif.-based eEye Digital Security that the flaw could put millions of users at risk of code execution attacks.

"A vulnerability in default installations of the affected software allows malicious code to be executed," eEye said in a notice placed on its Upcoming Advisories Web page.

The company rated the flaw as "high risk" and warned that users of Internet Explorer, Windows 2000, Windows 2003, Windows XP and Windows XP SP1 were affected.

"[We] can confirm that Microsoft has received a new report of a possible vulnerability through our standard vulnerability reporting mechanism. We are investigating the report and will take appropriate action to help protect customers as part of our normal security response process," a Microsoft spokesperson said in a statement sent to Ziff Davis Internet News.

The vulnerability was brought to Microsofts attention on Monday and is among a list of six Windows flaws discovered by eEye that have not yet been patched.

/zimages/2/28571.gifClick here to read more about eEyes discovery of IE and Outlook flaws.

One of the unpatched vulnerabilities, which affected IE and Microsoft Outlook users, is 66 days overdue, according to eEyes calculations. The company typically gives a software vendor 30 days to release a patch before determining that the fix is overdue.

All six of the unpatched flaws could lead to code execution attacks, according to eEye, and three are listed as overdue.

Under normal circumstances, Microsoft patches are released on a monthly cycle, but in an emergency, the company could release an out-of-cycle update. Since adopting the monthly patching cycle in October 2003, Microsoft has released three out-of-cycle patches, all for "critical" IE flaws.

/zimages/2/28571.gifRead more here about the security enhancements added to the IE 7 beta.

The latest browser bugs come at a time when Microsoft is pushing ahead with plans for a new version of its dominant IE browser. Last week, the company shipped two slightly different IE 7.0 test versions, one as part of the Windows Vista beta and another stand-alone beta to developers.

In Windows Vista, the new browser will include a "defense-in-depth feature" known as "low-rights."

According to Microsoft, "low-rights IE" will back up and support several security-related browser enhancements that include technology to thwart phishing and malware attacks.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.