Microsoft confirms yet another critical IE vulnerability

Microsoft has identified and confirmed a critical vulnerability in Internet Explorer 6 and 7 that has already been exploited by hackers.

However, versions 8 and 5.01 of the popular browser remain unaffected.

“The vulnerability exists due to an invalid pointer reference being used within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted,” Microsoft confirmed in an official statement.

“In a specially-crafted attack, in attempting to access a freed object, IE can be caused to allow remote code execution. At this time, we are aware of targeted attacks attempting to use this vulnerability. We will continue to monitor the threat environment and update this advisory if this situation changes.”

Meanwhile, Andrew Storms, director of security operations at nCircle Network Security, told ComputerWorld that it was too early to know whether or not Microsoft would rush a patch to users.

“Generally, one of the indicators is if an exploit has gone public,” Storms said.

“That often determines how quickly they’ll patch. Of course, the way the Internet moves, [an exploit] could be posted in minutes, and then the story changes completely.”