Security monitoring firm Secunia ranked the flaw, discovered by Polish security researcher Michal Zalewski, "highly critical" in an advisory today. The vulnerability is related to how IE processes certain HTML markup, specifically nested OBJECT tags.
"At first sight, this vulnerability may offer a remote compromise vector, although not necessarily a reliable one," Zalewski said in an internet forum posting Sunday. "The error is convoluted and difficult to debug in absence of sources; as such, I cannot offer a definitive attack scenario, nor rule out that my initial diagnosis will be proved wrong. As such, panic, but only slightly."
The vulnerability has been confirmed to exist on a fully patched system running IE 6.0 and Microsoft Windows XP SP2, according to the Secunia advisory. Other Windows versions also may be affected.
In lieu of a patch, Secunia recommended users avoid visiting untrusted websites.
The announcement of the bug comes as Microsoft today re-released the MS06-015 update, which seeks to fix the previous patch that caused applications to crash on older Hewlett-Packard systems.
"The targeted re-release of MS06-015 is ready," said Stephen Toulouse, a security program manager posting today on Microsoft's Security Response Center blog. "If you are configured for Automatic Update, no need to take any actions. It will detect if you have the problem and deliver the update to you. If you have not yet installed MS06-015, the revised version will be offered to you."