
The researcher explained that the flaw targets a component in IE7 that handles XML tags. Once the malicious page confirms that the visitor is running a vulnerable browser and operating system, a specially crafted tag is loaded.
Zdrnja said that the attack is not believed to be widespread, but public exploit code has been made available. He also noted that a special feature of the attack, waiting six seconds before launching, could make the exploit even more potent.
"This was probably added to thwart automatic crawlers by anti-virus vendors," Zdrnja said of the feature.
A Microsoft spokesperson told vnunet.com that the company is investigating reports of an Internet Explorer vulnerability.
If confirmed, the IE flaw would be the second unpatched vulnerability to emerge for a Microsoft product this month. Attached to yesterday's security release was a note from the company that a flaw in Word 97 had yet to be patched as well.
Though the company prefers to release patches on a monthly basis to lighten the maintenance burden on administrators, special "out of cycle" updates are sometimes released when a high-risk or widespread security issue is reported.