Remote-Code Vulnerability Being Exploited in IE 6 and 7
By Jennifer LeClaire
March 9, 2010 1:51PM

A flaw in Internet Explorer versions 6 and 7 is under active attack, Microsoft has warned. An invalid pointer reference in IE lets attackers execute code remotely. Microsoft said Internet Explorer 8 is not affected. Microsoft noted some mitigating factors, including having IE in protected mode and the need to visit a malware site.
 


Older versions of Internet Explorer are under attack. Microsoft warned Tuesday afternoon that cybercriminals are actively exploiting a security vulnerability that lets attackers execute malicious code from remote locations.

Microsoft's internal investigation reveals that the latest version of the browser, Internet Explorer 8, is not affected. Likewise, Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected.

Here's a quick list of affected versions for IT administrators looking to implement a workaround to mitigate the risk: Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7.

"In addition to Microsoft's Patch Tuesday updates today, the company also issued an advisory for a new zero-day vulnerability affecting Internet Explorer," said Josh Talbot, security intelligence manager for Symantec Security Response. "Symantec has observed exploitation of this vulnerability in the wild and has created Trojan.Malscript!html and JS.Downloader detection to mitigate this attack."

The Root of the Problem

Microsoft said the vulnerability exists due to an invalid pointer reference being used within Internet Explorer. Under certain conditions, it's possible for the invalid pointer to be accessed after an object is deleted, according to a March 9 Microsoft security advisory. In a specially crafted attack, Internet Explorer's attempt to access the freed object can be made to allow remote code execution.
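
To illustrate the bug class the advisory describes (a reference used after its object is deleted), here is an added example, not code from Microsoft or from this article: a hypothetical object pool in C where a stale reference silently reads whatever reused the slot, next to a generation-checked lookup that rejects it. All names (`pool`, `obj_new`, `obj_get_checked`) are assumptions for illustration and do not reflect Internet Explorer internals.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SLOTS 4

/* Hypothetical object pool; slot memory is reused after release, like a heap. */
typedef struct { uint32_t gen; int live; char data[16]; } slot_t;
typedef struct { uint32_t idx; uint32_t gen; } handle_t;
static slot_t pool[SLOTS];

/* Allocate the first free slot and return a handle stamped with its generation. */
handle_t obj_new(const char *data) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (!pool[i].live) {
            pool[i].live = 1;
            strncpy(pool[i].data, data, sizeof pool[i].data - 1); /* last byte stays 0 */
            return (handle_t){ i, pool[i].gen };
        }
    }
    return (handle_t){ SLOTS, 0 };  /* pool exhausted: index is out of range */
}

/* Release the slot; bumping the generation invalidates every outstanding handle. */
void obj_delete(handle_t h) {
    if (h.idx < SLOTS && pool[h.idx].live && pool[h.idx].gen == h.gen) {
        pool[h.idx].live = 0;
        pool[h.idx].gen++;
    }
}

/* Unchecked access: trusts the index alone, as a dangling pointer would. */
const char *obj_get_unchecked(handle_t h) {
    return pool[h.idx].data;
}

/* Checked access: returns NULL when the handle refers to a deleted object. */
const char *obj_get_checked(handle_t h) {
    if (h.idx >= SLOTS || !pool[h.idx].live || pool[h.idx].gen != h.gen)
        return NULL;
    return pool[h.idx].data;
}

int main(void) {
    handle_t a = obj_new("element");
    obj_delete(a);                        /* object deleted; 'a' is now stale */
    obj_new("other data");                /* slot reused by unrelated content */
    printf("unchecked: %s\n", obj_get_unchecked(a));
    printf("checked:   %s\n", obj_get_checked(a) ? "valid" : "rejected");
    return 0;
}
```

The unchecked lookup returns the unrelated contents now occupying the slot, while the checked lookup detects the stale reference and refuses it.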

"At this time, we are aware of targeted attacks attempting to use this vulnerability. We will continue to monitor the threat environment and update this advisory if this situation changes," Microsoft said. "On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs."

Mitigating Factors

IT administrators can take heart in the mitigating factors that may protect their organizations from zero-day attacks. First, Microsoft said the protected mode in Internet Explorer on Windows Vista and later Windows operating systems helps to limit the impact of the vulnerability, as an attacker who successfully exploited this vulnerability would have very limited rights on the system.

"In a web-based attack scenario, an attacker could host a web site that contains a web page that is used to exploit this vulnerability. In addition, compromised web sites and web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these web sites," Microsoft said. "Instead, an attacker would have to convince users to visit the web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's web site."

By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. Microsoft said this mode sets the security level for the Internet zone to high. This is a mitigating factor for web sites that have not been added to the Internet Explorer trusted sites zone.

Finally, supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the restricted sites zone by default. Microsoft said this removes the risk of an attacker being able to use this vulnerability to execute malicious code.
 

© Copyright 2000-2010 NewsFactor Network. All rights reserved.