Fully patched Windows systems may be at risk from an unpatched, high-risk security hole affecting the latest version of Internet Explorer.
The bug, reported by security researcher Tom Ferris on his website, security-protocols.com, affects Internet Explorer 6 on a fully-patched Windows Server 2003 and Windows XP with Service Pack 2.
FrSIRT, the French Security Incident Response Team, confirmed the report and gave the flaw a "critical" rating, its most severe.
An attacker could exploit the bug to execute malicious code and take over a user's system, Ferris said. He said the attack works via a specially crafted Web page, doesn't need any user interaction and doesn't give the user any warning that code has been executed. The bug isn't related to previous Explorer flaws, Ferris said.
Microsoft has confirmed it is investigating the flaw, but hasn't yet said what action it will take, if any. Possible actions could include a patch included with the company's monthly patching cycle, or an out-of-cycle patch, if warranted, Microsoft said in a statement.
As of Wednesday afternoon, the company hadn't yet issued an advisory of its own, a relatively new practice it reserves for unpatched bugs.
Ferris said he won't release any more details of the flaw until Microsoft has fixed the problem, but wanted to warn Explorer users of the existence of a serious, unpatched bug. Ferris provided Microsoft with details of the vulnerability, and published a screenshot displaying the use of the hole to crash Explorer.
Ferris has recently disclosed remotely exploitable flaws involving Windows' Remote Desktop Protocol and AOL Instant Messenger buddy icons.