Microsoft says a serious zero-day flaw affecting Internet Explorer 6 and 7 is being actively exploited by attackers.
The vulnerability was announced on Tuesday (9 March), the same day that Microsoft released its monthly patches, distributing two patches to address eight vulnerabilities in Windows and Microsoft Office. Microsoft ranked both patches as “important”.
Microsoft said it is investigating public reports of the flaw in IE6 and IE7, which could allow an attacker to execute malicious code remotely on a user’s system – for instance, by tricking the user into visiting a malicious web page.
The latest version of the browser, IE8, is not affected by the flaw, nor is IE5.01 Service Pack 4 on Windows 2000 Service Pack 4, Microsoft said in an advisory.
The company also noted that all supported versions of Microsoft Outlook, Microsoft Outlook Express and Windows Mail open HTML email messages in the Restricted Sites zone, meaning an attacker would not be able to carry out an attack via an email message.

