Microsoft yesterday announced a zero-day exploit that affects Internet Explorer. The Zero Day Security weblog describes it well:
"A UK group known as 'Computer Terrorism' has released a proof of concept zero day exploit for fully patched Windows systems running Internet Explorer 5.5 & 6.x that takes advantage of a previously known JavaScript vulnerability. Microsoft Security Advisory 911302 covers the essentials. The only Windows systems seeming not affected are Windows Server 2003 and Windows Server 2003 with SP1.
"Of course, to be compromised the user must first browse to a malicious web site. According to Computer Terrorism: Contrary to popular beliefs, the aforementioned security issue is susceptible to remote, arbitrary code execution, yielding full system access with the privileges of the underlying user.
"Several informative sites include Microsoft, FrSIRT, MITRE, US-CERT, InfoWorld, eWeek and SANS (which suggests disabling Java or using another browser and has a BleedingSnort Rule on their site).
"Get ready for a patch blast from Microsoft on this one."
Microsoft's comments have been updated with the latest information. From their Security Advisory 911302 information page:
"...We have also been made aware of proof of concept code targeting the reported vulnerability but are not aware of any customer impact at this time. We will continue to investigate these public reports.
"Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
"This issue was originally publicly reported in May as being a stability issue that caused the browser to close. Since then, new information has been posted that indicates remote code execution could be possible. Microsoft is concerned that this new report of a vulnerability in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk. We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests..."