A Chinese research team has discovered a zero-day vulnerability in
Internet Explorer 6 that is being actively exploited to conduct
cross-domain scripting attacks.
The zero-day bug is caused by an input validation error that could
allow a remote attacker to execute arbitrary code into the browser of a
user while they are on a trusted site, according to an
advisory
from tracking firm Secunia, which graded the vulnerability "moderately
critical."
"The vulnerability may allow a remote, unauthenticated attacker to
execute arbitrary script in the context of another domain," said a US-CERT
advisory published on Thursday. "This could allow an attacker to
take a variety of actions, including stealing cookies, hijacking a web
session, or stealing authentication credentials."
The flaw, which does not impact the latest IE browser, version 7, was
discovered by a Chinese research group known as Ph4nt0m Security Team.
Users are suggested to upgrade to IE7 or disable scripting in the IE6 browser, according to McAfee Avert Labs researchers.
A Microsoft spokeswoman said the company was investigating the issue.
"We're currently unaware of any
attacks trying to use the claimed vulnerability or of customer impact," she said. "We will
take steps to determine how customers can protect themselves should we confirm
the vulnerability."