The hole, if left unpatched, could allow remote attackers to take control of Windows XP machines running Service Pack 2 and Internet Explorer 6 using silent attacks that are launched from malicious Web pages.

The remotely exploitable hole can be used to compromise fully patched Windows XP SP2 computers and there is no way to block attacks, according to Tom Ferris, the independent researcher who found the vulnerability.

News of the critical, unpatched hole comes just weeks after a report on another critical Windows hole from Ferris, who uses the online name "badpack3t."

"It's a pretty nasty flaw," Ferris said on Tuesday.

"If a user visits a malicious Web site, the [attack] code can be executed without them even knowing about it—there's no pop-up or crash screen," he said.

Microsoft Corp. acknowledged in an e-mail that it received Ferris's report and is "aggressively investigating" the flaw.

The Redmond, Wash., company is not aware of attacks that try to use the reported vulnerabilities or of any customer impact, according to a company spokesperson.

Ferris declined to give details about where in IE he found the hole, but said it is not a variant of other known flaws in the widely used Web browser.

"It's not like any other flaw in IE—it's definitely different," Ferris said.

Click here to read about test versions of Internet Explorer 7.0.

Ferris, an independent security researcher who lives in Mission Viejo, Calif., and operates the SecurityProtocols.com Web site, said he told Microsoft about it on Aug. 14 using the secure@microsoft.com e-mail address and has exchanged e-mail with a company researcher since then, but hasn't heard anything from the company in a week.

He said staff at Microsoft appeared to be struggling to understand the flaw.

Read the full story on TKTK: Microsoft Investigates New IE Hole

Discuss Microsoft Investigates New IE Hole   >>> Be the FIRST to comment on this article!

>>> More Web Design Articles          >>> More By Paul F. Roberts