A new exploit targeting Internet Explorer was announced by Microsoft yesterday, and Microsoft has released an advisory with information and workarounds.
According to Microsoft's investigation so far, Internet Explorer 5.01 Service Pack 4 and Internet Explorer 8 on all supported versions of Microsoft Windows are not affected. Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6 and Internet Explorer 7 on supported editions of Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, are affected.
The vulnerability exists as an invalid pointer reference in Internet Explorer. Under certain conditions, a CSS/Style object can be accessed after the object is deleted. In a specially crafted attack, Internet Explorer's attempt to access the freed object can lead to running attacker-supplied code.
Security firm Symantec has also confirmed that the vulnerability affects Internet Explorer versions 6 and 7.
On completion of its investigation, Microsoft may provide a solution through its monthly security update release process or through an out-of-cycle security update.