The vulnerability exists as an invalid pointer reference of Internet Explorer. It is possible under certain conditions for a CSS/Style object to be accessed after the object is deleted. In a specially-crafted attack, Internet Explorer attempting to access a freed object can lead to running attacker-supplied code.
Security firm Symantec has also confirmed that it affects Internet Explorer versions 6 and 7.
On completion of Microsoft's investigation, the conmpany may include providing a solution through its monthly security update release process, or an out-of-cycle security update.