The flaw was reported to the company earlier this month by Jeffrey van der Stad, a 25-year-old Dutch programmer. The problem is related to the way the browser processes so-called HTA files, Microsoft said in an e-mailed statement. HTA files are associated with Web applications.
The vulnerability affects Internet Explorer 6 on Windows 98, Windows XP and Windows 2003 Server, according to Van Der Stad's Web site. "With this vulnerability it is possible to run an hta file without the user's permission," he wrote.
Initially, Van Der Stad provided more details on his Web site, but he removed those at Microsoft's request, he wrote. A proof-of-concept exploit will be published when Microsoft issues a fix for the problem, he wrote.
Microsoft is investigating the issue, the company said. At this time, the company is not aware of any attacks attempting to use the reported vulnerability, it said.
Once it completes its inquiry, Microsoft said, it may issue a security advisory or provide a patch through its monthly release process. On his Web site, Van Der Stad wrote that Microsoft told him a fix is in the works.
This is the second IE flaw within a week that Microsoft has said it is investigating and may issue a patch for. On Monday the company said it was looking into a bug that could cause the browser to crash. Microsoft's next scheduled Patch Tuesday is on April 11.