Internet Explorer users are at risk from a newly discovered and unpatched vulnerability in older versions of Microsoft's browser.

A security flaw involving a dangling pointer in Microsoft's HTML Viewer (mshtml.dll) creates a possible mechanism for hackers to crash the browser and inject malware, providing they can trick marks into visiting maliciously constructed sites designed to exploit the vulnerability. Poor reliability exploits targeting the flaw were posted on underground websites late last week. Better quality attacks are more than likely to follow.

Tests by Symantec have confirmed the 0-day flaw affects Internet Explorer 6 and 7. IE8 users are reckoned to be in the clear.

Surfers using older versions of IE (why the heck is anyone still using IE6 anyway?) are advised to disable JavaScript and to stay away from untrusted websites. Alternatively they could upgrade to IE8 or use an alternative browser instead.

More on the threat can be found in a write-up by the SAN Institute's Internet Storm Centre here. ®

Related stories

• Updated Browsium rescues HMRC from IE6 – and multimillion-pound bill (4 April 2012)
• MS to release emergency IE fix on Tuesday (29 March 2010)
• Anti-Internet Explorer 6 protests grow with online petition (2 February 2010)
• UK.gov unmoved by Internet Explorer 6 security concerns (1 February 2010)
• British government ignores MS browser fears (18 January 2010)
• Zero-day IE fix stars in last Patch Tuesday of the decade (4 December 2009)
• Zero-day fixes star in biggest ever Patch Tuesday (9 October 2009)
• Updated Unpatched Firefox flaw lets fox into henhouse (14 July 2009)
• Windows users ambushed by attack on fresh IE flaw (6 July 2009)
• Updated Unofficial patch plugs 0-day Adobe security vuln. (24 February 2009)
• Microsoft issues emergency patch warning for IE (16 December 2008)
• IE zero day bites broader group of users (12 December 2008)
• Updated In-the-wild attacks find hole in (fully-patched) IE 7 (9 December 2008)