Security researchers said the IE vulnerability has been known for the past six months, but had previously been seen as a conduit for denial-of-service attacks rather than the remote execution of code. DOS attacks, which attempt to crash a system by flooding it with data, are typically considered less-severe security risks.
"The vulnerability itself has been known about for a while, but it was only a problem for a denial-of-service attack that would sometimes cause IE to crash," said Johannes Ullrich, chief research officer for the Sans Institute. "Up until now, no one knew how to mark the code and find it in memory to execute a remote code attack...."
Because the flaw was initially believed to involve only a potential DOS attack, Microsoft never issued a patch for the problem, Ullrich said. He added it is not yet known whether Microsoft will spin out a patch for the flaw immediately or wait for its monthly patch cycle.