22 November 2005
Information about a new vulnerability in Internet Explorer has just been made public. This can enable code execution on the victim's computer when visiting a malicious web site, as well as when opening malicious emails under certain circumstances.
This issue was originally made public in May this year and was presumed at the time only to be able to crash the browser. Since then, far more severe implications have been discovered.
Since this is a vulnerability where no antidote is available, it has the potential for so-called "day zero attacks". Proof-of-concept program code has already been published on the Internet.
Microsoft has issued a security advisory with more details about this vulnerability. This advisory is available here.
This security advisory from Norman will be updated as more information is made available.
Update 14 December 2005:
In its security update in December 2005, Microsoft released updates that address this vulnerability. More information is available in Microsoft's security bulletin MS05-054 here.
Per Olav Førland
