The zero-day bug is caused by an input validation error that could allow a remote attacker to execute arbitrary code in the browser of a user while they are on a trusted site, according to an advisory from tracking firm Secunia, which graded the vulnerability "moderately critical."
"The vulnerability may allow a remote, unauthenticated attacker to execute arbitrary script in the context of another domain," said a US-CERT advisory published on Thursday. "This could allow an attacker to take a variety of actions, including stealing cookies, hijacking a web session, or stealing authentication credentials."
The flaw, which does not impact the latest IE browser, version 7, was discovered by a Chinese research group known as Ph4nt0m Security Team.
Users are advised to upgrade to IE7 or disable scripting in the IE6 browser, according to McAfee Avert Labs researchers.
A Microsoft spokeswoman said the company was investigating the issue.
"We're currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," she said. "We will take steps to determine how customers can protect themselves should we confirm the vulnerability."