Ryan Naraine at PC Magazine:
Microsoft plans to release a pre-patch advisory with workarounds for a “highly critical” vulnerability that could put millions of Internet Explorer users at the mercy of malicious hackers.
The advisory, which will be posted here, acknowledges a code execution hole that was discovered and publicly reported by Secunia Research of Copenhagen, Denmark.
“This can be exploited by a malicious Web site to corrupt memory in a way that allows the program flow to be redirected to the heap,” Secunia said in the alert, warning that successful exploitation allows execution of arbitrary code whenever the target visits the rigged Web site.
The advisory has now been posted here. To be completely safe, you need to turn off Active Scripting in IE6 and some betas of IE7. Microsoft is still investigating and will determine later what form a patch will take.
Update: Elinor Mills reports at ZDNet UK that exploit code is already circulating.