A newly discovered threat that doesn't yet have any patch can allow for a Web-based attack against up-to-date Internet Explorer 6 and 7 browsers, according to security companies.

Both Symantec and Vupen Security have posted alerts about the bug, which involves the way IE handles cascading style sheets, or CSS. According to the posts, browsing a Web site with embedded attack code would trigger the assault. The site could be a specifically created malicious site, or one that was hijacked and had the attack code inserted.

According to Vupen's post, the flaw affects both IE 6 and 7 on a fully patched XP SP3 computer and could allow for running any command on a vulnerable system, such as installing malware. There aren't yet any reports of active attacks, but exploit code is publicly available.

More: http://pcworld.com/article/182860/