IE Cross-site Scripting Bug

It appears that Microsoft's Internet Explorer 6.0 has another critical bug that cyber-criminals may use to capture keystrokes and steal confidential information. The bug is somehow connected with the cross-site scripting mechanism, but Microsoft seems reluctant to comment on the matter.
This problem with Internet Explorer 6.0 was first discussed at Microsoft's on-site Blue Hat security conference last month. Manuel Caballero, a former Microsoft employee, said he had found a way to capture any browser action, including the keystrokes typed when entering a password. Moreover, the vulnerability may be exploited in all browsers that display Flash animation, with the exception of Internet Explorer 7, Caballero said.
A McAfee specialist explained that the vulnerability is an input validation error that is triggered when handling the 'location' or 'location.href' property of a window object. A malicious Web site may use the vulnerability to open a trusted site and run arbitrary script code in the user's browser session in the context of the trusted site.
Until Microsoft produces a patch for the older browser, users should update to IE7, but it seems that it will take Microsoft some time to come up with a solution.
Last Updated ( Saturday, 28 June 2008 )