A bug that emerged last month in Microsoft's IIS server software appears also to point to a widespread cross-site scripting (XSS) problem with Internet Explorer, according to the SANS Institute.

In a Thursday advisory, SANS' Internet Storm Center (ISC) said a bug Microsoft warned of in September affects more users than is immediately apparent. Last month, in update MS06-053, Microsoft fixed a bug in Windows' Indexing Service that could allow attackers to steal information from a user's system via a cross-site scripting attack.

However, the Indexing Service problem may be "the tip of the iceberg", according to SANS. Microsoft's advisory indicates there's also a problem with IE that allows the attacks to work, and recommends users turn off IE's automatic page encoding detection as a workaround.

"The confusion is really if this is a server problem or a client problem," the ISC's Swa Frantzen said in an advisory. "There is no ignoring that you do not need an Indexing Service, nor an IIS server in the picture, in fact all you need is Microsoft's browser."

The loophole in IE introduced by the way it handles page encoding auto-detection could be exploited relatively simply for cross-site scripting attacks, Frantzen said.

"Not giving encoding back and including some seemingly innocent strings... - based on user input - is enough to create a XSS vulnerability for visitors using MSIE," he wrote.

Microsoft downplayed the threat, saying that users are only at risk if they visit untrusted or compromised Web sites.

SANS recommends disabling page encoding auto-detection in IE, and gives instructions on how to do so in its advisory.