Researchers at a unit of Verizon Communications claim to have located a security hole in recent versions of Internet Explorer (IE) that could leave users open to remote code attacks.
A white paper published by the researchers targets a security feature that Microsoft (NASDAQ: MSFT) calls "Protected Mode," which is found in IE8 and IE7.
According to Microsoft, Protected Mode is designed to help keep rogue ActiveX controls or browser add-ons from being installed on the user's computer without the user's permission.
However, the white paper, which was written by researchers at Verizon Business, a unit of Verizon Communications (NYSE: VZ), says that the feature has a flaw that, in some circumstances, could let the opposite occur, while the user thought she or he was safe.
"As a result of this research, a bypass of the feature was discovered along with a number of generic attack patterns which must be protected against to prevent future circumvention of the feature," the white paper, entitled "Escaping from Microsoft's Protected Mode Internet Explorer," said.
"A clearer description is that the feature attempts to protect the integrity of the client machine in the event the browser is compromised in an attack and prevent malware from being persisted on the targeted machine," the white paper stated.
"Given the current set of potential ways to bypass Protected Mode's protection by locally escalating from low to medium integrity, it can be concluded that the mechanism currently provides little in the way of reliable protection from remote code execution attacks."
One section of the document describes a "generic" exploit that uses the flaw to elevate an attacker's privileges from low to medium integrity. "One generic and reliable method for escalating privilege from low to medium integrity was discovered which required no user interaction," the white paper said.
While waiting to see whether Microsoft will issue a fix, the white paper recommends making sure that Windows User Account Control (UAC) is not disabled, since disabling UAC also turns off Protected Mode.
Other security suggestions include making sure that PC end users do not have administrator privileges and enabling Protected Mode in all zones where it's possible.
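The following PowerShell audit of those three recommendations is an added example, not part of the white paper or the original article. The registry locations it reads (the `EnableLUA` value for UAC and URL action `2500` for per-zone Protected Mode) are standard Windows settings that the article does not name, and it assumes per-user zone settings with no Group Policy override.

```powershell
# Added example: audit the mitigations listed above on the local machine.
$findings = @()

# 1. UAC must stay on: EnableLUA = 0 disables UAC, and with it Protected Mode.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($lua -ne 1) {
    $findings += "UAC is disabled or not configured (EnableLUA=$lua)"
}

# 2. End users should not be administrators. whoami /groups also lists the
#    Administrators SID (S-1-5-32-544) when UAC has filtered it to deny-only.
if ((whoami /groups) -match 'S-1-5-32-544') {
    $findings += "Current user is a member of the local Administrators group"
}

# 3. Protected Mode per security zone: URL action 2500, 0 = enabled, 3 = disabled.
#    Assumption: per-user settings only; policy keys are not inspected here.
$zones = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
foreach ($id in ($zones.Keys | Sort-Object)) {
    $val = (Get-ItemProperty -Path "$zoneRoot\$id" -Name '2500' -ErrorAction SilentlyContinue).'2500'
    if ($null -eq $val) {
        $findings += "Protected Mode not explicitly set for zone '$($zones[$id])' (zone default applies)"
    } elseif ($val -ne 0) {
        $findings += "Protected Mode is off for zone '$($zones[$id])' (2500=$val)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'All three recommendations are met for this user.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```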
IE Protected Mode has been linked to vulnerabilities once before -- or rather, PCs with Protected Mode turned off were -- back in February.
Microsoft will issue its December patch release on Tuesday.
Microsoft officials disagreed with the white paper's conclusions, saying that Protected Mode was doing the job it was designed for. "Protected Mode is not a security boundary it does not provide direct protection, only a chance for a user to verify an action before it happens," Jerry Bryant, Microsoft group manager for response communications, said in an email to InternetNews.com.
"In order to use this method, an attacker would first need to be able to exploit an unpatched vulnerability on the target computer," Bryant added.
Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of Internet.com, the network for technology professionals. Follow him on Twitter @stuartj1000.