Microsoft investigates new bug

Microsoft is investigating an unpatched bug in VBScript that hackers could exploit to plant malware on Windows XP machines running Internet Explorer.

The flaw threatens users of Internet Explorer 7 and 8, and could be used by attackers to inject malicious code onto victims' PCs, said the security researcher who revealed the vulnerability and posted attack code on Friday.

Microsoft responded on its Security Response Center (MSRC) blog, confirming that it is investigating the issue. The post said that "users running Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista, are not affected".

"The issue in question involves the use of VBScript and Windows Help files in Internet Explorer. Windows Help files are included in a long list of what we refer to as 'unsafe file types'", the article said. The flaw "could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop up dialog box".

Microsoft was not aware of attacks exploiting the bug. The software giant urged researchers "to report vulnerabilities directly to vendors without further disclosure".

Sources: Computerworld, Microsoft.