Microsoft disclosed on Wednesday that Internet Explorer (IE) suffers from an unpatched vulnerability that could lead to information exposure.
The bug, which affects machines running Windows XP or those that have disabled IE's Protected Mode, can allow an attacker to access files containing an already-known name and location, according to an advisory from Microsoft.
The software giant admitted to the vulnerability after researchers at Core Security Technologies, a provider of penetration testing software, revealed the issue during a presentation this week at the Black Hat conference in Washington, D.C. The talk, titled "Internet Explorer turns your personal computer into a public file server", was delivered by Core engineer Jorge Luis Alvarez Medina.
Medina could not immediately be reached for comment on Wednesday.
The flaw is caused by "content being forced to render incorrectly from local files in such a way that information can be exposed to malicious websites", the advisory said.
Microsoft is not aware of any active attacks. IE running on newer versions of Windows is not affected.
"Customers running Internet Explorer 7 or Internet Explorer 8 in their default configuration on Windows Vista or later operating systems are not vulnerable to this issue as they benefit from Internet Explorer Protected Mode, which protects from this issue," Jerry Bryant, senior security program manager at Microsoft, said on Wednesday in a blog post.
He encouraged customers to upgrade to IE 8.
Bryant did not say when customers should expect a patch. Microsoft's next round of fixes is due out on Tuesday.
"As with any update, we have to balance overall quality and ensure application compatibility before we release it," he said.