Microsoft has published an advisory regarding a vulnerability that affects all versions of Windows.

It said that the vulnerability in the MHTML handler allows the execution of a cross-site scripting (XSS) attack from a web page going through Internet Explorer. The attack can be used to run JavaScript code on the user's Internet Explorer instance, which gives the attacker a way to get at information stored in the browser and a mechanism to trick users into installing unwanted code through social engineering.

Microsoft said that the vulnerability was originally disclosed by wooyun.org. It is currently investigating the flaw and upon completion it may provide a security update through its monthly release process or provide an out-of-cycle security update, depending on customer needs.

Wolfgang Kandek, CTO of Qualys, said: “While the vulnerability is located in a Windows component, Internet Explorer is the only known attacker vector. Firefox and Chrome are not affected in their default configuration, as they do not support MHTML without the installation of specific add-on modules.” 

Andrew Storms, director of security operations for nCircle, said: “2011 is not off to an auspicious start for Microsoft's security staff. In early January Jonathan Ness posted an explanation of five public security bugs Microsoft was tracking to the SRD blog. Today, just two short weeks later, we have another one to add to the list.

“At first glance today's advisory looks grim because it affects every supported Windows platform. However, even though the proof of concept code is public, carrying out an attack using this complicated cross-site scripting-like bug will not be easy.

“Because of this, attacks are probably not imminent but users should still follow the mitigation advice in the advisory. Locking down the MHTML protocol is likely to have a nominal impact on most users and will go a long way toward protecting their browsing experience.”