Microsoft released an advisory on Wednesday for a URI and URL handling flaw in Windows XP and Server 2003 operating systems with Internet Explorer 7 (IE7) installed. The corporation revealed that it is working on a patch for the issue, and is not aware of any attacks exploiting the flaw.
Mark Miller, Microsoft director of security response communications, said in a statement that a remote attacker could take control of a PC by tricking a user into clicking on an emailed link.
“In order for this attack to be carried out, a user must trigger an unvalidated, specially crafted URL or URI in an application,” he said. “For example, a user could click on a link in an email message, which could allow arbitrary code to be run in the context for the logged-on user.”
The vulnerability exists because IE7 updates a Windows component, changing how the browser and the Windows shell interact when handling URLs and URIs. According to Microsoft's advisory, applications such as browsers that pass URIs or URLs on to Windows for handling can be leveraged for exploitation.
The vulnerability does not exist on PCs running Windows Vista, or those that do not have IE7 installed.
Jonathan Ness, a member of the Secure Windows Initiative Team, said on the Microsoft Security Response Team blog that the software giant is working on a fix, noting that the issue “is not a vulnerability in any specific protocol handler.”