Microsoft finds new critical flaw in Windows

Microsoft has issued a warning about a bug in Windows that could leave all versions of the OS vulnerable to nefarious exploits.

The flaw in Windows' handling of some MHTML routines could allow a remote attacker to gain access to users' PCs. The vulnerability exists in all current versions of Windows, from XP to Windows 7 and including Windows Server 2008.

Microsoft confessed that the vulnerability could allow an attacker to trigger malicious scripts on a remote machine, through a dodgy web site, possibly resulting, it says, in 'information disclosure'. Microsoft said it is aware of published information and proof-of-concept code that attempts to exploit the flaw but says it has not yet seen any active exploitation of the code.

The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. Under certain conditions an attacker could inject a client-side script in the response of a Web request run in the victim's Internet Exploder.

The firm said it is trying to come up with a work-around and hopes to devise a patch in due course. Meanwhile, users should follow its general guidelines in the hope of staying safe while surfing.

There more information on Microsoft's security page here.