Microsoft has confessed to a three-year-old critical vulnerability affecting Windows XP that has yet to be fixed.
Proof-of-concept attack code has already been posted on a Polish security website, but Microsoft said it is not yet aware of any end users being hit by the crack.
The zero-day vulnerability was publicly disclosed on Friday, but the researcher behind the finding said that it was first discovered over three years ago, in February 2007.
The hack requires the user to press the F1 key in response to a dialogue box popped up by a web page controlled by the attacker, according to Microsoft security communications manager Jerry Bryant.
The attacker can then execute the malware of their choice on their victim's machine. The vulnerability is in Windows Help, and how it interacts with VBScript, according to iSec Security Research, which disclosed the bug. While Windows XP has been found vulnerable, newer versions of the OS are thought safe.
Microsoft also took the opportunity today to engage in a bit of finger-wagging against iSec, with Bryant deploying Microsoft's boilerplate warning about the risks of irresponsible disclosure.