Microsoft has warned of a Windows zero-day vulnerability, affecting all versions of the operating system.
The Redmond giant said it had seen a proof-of-concept attempting to exploit the vulnerability, which could conceivably harm Internet Explorer users on Windows.
Nothing has been seen yet in the wild.
The flaw resides in the MIME Encapsulation of Aggregate HTML protocol handler, used by applications to render certain kinds of documents.
"An attacker could construct an HTML link designed to trigger a malicious script and somehow convince the targeted user to click it," Angela Gunn, from Microsoft's Trustworthy Computing division, hypothesised in a blog post.
"When the user clicked that link, the malicious script would run on the user's computer for the rest of the current Internet Explorer session. Such a script might collect user information (e.g. email), spoof content displayed in the browser, or otherwise interfere with the user's experience."
A patch has not yet been offered but Microsoft has issued a workaround in its advisory for administrators to ensure nothing goes awry.
"The workaround we are recommending customers apply locks down the MHTML protocol and effectively addresses the issue on the client system where it exists," Gunn added.
"We are providing a Microsoft Fix-it package to further automate installation."
Microsoft did not confirm when a patch would be released, but said it was working on an update to address the vulnerability.
Just earlier this month, Microsoft warned about yet another zero-day flaw affecting Windows.
The vulnerability, affecting the Windows Graphics Rendering Engine, could have allowed malware to be installed on a computer if users viewed a malicious image in a browser or document.
-
Hounslow Council partners with Amazon Web Services (AWS) to build resilience and transition away from legacy techSpomsored One of the most diverse and fastest-growing boroughs in London has completed a massive cloud migration project. Supported by AWS, it was able to work through any challenges
-
Salesforce targets better data, simpler licensing to spur Agentforce adoptionNews The combination of Agentforce 360, Data 360, and Informatica is more context for enterprise AI than ever before
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
