Attackers are using a new, unpatched security flaw in Internet Explorer to compromise machines running a number of versions of Windows, including Vista.
Microsoft has confirmed the attacks that affect Internet Explorer 7, Vista and other versions of the operating system in a security advisory .
"Microsoft is investigating new public reports of targeted attacks exploiting a vulnerability in the way Windows handles animated cursor (.ani) files," the company said in its advisory. "In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted email message or email attachment sent to them by an attacker."
The French Security Incident Response Team (FrSIRT) said in an advisory that the problem is a memory corruption error that surfaces when the operating system renders malformed cursors, animated cursors or icons. Attackers could exploit this to run malicious commands on a victim's machine. The flaw affects:
- Windows 2000 Service Pack 4
- Windows XP Service Pack 2
- Windows XP 64-Bit Edition Version 2003 (Itanium)
- Windows XP Professional x64 Edition
- Windows Server 2003
- Windows Server 2003 (Itanium)
- Windows Server 2003 Service Pack 1
- Windows Server 2003 SP1 (Itanium)
- Windows Server 2003 x64 Edition
- Windows Vista
- Internet Explorer 6
- Internet Explorer 7
"As a best practice, users should always exercise extreme caution when opening or viewing unsolicited emails and email attachments from both known and unknown sources," Microsoft said, adding that Windows Live OneCare's safety scanner has been updated to remove any malware that exploits the flaw.
Microsoft acknowledged last week that it's investigating reports of another flaw in Vista.
That flaw reportedly affects Windows Mail on all versions of Vista. Cupertino, Calif.-based antivirus giant Symantec Corp. said attackers could potentially exploit a design flaw to delete files or shut down the victim's computer.