The flaw could be used by attackers to inject malicious code onto victims' PCs, said Maurycy Prodeus, the Polish security analyst with iSEC Security Research who revealed the vulnerability and posted attack code on Friday.
[ InfoWorld's Roger Grimes explains how to stop data leaks in an enlightening 30-minute Webcast, Data Loss Prevention, which covers the tools and techniques used by experienced security pros. ]
Users running IE7 or the newer IE8 are at risk, said Prodeus.
Microsoft noted it's already on the case. "Microsoft is investigating new public claims of a vulnerability involving the use of VBScript and Windows Help files within Internet Explorer," said Jerry Bryant, a senior manager with the Microsoft Security Response Center (MSRC), in an e-mail Sunday. *The current state of our investigations shows that Windows Vista, Windows 7 , Windows Server 2008, and Windows Server 2008 R2, are not affected."
Bryant added that Microsoft has not yet seen any evidence of attacks exploiting the vulnerability.
Prodeus called the bug a "logic flaw," and said attackers could exploit it by feeding users malicious code disguised as a Windows help file -- such files have a ".hlp" extension -- then convincing them to press the F1 key when a pop-up appeared. He rated the vulnerability as "medium" because of the required user interaction.
"First an attacker needs to force a victim to visit a malicious Web page," Prodeus said in an e-mail Sunday. "The victim must be using Windows XP [and] Internet Explorer. A bit of social engineering is required to persuade the victim to push F1 button when [a] VBScript pop-up is displayed."
Another security researcher, Cesar Cerrudo, confirmed that Prodeus' proof-of-concept exploit works. "I tried the exploit and I can confirm it reliably works on IE8 with Windows XP fully patched," said Cerrudo, the head of Argeniss Information Security, an Argentinean security consultancy.
Cerrudo thought that the flaw was more serious than did Prodeus. "I would say the vulnerability is 'high severity,' not 'medium,'" said Cerrudo in an e-mail. "It's not critical since it needs user interaction, the user pressing F1 key when a message dialog is displayed. [But] I would say that there is a high probability a regular user will press F1 key if asked, since an attacker can annoy the user with hundred of messages telling the user to press F1 to continue."
According to Cerrudo, Prodeus' attack is successful because it abuses the VBScript "MsgBox()" function.
"Windows Help files are included in a long list of what we refer to as 'unsafe file types'," acknowledged Microsoft's Bryant in a follow-up on the MSRC blog later on Sunday. "These are file types that are designed to invoke automatic actions during normal use of the files. While they can be very valuable productivity tools, they can also be used by attackers to try and compromise a system."
Bryant didn't provide a timeline for a fix, but used Microsoft boilerplate in his e-mail to say that the company might address the vulnerability with a regularly-scheduled fix, a so-called "out-of-band" update or other guidance.
Microsoft's next scheduled security release date is March 9.
Although Microsoft has not yet recommended any defensive steps Windows XP users can take until a patch is available, Prodeus said blocking the outbound TCP port 445 would stymie attacks. "However, it is worth to note that blocking this port doesn't solve the problem, because there might be [an]other attacking vector, for example, uploading an arbitrary file to the victim's machine at known path location using some third-party browser plug-ins," he said.
Another workaround, said Cerrudo in a Friday tweet , is to ditch IE for another browser.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com .
Read more about security in Computerworld's Security Knowledge Center.
This story, "New zero-day involves IE, puts Windows XP users at risk" was originally published by Computerworld.