Microsoft released an advisory late Thursday for an exploitable flaw in supported versions of Windows.
Customers running Windows Server 2003 and Windows 2003 Service Pack 1 in their default configurations, with enhanced security configurations turned on, are not affected.
The flaw exists in Windows Shell and is exposed by Web View, according to Microsoft's advisory.
Microsoft was in the midst of a busy week to begin with, fighting off exploits of the VML flaw by releasing an out-of-cycle patch.
Microsoft is aware of proof-of-concept exploit code published for the flaw, but not of any attacks, a company spokesperson said today.
The spokesperson added that Microsoft is working on a patch for its Oct. 10 release.
To infect a PC, a malicious user would have to lure the victim to a specially crafted site, using social engineering to get him or her to click on a link to the attack site.
"The threat landscape for this vulnerability is distinctively different from the former VML vulnerability resulting in an out-of-cycle patch earlier this week," he said. "Additionally, public disclosure of this exploit code occurred after VML attacks. As a result, WebViewFolderIcon is temporarily overshadowed by attackers concentrating on VML attacks while the harvest is fruitful for unpatched machines. WebViewFolderIcon has potential to become a large risk if exploitation ramps up in the wild."
Click here to email Frank Washkuch Jr.