Microsoft warns of zero-day Windows Shell flaw

The latest Windows flaw could allow remote code execution

Microsoft has issued IT managers with a new advisory concerning the security of its Windows operating system.

So far the firm is only investigating reports of the vulnerability, which it said could affect a range of Windows products.

Microsoft explained in a security advisory that the vulnerability is caused by the way Windows parses shortcuts.

The firm added that the operating system does this "in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut".

The list of possibly susceptible systems includes Windows XP Service Pack 3, Windows Vista Service Pack 1 and Service Pack 2, and Windows 7 for 32-bit and 64-bit systems, but not XP Service Pack 2 or Windows 2000.

The fact that the last two are not mentioned drew the attention of Wolfgang Kandek, chief technology officer at security company Qualys, who suggested that this might cause more problems.

"Microsoft ended support for both operating systems last Tuesday," he said. "We assume the attack works against both of them, and attackers will surely take advantage of this security hole," he said in a blog post.

"We recommend upgrading your existing Windows XP SP2 installations to SP3 as soon as possible."

Companies still using Windows 2000 would face a "bigger hurdle", Kandek added, as this would require them to upgrade their operating system wholesale if they are to avoid falling foul of the bug.

Microsoft admitted that it is investigating reports of exploits already being used, and warned that, if an attack is successful, the miscreant responsible would be able to take over user rights on the computer.

In the absence of a security patch, which could follow shortly, Microsoft has released information on workarounds.