Details of a vulnerability in Microsoft's Internet Explorer (IE) browser were released today after a 30-day 'cooling off' period to allow users to install the patch.
Depending on who you talk to, the bug reported on security mailing lists on 14 December is either the biggest hole ever to be found in IE or just an everyday glitch.
But the crux of the vulnerability is that by simply placing the characters %00, otherwise known as a null byte, into a filename on a maliciously configured web server, a user could be tricked into opening dangerous content.
Online Solutions, the security firm credited with discovering the flaw, explained that a filename such as 'README.TXT%00PROG.EXE' would appear to open Readme.txt but, in reality, could open the potentially malicious Prog.exe.
Combine this with another issue in the content disposition header and Mime type, and the browser could be tricked into downloading and running a program without any download dialogs or warnings at all.
Microsoft has acknowledged that IE versions 5.5 and 6 are vulnerable and has given the flaw a 'critical' rating.
Cotton seedling freezes to death as Chang'e-4 shuts down for the Moon's 14-day lunar night
Fortnite easily out-earns PUBG, Assassin's Creed Odyssey and Red Dead Redemption 2 in 2018
Meteor showers as a service will be visible for about 100 kilometres in all directions
Saturn's rings only formed in the past 100 million years, suggests analysis of Cassini space probe data
New findings contradict conventional belief that Saturn's rings were formed along with the planet about 4.5 billion years ago