Microsoft is warning users and administrators of a new exploit that could allow an attacker to control which sites a user can visit.
The vulnerability lies within the Web Proxy Auto Discover (WPAD) component used to connect a PC to a web proxy server.
Microsoft disclosed the flaw earlier this year and issued a patch. The company has also issued a tutorial for administrators on how to configure DNS servers to prevent attackers from setting up the malicious proxy.
An attacker could exploit the security hole through a specially crafted website or email message that installs a malformed WPAD file on the user's system.
The malicious file then directs the user's PC to connect to a Domain Name System or Windows Internet Names Service server run by the attackers, giving them total control over their internet traffic.
Vince Wong, a group product manager for Symantec, said that the ramifications of a user running through an attacker's proxy would be similar to those of a cross-site-scripting attack.
Users could be redirected to phishing sites or sent to pages that may attempt to exploit other vulnerabilities.
Although there is little danger at the moment, users should install Microsoft's latest patches and keep their security software up to date, he recommended.
"Patching this is highly recommended, and it is almost critical at this point," Wong told vnunet.com.
"Right now it's a low risk, but it's not unimaginable that unsuspecting users could get duped."
Trained on curated data from Moorfields Eye Hospital, the neural networks show clinicians how they reached their decisions
Yokohama National University demonstrate technology that could lead to a fault-tolerant universal quantum computer
Top-of-the-range Threadripper 2990WX now available from Scan, Ebuyer, Overclockers, Novatech and Amazon
Neil Martin of Panda Security discusses Epic Games' decision to avoid the Google Play Store in its Android release of its popular game Fortnite