Microsoft is to issue a fix for a bug in Internet Explorer 7 that leaves users vulnerable to attack.
Members of Microsoft's Secure Windows Initiative team explained the issue in an article posted to a company blog.
The problem exists in IE7's handling of uniform resource indicators (URIs) in Windows XP and Server 2003.
The URI is the first part of an address, used to specify which application runs a file or link. One example is the 'mailto:' command which launches an email client.
After the URI link is clicked, Windows calls a component known as 'ShellExecute' which then runs the URI instructions.
Previous versions of Internet Explorer checked the URI within the browser. If an address was malformed or invalid, the process would fail and the URI would not run.
With the new version of the browser, however, a malformed URI is "cleaned up " in order to be run. This, say researchers, allows attackers to run potentially malicious code hidden within the URI.
The Secure Windows Initiative developers said that a security component prevents Windows Vista from running the URI scripts, protecting IE7 from the attack on Vista. No such protections exist Within IE7 on Windows XP and 2003, however.
The developers believe that the ShellExecute component will need to be redesigned in order to be "more strict" in its handling of URLs.
Microsoft gave no expected release date for the update, and recommended that developers take matters into their own hands to secure their applications in the meantime.
Microsoft seizes control of phishing sites linked with Russian state hackers
Fitness trackers over-estimate the number of steps their users take, analysis of 67 research reports suggests
Everything we think we know about the imminent Apple iPhone 9, iPhone 11 and iPhone 11 Plus launches
All the latest rumours about Apple iPhone Displays, CPUs, launch dates and even prices
Nvidia brings Turing microarchitecture into the high-end gaming segment