Microsoft is to issue a fix for a bug in Internet Explorer 7 that leaves users vulnerable to attack.
Members of Microsoft's Secure Windows Initiative team explained the issue in an article posted to a company blog.
The problem exists in IE7's handling of uniform resource indicators (URIs) in Windows XP and Server 2003.
The URI is the first part of an address, used to specify which application runs a file or link. One example is the 'mailto:' command which launches an email client.
After the URI link is clicked, Windows calls a component known as 'ShellExecute' which then runs the URI instructions.
Previous versions of Internet Explorer checked the URI within the browser. If an address was malformed or invalid, the process would fail and the URI would not run.
With the new version of the browser, however, a malformed URI is "cleaned up " in order to be run. This, say researchers, allows attackers to run potentially malicious code hidden within the URI.
The Secure Windows Initiative developers said that a security component prevents Windows Vista from running the URI scripts, protecting IE7 from the attack on Vista. No such protections exist Within IE7 on Windows XP and 2003, however.
The developers believe that the ShellExecute component will need to be redesigned in order to be "more strict" in its handling of URLs.
Microsoft gave no expected release date for the update, and recommended that developers take matters into their own hands to secure their applications in the meantime.
Cotton seedling freezes to death as Chang'e-4 shuts down for the Moon's 14-day lunar night
Fortnite easily out-earns PUBG, Assassin's Creed Odyssey and Red Dead Redemption 2 in 2018
Meteor showers as a service will be visible for about 100 kilometres in all directions
Saturn's rings only formed in the past 100 million years, suggests analysis of Cassini space probe data
New findings contradict conventional belief that Saturn's rings were formed along with the planet about 4.5 billion years ago