Microsoft confirmed Friday afternoon that it's investigating reports of a Windows Vista flaw attackers could exploit to compromise PCs by tricking the user into opening a malicious email attachment. The problem reportedly affects Windows Mail on all versions of Vista.
Cupertino, Calif.-based antivirus giant Symantec Corp. warned customers of its DeepSight threat management service early Friday that Vista's native email client will execute any script or program file that has an associated folder by the same name.
"An attacker can deliver an email message containing a malicious link that references a local executable," Symantec said in an email advisory. "If the victim clicks on this link the native program is executed with no further action required."
The vendor said an attacker could potentially exploit the design flaw to delete files or shut down the victim's computer. Other attacks are also possible. However, Symantec noted that the flaw can only be used to execute programs or scripts that natively reside on a computer and also have a folder in place by the same name.
"There is the possibility that an attacker could execute custom malicious binaries, yet they would have to first ensure that a malicious file is placed on a target system by some means," the company said. "To exploit this issue, an attacker must entice an unsuspecting user to click a malicious link in an email."
"Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary," she said in an email exchange. "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs."
She added that users should always be cautious when clicking on links in unsolicited emails. Symantec agreed. "Do not accept or execute files from untrusted or unknown sources," the company advised.
Symantec also recommended users modify their default configuration files to disable any unwanted behavior. "Disabling HTML email capabilities within mail client applications may reduce the likelihood of successful attacks," the company said.
Finally, to reduce the impact of latent vulnerabilities, IT administrators should limit user privileges to the least amount possible. "This can reduce the likelihood of privileged functions being executed," Symantec said.