Microsoft late Wednesday issued a security advisory warning about a dangerous command execution vulnerability affecting users of Windows XP and Windows Server 2003 with the latest version of Internet Explorer installed.
Mark Miller, director of security response communications for Microsoft, said the software giant is investigating public reports of the remote code execution vulnerability. Miller said Microsoft is not aware of active attacks that try to use the reported vulnerability, or of any customer impact.
"Microsoft is continuing to track this issue through the Software Security Incident Response Process and working on a security update to resolve it," Miller said.
In its security advisory, Microsoft said a flaw in Windows XP and Server 2003 fails to properly validate URIs and URLs, allowing an attacker to execute arbitrary commands. If Internet Explorer 7 is installed, malicious URIs may be passed through it via several third-party applications, such as Adobe Acrobat Reader, mIRC, Mozilla Firefox, Skype or Miranda IM.
For an attack to be carried out, an attacker must embed a malicious URI in a Web page or email and trick the user into following the link.
Additional information about the flaw can be found at the Microsoft Security Response Center blog. The response center team called the vulnerability extremely complex and said they have been studying the issue since it was first reported in July.
The vulnerability was first discovered in July by independent security researcher Billy Rios, who said on his blog that the vulnerability could be delivered through the Firefox browser.
As a result of the latest advisory, Cupertino, Calif.-based antivirus giant Symantec Corp. maintained its ThreatCon at Level 2. It was raised to Level 2 earlier in the week as a result of four updates released as part of Microsoft's monthly batch of patches to address critical vulnerabilities.
"Users are advised to be wary of any suspicious or unsolicited documents and are urged not to blindly follow any links received via email or instant messaging," Symantec said in its advisory.

Microsoft released its monthly security update on Tuesday, issuing four updates that address critical vulnerabilities attackers could exploit to run malicious code on targeted machines. IT administrators said attackers are most likely to go after the flaws outlined in Microsoft's MS07-057 bulletin, which fixes four different flaws, the most serious of which could allow remote code execution if a user views a specially crafted Web page using IE.
Senior News Writer Bill Brenner contributed to this report.