Microsoft has issued a rare out-of-band security alert concerning the current version of Internet Explorer. The newly discovered vulnerability affects Windows XP, Server 2003 and Windows 2000 but not Vista, and it does not affect Internet Explorer 6.0 or earlier: it only involves XP/2000/Server 2003 running IE 7.
In a posting to its security blog, Microsoft said the threat presents itself when Windows does not correctly handle specially crafted URLs or URIs that are passed to it.
Internet Explorer 7 updates a Windows component, which modifies the interaction between Internet Explorer and the Windows Shell when handling URLs and URIs. Applications that pass unvalidated URIs or URLs to Windows can be leveraged to exploit this vulnerability.
For an attack to be carried out, a user must trigger an unvalidated, specially crafted URL or URI in an application. For example, a user could click on a link in an e-mail message, which could allow arbitrary code to run in the context of the logged-on user.
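The defensive counterpart to the advisory's point, as an added example that is not Microsoft's code or part of the original post: an application validates a URI before handing it to the operating system's URL handler, rejecting anything that is not a well-formed URI with an expected scheme, or that decodes to quotes, backslashes or control characters. The scheme allowlist and the `dispatch_uri` helper are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed policy (not from the advisory): only these schemes may be handed to the OS handler.
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}

# Characters RFC 3986 permits in a URI once percent-encoding has been applied.
# Anything else (whitespace, double quotes, backslashes, non-ASCII) fails here.
_URI_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")

# A '%' that is not followed by exactly two hex digits is a malformed escape.
_BAD_PCT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def uri_is_safe_for_shell(uri: str) -> bool:
    """Return True only if `uri` is well formed enough to pass to the OS URL handler."""
    if not uri or len(uri) > 2048:
        return False
    if not _URI_CHARS.match(uri):
        return False
    if _BAD_PCT.search(uri):
        return False
    scheme = urlsplit(uri).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False
    # Decode once and look at what the handler would actually see after the
    # encoding layer is removed: control characters, quotes and backslashes are
    # exactly the things a crafted URI relies on to change how it is interpreted.
    decoded = unquote(uri)
    if any(ord(c) < 0x20 or ord(c) == 0x7F or c in '"\\' for c in decoded):
        return False
    return True


def dispatch_uri(uri: str, launcher) -> bool:
    """Validate first, then hand off to `launcher` (e.g. webbrowser.open).

    Returns False, without calling `launcher`, when validation fails.
    """
    if not uri_is_safe_for_shell(uri):
        return False
    launcher(uri)
    return True
```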