Microsoft confirms zero day bug

Software giant Microsoft has confirmed it’s investigating an unpatched Windows XP bug that allows hackers could exploit to plant malware on Windows XP machines running Internet Explorer.

Maurycy Prodeus, the Polish security analyst with iSEC Security Research announced on Friday that the flaw could be used by attackers to inject malicious code onto victims’ PCs.

Those using Windows XP and IE7 or IE8 are at risk, Prodeus warned.

Redmond said that it is investigating the vulnerability involving the use of VBScript and Windows Help files within Internet Explorer.

Jerry Bryant, a senior manager with the Microsoft Security Response Center (MSRC) has confirmed that Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2, are not affected.

He did say that Redmond has not seen the attack exploited yet.

The bug is a “logic flaw,” which attackers could exploit it by feeding users malicious code disguised as a Windows help file. It then convinces them to press the F1 key when a pop-up appeared.

It is a bit tricky to pull off because the attacker needs to force a victim to visit a malicious Web page.

Other insecurity experts have confirmed that the exploit works.