Microsoft warns of new Windows zero-day bug

28.01.2011
Microsoft today warned Windows users of a new unpatched vulnerability that attackers could exploit to steal information and dupe people into installing malware.

In an advisory issued Friday, Microsoft acknowledged that a bug in Windows' MHTML (MIME HTML) protocol handler can be used by attackers to run malicious scripts within Internet Explorer (IE).

"The best way to think of this is to call it a variant of a cross-site scripting vulnerability," said Andrew Storms, director of security operations at nCircle Security.

Cross-site scripting bugs, often shortened to XSS, can be used to insert malicious script into a Web page that can then take control of the session.

"An attacker could pretend to be the user, and act as if he was you on that specific site," said Storms. "If you were at Gmail.com or Hotmail.com, he could send e-mail as you."

Microsoft elaborated on the threat.