Microsoft warns of new Windows zero-day bug

Microsoft today warned Windows users of a new unpatched vulnerability that attackers could exploit to steal information and dupe people into installing malware.

In a issued Friday, Microsoft acknowledged that a bug in Windows' MHTML (MIME HTML) protocol handler can be used by attackers to run malicious scripts within Internet Explorer (IE).

"The best way to think of this is to call it a variant of a cross-side scripting vulnerability," said Andrew Storms, director of security operations at nCircle Security.

Cross-site scripting bugs, often shortened to XSS, can be used to insert malicious script into a Web page that can then take control of the session.

"An attacker could pretend to be the user, and act if as he was you on that specific site," said Storms. "If you were at or, he could send e-mail as you."

Microsoft elaborated on the threat.