"Such a script might collect user information, for example e-mail, spoof content displayed in the browser or otherwise interfere with the user's experience," said Angela Gunn, a Microsoft security spokeswoman, in a post to the (MSRC) blog.

The vulnerability went public last week when the Chinese Web site WooYun.org published proof-of-concept code.

MHTML is a Web page protocol that combines resources of several different formats -- images, Java applets, Flash animations and the like -- into a single file. Only Microsoft's IE and Opera Software's Opera support MHTML natively: Google's Chrome and Apple's Safari do not, and while Mozilla's Firefox can, it requires an add-on to read and write MHTML files.

Wolfgang Kandek, the chief technology officer at Qualys, pointed out that IE users are most at risk.

"While the vulnerability is located in a Windows component, Internet Explorer is the only known attacker vector," said Kandek in an e-mail message. "Firefox and Chrome are not affected in their default configuration, as they do not support MHTML without the installation of specific add-on modules."