The flaw could be used by attackers to inject malicious code onto victims' PCs, said Maurycy Prodeus, the Polish security analyst with iSEC Security Research who and posted attack code on Friday.

Users running IE7 or the newer IE8 are at risk, said Prodeus.

noted it's already on the case. "Microsoft is investigating new public claims of a vulnerability involving the use of VBScript and Windows Help files within Internet Explorer," said Jerry Bryant, a senior manager with the Microsoft Security Response Center (MSRC), in an e-mail Sunday. *The current state of our investigations shows that Windows Vista, , Windows Server 2008, and Windows Server 2008 R2, are not affected."

Bryant added that Microsoft has not yet seen any evidence of attacks exploiting the vulnerability.

Prodeus called the bug a "logic flaw," and said attackers could exploit it by feeding users malicious code disguised as a Windows help file -- such files have a ".hlp" extension -- then convincing them to press the F1 key when a pop-up appeared. He rated the vulnerability as "medium" because of the required user interaction.