Microsoft issued a warning about a newly discovered security vulnerability that affects the MHTML component of Internet Explorer. The flaw could be abused to inject code that runs in the same security context as Internet Explorer. All versions of Windows, including Windows 7, are affected. The vulnerability is not thought to be under active exploitation, but sample attack code was recently published in a Chinese-language security magazine.
According to Microsoft's recently published Security Advisory, the vulnerability stems from the way MHTML interprets certain MIME-format requests for portions of a document. By modifying the requests in a certain way, an attacker can inject code to be run on the client's system in the same security context as Internet Explorer.
The company warns that the flaw could be used to spoof website content, disclose information from the victim's computer, and interact with websites without user input.
Microsoft has not yet decided whether an update will be provided through the monthly release process or as an out-of-cycle update. Temporary fixes are described on Microsoft's website.