An attacker could send an e-mail with a malicious link that, when clicked on, would execute a program on the PC without warning, according to a description of the problem published Friday on a widely read security mailing list called Full Disclosure. Windows Mail is the successor to Outlook Express, Microsoft's free e-mail client, and ships with Vista.
Microsoft is investigating the issue, a company representative said in an e-mailed statement. "As a best practice, users should always exercise extreme caution when clicking on links in unsolicited e-mail from both known and unknown sources," the representative said.
Depending on what the malicious link tells Windows Mail to do, the threat to Vista users could be significant, said Dave Marcus, security research and communications manager at software maker McAfee. "Theoretically, attackers can do a lot of things; they will be able to pass any command through it," Marcus said.
However, the risk is mitigated because Vista is not widely used, Marcus said. "I don't think they will see a lot of exploitation simply because there is so little Vista deployed," he said. "I think Microsoft would take this seriously and wrap this up in their next patch."
Vista has been available to consumers since late January. Since then, Microsoft has issued one security update for the operating system to repair a "critical" vulnerability in the scanning engine for Windows Defender, the built-in antispyware tool.
Microsoft is not aware of any attacks that actually attempted to use the newly reported Windows Mail vulnerability, it said. Upon completion of its investigation, the company could issue a security update or provide guidance in another way, the representative said.
