Reports have begun circulating online that the flaw could give a remote attacker access to the user's computer. Windows Mail is an e-mail and newsgroup client that Microsoft built and dropped into its Windows Vista operating system.
"Microsoft is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time," said a Microsoft spokesman in an e-mailed response to an InformationWeek inquiry. "Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs."
The spokesman then warned users to always use "extreme caution" when clicking on links in unsolicited e-mail from known and unknown sources.
A hacker known as "Kingcope" published proof-of-concept code to show that remote code execution is possible if a user clicks on a maliciously prepared link.
"Vista's Mail Client will execute any executable file if a folder exists with the same name," wrote Kingcope on the Web page. "For example, the victim has a folder in C:\ named blah and a batch script named blah.bat also in C:\. Now if the victim clicks on a link in the e-mail message with the URL target set to C:\blah, the batch script is executed without even asking."
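The precondition Kingcope describes is a folder and an executable with the same base name sitting side by side. The following audit script, added here as an example and not taken from the article or from Kingcope's proof of concept, walks a directory tree and reports such collisions so an administrator can find and rename them; the set of executable extensions is an assumption modelled on the default Windows PATHEXT list, and the sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile

# Extensions Windows treats as directly runnable (assumption: modelled on the
# default PATHEXT set). The article's example uses .bat.
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".wsf"}


def find_shadowed_dirs(root):
    """Return sorted (directory, executable) pairs where a directory has a
    sibling executable whose base name equals the directory name.
    The comparison is case-insensitive, as on NTFS and FAT volumes."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Index the executables in this directory by lower-cased base name.
        execs = {}
        for fname in filenames:
            stem, ext = os.path.splitext(fname)
            if ext.lower() in EXEC_EXTS:
                execs.setdefault(stem.lower(), []).append(fname)
        # Any folder whose name matches an indexed executable is a hit.
        for dname in dirnames:
            for fname in execs.get(dname.lower(), []):
                hits.append((os.path.join(dirpath, dname),
                             os.path.join(dirpath, fname)))
    return sorted(hits)


def build_demo_tree():
    """Constructed sample layout mirroring the quoted example: a folder
    'blah' beside 'BLAH.bat' (case differs on purpose), plus a harmless
    'docs' folder beside 'docs.txt' that must NOT be reported."""
    root = tempfile.mkdtemp(prefix="winmail_audit_")
    os.mkdir(os.path.join(root, "blah"))
    os.mkdir(os.path.join(root, "docs"))
    with open(os.path.join(root, "BLAH.bat"), "w") as f:
        f.write("@echo constructed sample, performs no action\n")
    with open(os.path.join(root, "docs.txt"), "w") as f:
        f.write("not executable\n")
    return root


if __name__ == "__main__":
    # Point find_shadowed_dirs at a real drive root to audit a machine.
    demo = build_demo_tree()
    for folder, exe in find_shadowed_dirs(demo):
        print(f"folder {folder} shares its name with executable {exe}")
```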
Microsoft's spokesman said if customers think they have been affected by this, they can contact Product Support Services, through either 1-866-PCSAFETY or at this Web site.