Microsoft has released its monthly security update with a patch for a new vulnerability in Windows Explorer, rated "important," that can allow remote code execution. Windows 2000 SP3 and SP4 are affected; Windows XP and Windows Server 2003 are not.
The flaw also exists in Windows 98, Windows 98 SE and Windows Millennium Edition, but Microsoft no longer provides security updates for those older operating systems unless a vulnerability is rated "critical," so no patch is available for them.
Microsoft Security Bulletin MS05-024 says the patch fixes a remote code-execution vulnerability in Web View, the feature of Windows Explorer, the operating system's file manager, that displays information about the selected file in the folder pane. The flaw lies in the way Web View handles certain HTML characters in its preview fields: markup placed in a field is interpreted rather than shown as text.
Microsoft rates the vulnerability as "important," the second-highest level of its four-level Maximum Severity Rating system (Critical, Important, Moderate, Low).
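The bug class the bulletin describes, untrusted file metadata copied into a preview pane's HTML without escaping, is easier to see in code. The following is an added illustration, not Microsoft's Web View implementation and not code from the bulletin: it renders a constructed set of file properties (the field names "name", "title" and "author" and the sample values are assumptions) once the vulnerable way and once with the characters escaped, and includes a small check that flags the markup that slipped through.

```python
import html
import re

# Constructed sample: the file properties an attacker-supplied document might
# carry. The "author" field holds markup instead of a name.
SAMPLE_PROPERTIES = {
    "name": "quarterly-report.doc",
    "title": "Quarterly report",
    "author": '<img src="x" onerror="alert(document.location)">',
}

PREVIEW_FIELDS = ("name", "title", "author")

# The only tags the preview template itself emits; anything else in the
# rendered pane must have come from a property value.
TEMPLATE_TAGS = {"div", "p"}
TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)")


def render_preview_unescaped(props):
    """Vulnerable rendering (illustration only): property values are
    concatenated into the pane's HTML verbatim, so '<', '>', '"' and '&'
    in a field become live markup when the pane is displayed."""
    body = "".join(f"<p>{field}: {props[field]}</p>" for field in PREVIEW_FIELDS)
    return f"<div class='preview'>{body}</div>"


def render_preview_escaped(props):
    """Hardened rendering: every value passes through html.escape, so the
    same bytes are shown as text and no tag or attribute can be injected."""
    body = "".join(
        f"<p>{field}: {html.escape(props[field])}</p>" for field in PREVIEW_FIELDS
    )
    return f"<div class='preview'>{body}</div>"


def injected_tags(rendered):
    """Return the tag names present in a rendered pane that the template
    never emits, i.e. markup that originated in a property value."""
    found = {m.group(1).lower() for m in TAG_RE.finditer(rendered)}
    return sorted(found - TEMPLATE_TAGS)


def suspicious_fields(props):
    """Triage helper: list the preview fields whose raw value contains
    something that looks like an HTML tag."""
    return [field for field in PREVIEW_FIELDS if TAG_RE.search(props[field])]


if __name__ == "__main__":
    print("unescaped pane injects:", injected_tags(render_preview_unescaped(SAMPLE_PROPERTIES)))
    print("escaped pane injects:  ", injected_tags(render_preview_escaped(SAMPLE_PROPERTIES)))
    print("fields carrying markup:", suspicious_fields(SAMPLE_PROPERTIES))
```

The point of the contrast is that the fix is not in the file parser but in the rendering step: the metadata is untrusted input, and escaping at the boundary where it is turned into HTML is what keeps the preview pane from executing it.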
Stephen Toulouse, a security program manager for Microsoft's Security Response Center, said the vulnerability could allow an attacker to run or install malicious software on a user's computer, or it could allow an attacker to view or delete files remotely.
Such an attack, however, would require user intervention, he said, because a user would have to click to execute and open a file sent by an attacker. "It's not an automated attack," he noted.
The vulnerability was publicly disclosed about four weeks ago on a security mailing list, before Microsoft had a patch ready. "We believe it puts people at risk," Toulouse said of the disclosure before the patches were made available.