Microsoft has confirmed that it is investigating a public disclosure of a flaw in Windows Mail, the email client distributed with Windows Vista.
The bug - a design flaw, according to security researchers - could allow an attacker to trick a user into launching an executable file, bypassing the Windows security prompts intended to prevent such actions.
The bug is one of the first serious security flaws to emerge in the new Windows Vista operating system.
The flaw was discussed on the Full Disclosure mailing list on Friday by a researcher using the handle Kingcope.
The email client will launch an executable file if a folder exists with the same name, according to the disclosure. "For example the victim has a folder in C:\ named blah and a batch script named blah.bat also in C:\. Now if the victim clicks on a link in the email message with the URL target set to C:\blah the batch script is executed without even asking," Kingcope wrote.
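The condition described above is a name collision: a folder and an executable script in the same directory that share a base name. The following script is an added example, not code from the article, from Kingcope or from Microsoft; it walks a directory tree and reports every folder that has a sibling file with the same name and an executable extension, which is the kind of inventory a defender might run to see whether a host even has the layout the disclosure depends on. The set of extensions treated as executable is an assumption (the article mentions only .bat), and the sample directory layout is constructed inside a temporary directory so the script runs offline.

```python
import os
import tempfile

# Assumed list of extensions treated as "executable" for this check.
# The article only mentions .bat; the rest are added here as an assumption.
EXECUTABLE_EXTENSIONS = {".bat", ".cmd", ".exe", ".com", ".vbs", ".js"}


def find_name_collisions(root):
    """Return sorted (directory, sibling_file) pairs under root where a folder
    and an executable file in the same parent directory share a base name.

    Example: a folder 'blah' and a file 'blah.bat' both directly under root
    yield the pair ('blah', 'blah.bat').
    """
    collisions = []
    for parent, dirnames, filenames in os.walk(root):
        dir_set = set(dirnames)
        for name in filenames:
            stem, ext = os.path.splitext(name)
            # Case-insensitive on Windows-style file systems; normalise both sides.
            if ext.lower() not in EXECUTABLE_EXTENSIONS:
                continue
            for d in dir_set:
                if d.lower() == stem.lower():
                    collisions.append((d, name))
    return sorted(collisions)


def build_sample_layout(root):
    """Construct a small directory tree that reproduces the described layout.

    This is constructed sample data for the example, not a real system image:
    a folder 'blah' beside 'blah.bat' (collision), a folder 'docs' beside
    'docs.txt' (no collision, not executable), and a lone 'setup.exe'.
    """
    os.makedirs(os.path.join(root, "blah"), exist_ok=True)
    os.makedirs(os.path.join(root, "docs"), exist_ok=True)
    for fname in ("blah.bat", "docs.txt", "setup.exe"):
        with open(os.path.join(root, fname), "w") as fh:
            fh.write("sample\n")


def demo():
    """Build the constructed layout in a temp dir and return the collisions found."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_layout(tmp)
        return find_name_collisions(tmp)


if __name__ == "__main__":
    for folder, sibling in demo():
        print(f"folder {folder!r} collides with executable {sibling!r}")
```

Running the script against a real drive root instead of the temporary directory gives an inventory of such collisions; on a default installation there may be none, which is consistent with SecurityFocus being unable to reproduce the issue out of the box.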
According to Kingcope, the bug could be used with UNC addresses to allow remote code execution.
SecurityFocus, owned by security firm Symantec, confirmed the existence of the bug. "Windows Mail is prone to a local file-execution vulnerability due to a design error," SecurityFocus said in an advisory.
"An attacker may exploit this issue to execute local files. The attacker must entice a victim into opening a maliciously crafted link using the affected application."
SecurityFocus and Kingcope both provided proof-of-concept exploit code for the bug. However, SecurityFocus said it had not yet been able to reproduce the issue on a default Vista installation.
Microsoft said it is investigating the flaw, and emphasised there are currently no known attacks exploiting the bug.