Microsoft today warned Windows users of a new unpatched vulnerability that attackers could exploit to steal information and dupe people into installing malware.

In a security advisory issued Friday, Microsoft acknowledged that a bug in Windows' MHTML (MIME HTML) protocol handler can be used by attackers to run malicious scripts within Internet Explorer (IE).

"The best way to think of this is to call it a variant of a cross-site scripting vulnerability," said Andrew Storms, director of security operations at nCircle Security.

Cross-site scripting bugs, often shortened to XSS, let an attacker insert malicious script into a Web page; the script then runs in the victim's browser with the victim's access to that site, so it can take control of the user's session.

"An attacker could pretend to be the user, and act as if he was you on that specific site," said Storms. "If you were at Gmail.com or Hotmail.com, he could send e-mail as you."

Microsoft elaborated on the threat.

"Such a script might collect user information, for example e-mail, spoof content displayed in the browser or otherwise interfere with the user's experience," said Angela Gunn, a Microsoft security spokeswoman, in a post to the Microsoft Security Response Center (MSRC) blog.

Full story: Computerworld