The vulnerability can be exploited via a special-coded ActiveX--a scripting language created by Microsoft to make interactivity to Web sites and applications easier--inserted into hypertext markup language (HTML), the lingua franca of the Web. To fall victim to attack, a PC user would have to browse a Web site, or open an HTML e-mail, specifically set up to take advantage of the vulnerability.
The flaw "could enable a Web page, through an extremely complex process, to invoke the (ActiveX) control in a way that would delete certificates on a user?s system," Microsoft warned in an advisory released late Wednesday.
Such digital certificates are used to hold encryption keys used in e-mail, the encrypted files system (ESS) that is shipped with certain versions of Windows, and in the Secure Sockets Layer communications protocol used by many e-commerce Web sites. ESS is shipped in Windows 2000 and in Windows XP Professional. Though the flaw doesn't allow a malicious vandal to steal the certificates, it does allow the attacker to corrupt the data, rendering it useless to the PC's owner.
Depending on the certificates corrupted, the act would prevent the victim from encrypting and decrypting e-mail, encrypting files and complicating the use of secure Web sites, Microsoft advised. The flaw occurs in the Certificate Enrollment ActiveX Control.
Microsoft suggests that all users of Windows 98, Windows 98 Second Edition, Windows Millennium, Windows NT 4.0, Windows 2000 and Windows XP patch their systems immediately.
The latest advisory brings the number of such warnings by the software giant to 48 for the year.