SAN FRANCISCO: Microsoft Corp. on Wednesday warned Windows users of a critical flaw that could allow someone to take control of a computer by luring victims to open an e-mail or Web page with malicious code on it.
Microsoft said has heard of no reports of attacks from the vulnerability, which has several mitigating factors, said Iain Mulholland, security program manager for Microsoft's Security Response Center.
While someone using an older version of the Outlook or Outlook Express e-mail programs would be at risk by merely opening an e-mail message, service packs for the programs eliminate that threat, he said.
Windows XP users are not affected by the e-mail flaw, and to exploit the flaw via a Web site, victims would have to visit the site on their own, he added.
In addition, computers configured to disable active scripting in Internet Explorer are not susceptible.
"User discretion when choosing what Web sites to visit, or links to click in e-mail, will offer the best protection from this class of attack," a Microsoft security bulletin said.
The flaw is in the Windows Script Engine that allows Windows to execute JScript code, or Microsoft's version of the Java scripting language that adds functionality to Web pages.
Microsoft has released a patch for the vulnerability at: (http://www.microsoft.com/technet/treeview/default.asp?url=/tec hnet/security/bulletin/MS03-008.asp?tag=nl).