The warning is part of the software giant’s emerging reaction to an unpatched vulnerability that hackers could exploit to hijack PCs that run Internet Explorer.

Microsoft is investigating new public reports of a vulnerability in VBScript that is exposed on supported versions of Microsoft Windows 2000, Windows XP, and Windows Server 2003 through the use of Internet Explorer.

But good news for Vista and Win7 users: Their investigation has shown that the vulnerability cannot be exploited on Windows 7, Windows Server 2008 R2, Windows Vista or Windows Server 2008.

The main impact of the vulnerability is remote code execution.

The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer. If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed.

On systems running Windows Server 2003, Internet Explorer Enhanced Security Configuration is enabled by default, which helps to mitigate against this issue.

Until a patch is ready, users can protect themselves by not pressing the F1 key if a Web site tells them (repeatedly) to do it.

Another workaround: Disable Windows Help by modifying the ACL on winhlp32.exe to be more restrictive on Windows 2000, Windows XP and Windows Server 2003 by running the following command from an administrative command line:

echo Y | cacls "%windir%\winhlp32.exe" /E /P everyone:N

With rare speed and nearly unprecedented cooperation, Microsoft, Cisco Systems and other IT vendors have released software patches aimed at addressing a fundamental design flaw in the Domain Name System (DNS) protocol used to direct traffic on the Internet.

The so-called DNS cache-poisoning flaw was found earlier this year by a researcher at security services firm IOActive Inc., but the vulnerability wasn’t publicized until yesterday.

The vulnerability could let attackers to redirect Web traffic and e-mails to systems under their control, according to the researcher, Dan Kaminsky, who says the flaw exists at the DNS protocol level and affects numerous products from multiple vendors.

Nearly every domain name server that resolves IP addresses on the Internet is vulnerable to this flaw and needs to be patched against it as soon as possible to avoid potentially serious problems. Companies could wind up having all of their network traffic rerouted to malicious Web sites or having employee e-mails captured by attackers, Kaminsky said.

Because of the seriousness of the issue, Kaminsky first alerted the U.S. Computer Emergency Readiness Team (US-CERT) and the vendors, all of which agreed to keep the discovery quiet until they had patches ready to go.

Kaminsky told Computerworld that security researchers from 16 companies met at Microsoft’s Redmond, Wash., campus in March to discuss a fix for the problem as well as a strategy for minimizing the potential damage that could result once the vulnerability’s existence was disclosed.

Microsoft issued a patch for the DNS flaw as part of its monthly Patch Tuesday software updates.

Cisco and the Internet Systems Consortium Inc., which maintains the widely used Berkeley Internet Name Domain technology, did as well.

Despite the potential seriousness of the DNS cache-poisoning problem, there is no indication that it has been discovered by malicious hackers yet, says Kaminsky. And he said that with patches available for the flaw, much of the immediate risk has been mitigated. Kaminsky noted that the patches have been designed in such a way as to minimize the chances of them being reverse-engineered in order to exploit the vulnerability.

Kaminsky and others said the vulnerability is a bona fide threat to users. “It’s not good when the DNS goes bad,” Kaminsky said. “At the end of the day, the DNS controls where people go on the Internet. Everything depends on it.”

To read the CERT advisory, click here.