PC World posted a news story of a new zero-day Windows XSS vulnerability
Microsoft released security advisory 2501696, titled "Vulnerability in MHTML Could Allow Information Disclosure" today. The advisory addresses a flaw in the MHTML protocol handler which opens all versions of Windows to potential cross-site scripting (XSS) attacks.Windows Vulnerable to Zero-Day XSS Attacks
The Microsoft Security Response Center (MSRC) blog explains how an attack might work in more detail once a user receives a malicious link targeting this vulnerability. "When the user clicked that link, the malicious script would run on the user's computer for the rest of the current Internet Explorer session. Such a script might collect user information (eg., e-mail), spoof content displayed in the browser, or otherwise interfere with the user's experience."