Windows flaw adds to Microsoft's zero-day trouble
In addition to a trio of zero-day bugs in Office, a yet-to-be-patched vulnerability has been reported in Windows.
Sample code that exploits a flaw in the way Windows handles help system files has been posted to the Internet.
"This is another heap-overflow flaw that might be exploited for code execution," McAfee reported on its Avert Labs blog late Tuesday.
Microsoft said it is aware of the issue and advises caution with ".hlp" files, which it said are as unsafe as ".exe" files because both file types are executable.
Word of the flaws comes just as Microsoft issued five security bulletins as part of its monthly patch cycle. The company is also still dealing with the aftermath of an emergency patch released last week. That patch fixed another Windows zero-day, one that is actively being exploited in attacks on Windows PCs.
None of the newly reported bugs are being used in cyberattacks, according to Microsoft. Not yet, at least.
You can read more on the Patch Tuesday zero-day parade in a story I wrote on Tuesday that has been recently updated.