Microsoft was made aware Monday of a security flaw in older versions of Windows that could, if exploited, allow hackers to run malicious code on unsuspecting computers. The vulnerability is due to a boundary error in the “UpdateFrameTitleForDocument()” function of the CFrameWnd class in mfc42.dll.
According to Secunia, hackers can exploit a computer by passing an overly long title string argument to the affected function, which causes a stack-based buffer overflow.
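The class of flaw described above, as an added example that is not Microsoft's MFC code: a title composed into a fixed-size buffer without a length check, beside a form that rejects oversize input. The function names, the "document - application" title layout and the 64-byte buffer size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TITLE_MAX 64   /* assumed size of the fixed title buffer */

/* Flawed pattern (illustrative): nothing compares the input length with the
   buffer size, so a doc_name longer than the buffer writes past `out`.
   This is the kind of boundary error the advisory describes. */
void compose_title_unchecked(char *out, const char *doc_name, const char *app_name)
{
    strcpy(out, doc_name);
    strcat(out, " - ");
    strcat(out, app_name);
}

/* Hardened form: work out the required length first and refuse input that
   does not fit. Returns 0 on success, -1 if the title would not fit. */
int compose_title_checked(char *out, size_t out_size,
                          const char *doc_name, const char *app_name)
{
    if (out == NULL || out_size == 0 || doc_name == NULL || app_name == NULL)
        return -1;
    out[0] = '\0';                       /* never leave stale data on failure */
    size_t dl = strlen(doc_name), al = strlen(app_name);
    /* Need dl + 3 + al + 1 <= out_size; written so the sums cannot wrap. */
    if (dl >= out_size || al >= out_size - dl || 3 >= out_size - dl - al)
        return -1;
    snprintf(out, out_size, "%s - %s", doc_name, app_name);
    return 0;
}

int main(void)
{
    char title[TITLE_MAX];
    char long_name[1024];                /* constructed oversize input */
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    if (compose_title_checked(title, sizeof title, "report.zip", "Viewer") == 0)
        printf("accepted: %s\n", title);
    if (compose_title_checked(title, sizeof title, long_name, "Viewer") != 0)
        printf("rejected: title of %zu bytes does not fit\n", strlen(long_name));
    return 0;
}
```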
Affected operating systems confirmed by Secunia are Windows 2000 Professional SP4, which includes mfc42.dll version 6.0.9586.0, and Windows XP SP2/SP3, which include mfc42.dll version 6.2.4131.0. Secunia has also noted that other versions may be affected as well. PowerZip version 7.2 Build 4010 is currently known to present a valid attack vector (e.g. when entering an overly long directory in an opened archive).
Microsoft announced in a Twitter post from the Microsoft Security Response Team that it had been made aware of the vulnerability and is now investigating the issue.
Until Microsoft issues a fix, the solution Secunia recommends is to restrict access to applications that allow user-controlled input to be passed to the vulnerable function.