A new vulnerability has been found in Outlook Express’ successor, Windows Mail. The vulnerability is rated as critical.
A person known as Kingscope said, “Remote Code Execution is possible if a user clicks on a maliciously prepared link. Vista's Mail Client will execute any executable file if a folder exists with the same name. For example, the victim has a folder in C:\ named blah and a batch script named blah.bat also in C:\. Now if the victim clicks on a link in the email message with the URL target set to C:\blah, the batch script is executed without even asking. There is, for example, a CMD script by default in C:\Windows\System32\ named winrm.cmd (and also a folder named winrm inside System32).”
For more info, read the full article on iTWire’s website.
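
The condition described in the report is a folder and an executable file sharing a base name in the same directory. The following audit sketch is an added example, not code from the article or from Microsoft; it lists such pairs so they can be reviewed. The function names and the extension list beyond .bat and .cmd are assumptions, and the sample tree is constructed.

```python
import os
import tempfile

# Assumption: extensions treated as "executable"; the report names only .bat and .cmd.
EXEC_EXTS = {".bat", ".cmd", ".exe", ".com"}

def find_collisions(root, recursive=False):
    """Return sorted (folder, executable) path pairs that share a base name
    inside the same parent directory, compared case-insensitively as on Windows."""
    hits = []
    for parent, dirs, files in os.walk(root):
        folders = {d.lower(): d for d in dirs}
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() in EXEC_EXTS and stem.lower() in folders:
                hits.append((os.path.join(parent, folders[stem.lower()]),
                             os.path.join(parent, name)))
        if not recursive:
            break  # inspect only the top level of root
    return sorted(hits)

def build_sample(root):
    """Constructed sample tree using the names from the quoted report."""
    for d in ("blah", "winrm", "notes"):
        os.mkdir(os.path.join(root, d))
    # notes.txt is not executable and other.bat has no matching folder.
    for f in ("blah.bat", "winrm.cmd", "notes.txt", "other.bat"):
        open(os.path.join(root, f), "w").close()
    # A nested pair with mixed case, found only when recursing.
    os.mkdir(os.path.join(root, "blah", "Tool"))
    open(os.path.join(root, "blah", "TOOL.EXE"), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for folder, exe in find_collisions(tmp, recursive=True):
            print(f"{folder}  <->  {exe}")
```
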

