There is a wave of ongoing attacks against a bug in MHTML that affects all of the current versions of Windows, and there seems to be little recourse for sites trying to protect their users from the attacks.
The current spate of attacks is targeting users of Internet Explorer, and experts are recommending that users install the FixIt mitigation that Microsoft released in January to help protect against the attacks. Attackers have been targeting the MHTML vulnerability since at least January, and the bug itself may have been known in some corners of the security community for several years.
“The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a Web request run in the context of the victim’s Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user,” Microsoft said in its advisory from January.
In the last few days, researchers at Google have seen a renewed effort by attackers to target the MHTML flaw and they’re warning users that they should implement Microsoft’s FixIt as an interim solution until a full fix is available, although it’s unclear when that may happen.
“To help protect users of our services, we have deployed various server-side defenses to make the MHTML vulnerability harder to exploit. That said, these are not tenable long-term solutions, and we can’t guarantee them to be 100% reliable or comprehensive. We’re working with Microsoft to develop a comprehensive solution for this issue,” a team of Google security researchers said in a blog post.
“The abuse of this vulnerability is also interesting because it represents a new quality in the exploitation of web-level vulnerabilities. To date, similar attacks focused on directly compromising users’ systems, as opposed to leveraging vulnerabilities to interact with web services.”
Michal Zalewski, a Google researcher, said in a separate post on his personal blog that there are some experimental server-side mitigations that can help sites, but they’re not necessarily perfect long-term solutions.
“It appears that the affected sites generally have very little recourse to stop the attack: it is very difficult to block the offending input patterns perfectly, and there may be no reliable way to distinguish between MHTML-related requests and certain other types of navigation (e.g., <embed> loads). A highly experimental server-side workaround devised by Robert Swiecki may involve returning HTTP code 201 Created rather than 200 OK when encountering vulnerable User-Agent strings – as these codes are recognized by most browsers, but seem to confuse the MHTML fetcher itself,” Zalewski wrote.
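The server-side workaround Zalewski describes, as an added illustration that is not code from Google, Swiecki or the article: a small WSGI middleware that rewrites a 200 OK status to 201 Created when the request comes from a browser matching an assumed User-Agent heuristic, leaving headers and body untouched. The article does not list which User-Agent strings are affected, so the `AFFECTED_UA` pattern (Internet Explorer on Windows) and the names `MhtmlStatusWorkaround`, `rewrite_status` and `run_request` are assumptions made for this example.

```python
"""Added example: the experimental '201 Created instead of 200 OK' MHTML workaround
as a WSGI middleware. Not the code of any site or vendor named in the article."""
import re

# Assumption: the affected clients are Internet Explorer releases on Windows. The
# article gives no exact list of vulnerable User-Agent strings, so this heuristic
# is illustrative and should be tuned against real client inventory.
AFFECTED_UA = re.compile(r"MSIE \d+\.\d+;.*Windows", re.IGNORECASE)


def is_affected_user_agent(user_agent: str) -> bool:
    """True when the User-Agent matches the assumed vulnerable-browser pattern."""
    return bool(AFFECTED_UA.search(user_agent or ""))


def rewrite_status(status: str, user_agent: str) -> str:
    """Swap '200 OK' for '201 Created' for affected clients; other statuses pass through."""
    if status.startswith("200") and is_affected_user_agent(user_agent):
        return "201 Created"
    return status


class MhtmlStatusWorkaround:
    """WSGI middleware applying rewrite_status() to every response of the wrapped app."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        user_agent = environ.get("HTTP_USER_AGENT", "")

        def patched_start_response(status, headers, exc_info=None):
            # Only the status line changes; headers and body are forwarded as-is.
            return start_response(rewrite_status(status, user_agent), headers, exc_info)

        return self.app(environ, patched_start_response)


def sample_app(environ, start_response):
    """Constructed stand-in for a site's normal handler: always answers 200 OK."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body>hello</body></html>"]


def run_request(app, user_agent: str):
    """Drive a WSGI app with a constructed GET request; return (status, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": "/",
        "HTTP_USER_AGENT": user_agent,
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    wrapped = MhtmlStatusWorkaround(sample_app)
    # Constructed User-Agent strings: one matching the heuristic, one not.
    for ua in (
        "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
        "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6",
    ):
        status, _ = run_request(wrapped, ua)
        print(f"{ua!r} -> {status}")
```

The middleware deliberately touches only the status line, so it adds no body or header changes that could break the page for the matched browsers; everything that is not a 200 response is left alone. As the quote itself stresses, this is an experimental measure: verify how your own caches, proxies and client mix treat a 201 on a GET before relying on it.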