Microsoft is warning its users about a dangerous flaw in the way that Windows handles certain MHTML operations, which could allow an attacker to run code on vulnerable machines. The bug affects all of the current versions of Windows, from XP up through Windows 7 and Windows Server 2008.
Microsoft issued an advisory about the MHTML vulnerability, which has been discussed among security researchers in recent days. There is some exploit code available for the bug, as well. In addition to the advisory, Microsoft has released a FixIt tool, which helps mitigate attacks against the vulnerability in Windows.
“The vulnerability could allow an attacker to cause a victim to run malicious scripts when visiting various Web sites, resulting in information disclosure. This impact is similar to server-side cross-site scripting (XSS) vulnerabilities. Microsoft is aware of published information and proof-of-concept code that attempts to exploit this vulnerability. At this time, Microsoft has not seen any indications of active exploitation of the vulnerability,” the company said in the advisory.
“The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a Web request run in the context of the victim’s Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user.”
The FixIt workaround that Microsoft released for the MHTML vulnerability enables the Network Protocol Lockdown in Internet Explorer for all of the security zones. The side effects from enabling the FixIt workaround are minor, Microsoft officials said.
“In our testing, the only side effect we have encountered is script execution and ActiveX being disabled within MHT documents. We expect that in most environments this will have limited impact. While MHTML is an important component of Windows, it is rarely used via mhtml: hyperlinks. Most often, MHTML is used behind the scenes, and those scenarios would not be impacted by the network protocol lockdown. In fact, if there is no script content in the MHT file, the MHT file would be displayed normally without any issue. Finally, for legitimate MHT files with script content that you would like to be rendered in IE, users can click the information bar and select ‘Allow All Protocols’,” the company said.