Zero Day: New Windows Vulnerability

Wednesday, February 2, 2011 @ 05:02 PM gHale

A new unpatched vulnerability in Windows could let attackers steal information and dupe people into installing malware.

In a security advisory, Microsoft said attackers can use a bug in Windows’ MHTML (MIME HTML) protocol handler to run malicious scripts within Internet Explorer (IE).

Cross-site scripting (XSS) bugs let an attacker insert malicious script into a Web page, which can then take control of the session.

“Such a script might collect user information, for example e-mail, spoof content displayed in the browser or otherwise interfere with the user’s experience,” said Angela Gunn, a Microsoft security spokeswoman, in a Microsoft Security Response Center (MSRC) blog.

The vulnerability came to light when a Chinese Web site published proof-of-concept code.

MHTML is a Web page protocol that combines resources of several different formats — images, Java applets, Flash animations, etc. — into a single file. Only Microsoft’s IE and Opera Software’s Opera support MHTML natively: Google’s Chrome and Apple’s Safari do not, and while Mozilla’s Firefox can, it requires an add-on to read and write MHTML files.

That means IE users are most at risk.

All supported versions of Windows, including Windows XP, Vista and Windows 7, contain the flawed protocol handler.

There is no patch available right now. However, in lieu of a patch, Microsoft recommended users lock down the MHTML protocol handler by running a “Fixit” tool it has made available. The tool automates the process of editing the Windows registry, which if done carelessly could cripple a PC, and lets IE users continue to run MHTML files that include scripting by clicking through a warning.

You can access the Fixit tool at Microsoft’s support site.
