An unpatched windows vulnerability affecting all current windows operating systems has been identified. Microsoft has supplied a ‘fix it’ utility http://support.microsoft.com/kb/2501696 or users can implement several options identified in the 2501696 security advisory. As of this time, no active exploits have been identified. Recommendations include users not clicking on unknown web links in e-mail and also setting internet and local intranet security zones to high. Very little content is presented using mhtml. Additional information on this vulnerability will be provided as it becomes available.
Other recommendations documented in the security advisory include:
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:
|•||By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.|
|•||By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone, which disables script and ActiveX controls, removing the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.|
|•||In a Web-based attack scenario, a Web site could contain a specially crafted link (MHTML:) that is used to exploit this vulnerability. An attacker would have to convince users to visit the Web site and open a specially crafted URL, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site, and then convincing them to click the specially crafted link.|
Microsoft is warning its users about a dangerous flaw in the way that Windows handles certain MHTML operations, which could allow an attacker to run code on vulnerable machines. The bug affects all of the current versions of Windows, from XP up through Windows 7 and Windows Server 2008.
Microsoft issued an advisory about the MHTML vulnerability – https://www.microsoft.com/technet/security/advisory/2501696.mspx , which has been discussed among security researchers in recent days. There is some exploit code available for the bug, as well. In addition to the advisory, Microsoft has released a FixIt tool, which helps mitigate attacks against the vulnerability in Windows.
“The vulnerability could allow an attacker to cause a victim to run malicious scripts when visiting various Web sites, resulting in information disclosure. This impact is similar to server-side cross-site scripting (XSS) vulnerabilities. Microsoft is aware of published information and proof-of-concept code that attempts to exploit this vulnerability. At this time, Microsoft has not seen any indications of active exploitation of the vulnerability,” the company said in the advisory.
“The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a Web request run in the context of the victim’s Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user.”
The FixIt workaround that Microsoft released for the MHTML vulnerability enables the Network Protocol Lockdown in Internet Explorer for all of the security zones. The side effects from enabling the FixIt workaround are minor, Microsoft officials said.
“In our testing, the only side effect we have encountered is script execution and ActiveX being disabled within MHT documents. We expect that in most environments this will have limited impact. While MHTML is an important component of Windows, it is rarely used via mhtml: hyperlinks. Most often, MHTML is used behind the scenes, and those scenarios would not be impacted by the network protocol lockdown. In fact, if there is no script content in the MHT file, the MHT file would be displayed normally without any issue. Finally, for legitimate MHT files with script content that you would like to be rendered in IE, users can click the information bar and select “Allow All Protocols”,” the company said.
Only Internet Explorer and Opera can manage mhtml files by default. Firefox requires an add-in to be able to process mhtml files.