Microsoft tonight released a security advisory for a publicly-disclosed vulnerability in all versions of Windows. Security Advisory 2501696 describes a bug in the MHTML handler in Windows which could lead to information disclosure.
MHTML (MIME Encapsulation of Aggregate HTML) encapsulates HTML in a MIME structure.
MIME (Multipurpose Internet Mail Extensions) is a data format for encapsulating more complex binary structures in a text-only format. Windows includes a pluggable protocol handler (MHTML:) that allows applications to render MHTML structures. Internet Explorer is one of these and it can be abused to exploit the bug in the context of a web page, causing script to be executed. The user would have click a link to an MHTML:// document.
The vulnerability is similar to a cross-site scripting bug on a web page, in which HTML and script from another site is executed in the web page context. In this case, script could be executed in the client-side context.
Microsoft has provided a "Fix it" link to disable the MHTML protocol handler. This is a rather radical move, but it's probably the only thing Microsoft can do without an actual patch, which they will of course providewhen it's ready. They are also working with other companies to develop server-side protections to prevent attacks.
The link above to the Fix it also includes what amounts to a proof of concept for the bug which you can use to test if you are vulnerable or if mitigating measures have worked.
MHTML (MIME Encapsulation of Aggregate HTML) encapsulates HTML in a MIME structure.
MIME (Multipurpose Internet Mail Extensions) is a data format for encapsulating more complex binary structures in a text-only format. Windows includes a pluggable protocol handler (MHTML:) that allows applications to render MHTML structures. Internet Explorer is one of these and it can be abused to exploit the bug in the context of a web page, causing script to be executed. The user would have click a link to an MHTML:// document.
The vulnerability is similar to a cross-site scripting bug on a web page, in which HTML and script from another site is executed in the web page context. In this case, script could be executed in the client-side context.
Microsoft has provided a "Fix it" link to disable the MHTML protocol handler. This is a rather radical move, but it's probably the only thing Microsoft can do without an actual patch, which they will of course providewhen it's ready. They are also working with other companies to develop server-side protections to prevent attacks.
The link above to the Fix it also includes what amounts to a proof of concept for the bug which you can use to test if you are vulnerable or if mitigating measures have worked.
No comments:
Post a Comment