Microsoft Security Advisory (2501696)

ronjor · Mar 15, 2011

Vulnerability in MHTML Could Allow Information Disclosure
Published: January 28, 2011 | Updated: March 11, 2011

Version: 1.1
General Information
Executive Summary

Microsoft is investigating new public reports of a vulnerability in all supported editions of Microsoft Windows. The vulnerability could allow an attacker to cause a victim to run malicious scripts when visiting various Web sites, resulting in information disclosure. This impact is similar to server-side cross-site scripting (XSS) vulnerabilities. Microsoft is aware of published information and proof-of-concept code that attempts to exploit this vulnerability. In addition, at this time, Microsoft is aware of public proof-of-concept code being used in limited, targeted attacks. Users who have applied the automated Microsoft Fix it solution described in Microsoft Knowledge Base Article 2501696 or manually applied the "Enable the MHTML protocol lockdown" workaround described in this advisory to their systems are not exposed to this vulnerability.

The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a Web request run in the context of the victim's Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

We are collaborating with Service Providers to investigate server-side workarounds, but we recommend that customers apply one or more of the client-side workarounds provided in the Suggested Actions section of this advisory to help block potential attack vectors regardless of the service.

Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.
Click to expand...

https://www.microsoft.com/technet/security/advisory/2501696.mspx

elapsed · Mar 11, 2011

For the people who are wondering "Err, what's changed?"

V1.1 (March 11, 2011): Revised Executive Summary to reflect investigation of limited, targeted attacks.
Click to expand...

Page42 · Mar 11, 2011

Quick reference post...

MHTML lockdown (and undo lockdown) via Microsoft®Fix it

@ elapsed... so what has changed? MS is now saying there are actual attacks, though limited?

MrBrian · Mar 14, 2011

Attackers Targeting MHTML Bug in Windows

Page42 · Mar 14, 2011

Thanks for posting that, MrBrian.
After mentioning the fix ("experts are recommending that users install the FixIt mitigation that Microsoft released in January"), it would have been cool if the author had linked it.

MrBrian · Mar 14, 2011

Page42 said:

Thanks for posting that, MrBrian.
After mentioning the fix ("experts are recommending that users install the FixIt mitigation that Microsoft released in January"), it would have been cool if the author had linked it.
Click to expand...

You're welcome .

There is an older thread on the same topic.

m00nbl00d · Mar 14, 2011

Look at the comment! Hilarious!

"... of the targeted user," Microsoft sad in its advisory from January."

I am glad to hear that Microsoft is 'sad' about it....
Click to expand...

Log in or Sign up

Microsoft Security Advisory (2501696)

ronjor Global Moderator

elapsed Registered Member

Page42 Registered Member

MrBrian Registered Member

Page42 Registered Member

MrBrian Registered Member

m00nbl00d Registered Member

Log in or Sign up

Microsoft Security Advisory (2501696)

ronjor Global Moderator

elapsed Registered Member

Page42 Registered Member

MrBrian Registered Member

Page42 Registered Member

MrBrian Registered Member

m00nbl00d Registered Member

Useful Searches