Microsoft Acknowledges MHTML Vulnerability
Microsoft has released a tool that mitigates a new vulnerability affecting all supported versions of Windows, aside from Server 2008 installations using the Server Core option. While proof-of-concept code is public, the software giant says it is unaware of any actual attacks.
On Friday, Microsoft acknowledged reports of a vulnerability in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler that surfaced earlier this month on a security mailing list. The handler itself has been around for a while, and is used to render various types of documents.
The nature of the vulnerability means that Internet Explorer (IE), and third-party applications leveraging IE or the protocol, are at the greatest risk. In their default installations, neither Firefox nor Chrome supports MHTML.
The impact of an attack on the vulnerability would be similar to that of server-side cross-site scripting (XSS) vulnerabilities, Microsoft has explained.
“The XSS attack can be used to run JavaScript code on the user’s Internet Explorer instance, which gives the attacker a way to get at information stored in the browser and a mechanism to trick users into installing unwanted code through social engineering,” added Wolfgang Kandek, CTO at Qualys.
While on the surface the vulnerability looks critical, many security experts don’t see it as something to run for the hills over. The mitigation steps suggested by Microsoft will have little user impact if applied in the office or at home.
“…even though the proof of concept code is public, carrying out an attack using this complicated cross site scripting-like bug will not be easy. Because of this, attacks are probably not imminent but users should still follow the mitigation advice in the advisory,” commented Andrew Storms of nCircle in an email.
“Locking down the MHTML protocol is likely to have a nominal impact on most users and will go a long way toward protecting their browsing experience,” he added.
Until an official patch is available, Microsoft has released a FixIt script that locks down the MHTML protocol and prevents script abuse.
“In our testing, the only side effect we have encountered is script execution and ActiveX being disabled within MHT documents. We expect that in most environments this will have limited impact,” Microsoft said regarding the fix.
“While MHTML is an important component of Windows, it is rarely used via mhtml: hyperlinks. Most often, MHTML is used behind the scenes, and those scenarios would not be impacted by the network protocol lockdown. In fact, if there is no script content in the MHT file, the MHT file would be displayed normally without any issue.”
More information on the MHTML vulnerability can be viewed here.
The official Security Advisory related to the MHTML issue can be found here.
