- Joined
- Jun 27, 2006
- Location
- Chicago, IL
Hello. Today we're releasing Link Removed due to 404 Error, which describesa publicly disclosed scripting vulnerability affecting all versions ofMicrosoft Windows. The main impact of the vulnerability is unintendedinformation disclosure. We're aware of publishedinformation and proof-of-concept code that attempts to exploit thisvulnerability, but we haven't seen any indications of activeexploitation.
The vulnerability lies in theMHTML (MIME Encapsulation of Aggregate HTML) protocol handler, which is used byapplications to render certain kinds of documents. The impact of an attack onthe vulnerability would be similar to that of server-side cross-site-scripting(XSS) vulnerabilities. For instance, anattacker could construct an HTML link designed to trigger a malicious scriptand somehow convince the targeted user to click it. When the user clicked thatlink, the malicious script would run on the user's computer for the rest of thecurrent Internet Explorer session. Sucha script might collect user information (eg., email), spoof content displayedin the browser, or otherwise interfere with the user's experience.
The workaround we arerecommending customers apply locks down the MHTML protocol and effectivelyaddresses the issue on the client system where it exists. We are providing aMicrosoft Fix-it package to further automate installation.
In our collaboration with otherservice providers, we are looking for possible ways that they can take steps toprovide protection on the server side. Our Security Research & Defense teamhas written a blog post that discusses some possible options.However, due to the nature of the issue, the only workaround Microsoft can officiallyrecommend is what we have identified in the advisory. We will continue to workclosely with others in the industry and appreciate the collaboration we have hadto date.
We have initiated our Link Removed due to 404 Error to manage this issue. We're also incommunication with other service providers to explain how the issue mightaffect third-party Web sites and to collaborate on developing a variety offurther solutions that address the varied needs of all parts of the Internet ecosystem- large sites, small sites, and all those who visit them.
Meanwhile, we are working on a securityupdate to address this vulnerability and we are monitoring the threat landscapevery closely. If the situation changes, we'll post updates here on the MSRCblog.
Thanks -
Angela Gunn
Trustworthy Computing
Link Removed due to 404 Error
More...
The vulnerability lies in theMHTML (MIME Encapsulation of Aggregate HTML) protocol handler, which is used byapplications to render certain kinds of documents. The impact of an attack onthe vulnerability would be similar to that of server-side cross-site-scripting(XSS) vulnerabilities. For instance, anattacker could construct an HTML link designed to trigger a malicious scriptand somehow convince the targeted user to click it. When the user clicked thatlink, the malicious script would run on the user's computer for the rest of thecurrent Internet Explorer session. Sucha script might collect user information (eg., email), spoof content displayedin the browser, or otherwise interfere with the user's experience.
The workaround we arerecommending customers apply locks down the MHTML protocol and effectivelyaddresses the issue on the client system where it exists. We are providing aMicrosoft Fix-it package to further automate installation.
In our collaboration with otherservice providers, we are looking for possible ways that they can take steps toprovide protection on the server side. Our Security Research & Defense teamhas written a blog post that discusses some possible options.However, due to the nature of the issue, the only workaround Microsoft can officiallyrecommend is what we have identified in the advisory. We will continue to workclosely with others in the industry and appreciate the collaboration we have hadto date.
We have initiated our Link Removed due to 404 Error to manage this issue. We're also incommunication with other service providers to explain how the issue mightaffect third-party Web sites and to collaborate on developing a variety offurther solutions that address the varied needs of all parts of the Internet ecosystem- large sites, small sites, and all those who visit them.
Meanwhile, we are working on a securityupdate to address this vulnerability and we are monitoring the threat landscapevery closely. If the situation changes, we'll post updates here on the MSRCblog.
Thanks -
Angela Gunn
Trustworthy Computing
Link Removed due to 404 Error
More...
