Microsoft warns of 0-day Windows vulnerability


Flaw could allow cross-site scripting attack

Microsoft is warning users following the disclosure of a security flaw in Windows.

The company said that the vulnerability is currently unpatched and exists in all versions of the operating system. Currently the exploit exists only as a proof-of-concept sample and no active exploits have been reported in the wild.

The vulnerability lies within a component of Windows which handles MIME Encapsulation of Aggregate HTML (MHTML) and can be accessed through an HTML link in Internet Explorer.

Microsoft said that an attacker could access the component by convincing the user to click on a link to a page containing a malicious script which targets the MHTML component.

Once exploited, the vulnerability would allow an attacker to have access to the user's browser, potentially allowing an attacker to harvest user information or perform cross-site scripting and spoofing attacks.

The company said that it was working on a fix for the flaw, though no possible release date has been given.

Users and administrators looking to mitigate the vulnerability are being advised by Microsoft to limit access to the MHTML component.

"We expect that in most environments this will have limited impact," the company said of the workaround in a blog posting.

"While MHTML is an important component of Windows, it is rarely used via mhtml: hyperlinks."

The company is also offering security suggestions for service providers on its Security Research and Defense blog.


Microsoft warns of Windows vulnerability that impacts all supported editions

Microsoft has warned of a vulnerability found across the range of desktop and server Windows offerings that could potentially allow an attacker to run malicious scripts through a web page.

The vulnerability, which was first reported on Friday by the Redmond-based software giant, impacts all "supported" editions of Windows, including Windows XP, Windows Vista, Windows 7 and Windows Server 2003 and 2008.

Microsoft says the exploit is a result of a bug in Windows' MHTML handler, which the software giant says interprets MIME-formatted requests in a way in which attackers could be able to take advantage of the tool.

"The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible for this vulnerability to allow an attacker to run script in the wrong security context," Microsoft said.

"The vulnerability could allow an attacker to cause a victim to run malicious scripts when visiting various Web sites, resulting in information disclosure. This impact is similar to server-side cross-site scripting (XSS) vulnerabilities."

At this stage it's understood the vulnerability has not yet been exploited by malicious parties, despite a number of sites publishing information about the problem.

"Microsoft is aware of published information and proof-of-concept code that attempts to exploit this vulnerability," the company warns, explaining that "at this time, Microsoft has not seen any indications of active exploitation of the vulnerability."

A patch is being prepared by Microsoft, but in the meantime the company is encouraging those who feel worried about the vulnerability to download the FixIt steps provided here. The FixIt download also includes a proof-of-concept tool which allows users to test whether the fix has worked or if they are still open to the exploit.
