Windows Vulnerable to Zero-Day XSS Attacks

Microsoft today released security advisory 2501696, titled "Vulnerability in MHTML Could Allow Information Disclosure." The advisory addresses a flaw in the MHTML protocol handler that opens all versions of Windows to potential cross-site scripting (XSS) attacks.

The Microsoft Security Response Center (MSRC) blog explains in more detail how an attack might work once a user receives a malicious link targeting this vulnerability. "When the user clicked that link, the malicious script would run on the user's computer for the rest of the current Internet Explorer session. Such a script might collect user information (e.g., e-mail), spoof content displayed in the browser, or otherwise interfere with the user's experience."

Wolfgang Kandek, CTO of Qualys, describes the issue in more detail on his blog. "The XSS attack can be used to run JavaScript code on the user's Internet Explorer instance, which gives the attacker a way to get at information stored in the browser and a mechanism to trick users into installing unwanted code through social engineering."

Jim Walter, manager of the McAfee Threat Intelligence Service for McAfee Labs, does not believe this is a serious threat--at least not imminently. "The scope and impact is relatively limited compared to other recent zero-day vulnerabilities. Based on the information that is currently available, we are aware that successful exploitation could lead to the running of arbitrary scripts (in the context of the client's IE session), as well as the disclosure of sensitive information."

Andrew Storms, director of security operations for nCircle, e-mailed the following comments. "At first glance today's advisory looks grim because it affects every supported Windows platform. However, even though the proof of concept code is public, carrying out an attack using this complicated cross site scripting-like bug will not be easy," adding, "Because of this, attacks are probably not imminent but users should still follow the mitigation advice in the advisory."

The MSRC blog suggests following the mitigation advice in the security advisory. "The workaround we are recommending customers apply locks down the MHTML protocol and effectively addresses the issue on the client system where it exists."

Kandek provides some incentive for using a browser other than Internet Explorer. "While the vulnerability is located in a Windows component, Internet Explorer is the only known attacker vector. Firefox and Chrome are not affected in their default configuration, as they do not support MHTML without the installation of specific add-on modules."
