Attacks Use IE to Exploit Windows MHTML Flaw

New attacks are being reported using Internet Explorer to exploit a Windows vulnerability that was originally disclosed in January, but has not yet been patched. There is still no patch imminent, but there is a tool available from Microsoft to address the issue and protect your PC.

The actual flaw is with the MHTML protocol handler in Windows–not in Internet Explorer itself–and affects all versions of the Windows operating system. However, Internet Explorer is the only known attack vector for exploiting the vulnerability.

Attacks exploiting this flaw are similar to cross-site scripting attacks and enable the attacker to intercept and collect user information, spoof the content that is displayed to the browser, or interfere with the user’s browsing experience in other ways. It is also possible that the attacker may be able to run malicious scripts within the context of the IE session.

At the time that the vulnerability was initially disclosed in January, it was thought that it posed little threat. Andrew Storms, director of security operations for nCircle, stated at the time, “At first glance today’s advisory looks grim because it affects every supported Windows platform. However, even though the proof of concept code is public, carrying out an attack using this complicated cross site scripting-like bug will not be easy.”

It may not have been easy, but it also wasn’t impossible. Fast forward six weeks and those attacks are now being seen in the wild. Today, Storms commented, “Nobody should be surprised by this development; it was just a matter of time before this vulnerability became more widely used. It seems likely Microsoft will be updating this advisory again as they gain more intelligence on what is happening in the wild,” adding, “The good news is Microsoft has mitigation available. The Fixit tool is easy to apply and definitely reduces the risk.”

Jerry Bryant, group manager of response communications for Microsoft’s Trustworthy Computing, echoed that sentiment. “Users who have installed the Fixit to apply Microsoft’s recommended workaround are not at risk. When Microsoft is done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process or an out-of-band update to help customers protect themselves.”

It is worth noting, however, that the number of attacks seen in the wild thus far is still relatively small. The attacks seem to be more targeted, possibly politically-motivated according to a post on the Google Online Security Blog.

Remember, though, all supported versions of Windows are impacted, and all versions of Internet Explorer can be used as an attack vector. You could prevent exploitation of the MHTML flaw by switching to another browser like Firefox or Chrome. If you are going to continue using Internet Explorer, it is recommended that you run Microsoft’s FixIt tool to protect your PCs.