News Stay informed about the latest enterprise technology news and product updates.

Attack code surfaces for new Windows MHTML zero-day vulnerability

Proof-of-concept code has surfaced enabling attackers to target the vulnerability. All versions of Windows are vulnerable.

Microsoft is warning of a serious Windows zero-day vulnerability that could be exploited if a victim clicks on a malicious link in a website, enabling an attacker to spoof content or steal data.

While the vulnerability is located in a Windows component Internet Explorer is the only known attacker vector. Firefox and Chrome are not affected in their default configuration.

Wolfgang Kandek
CTOQualys Inc.

The MHTML protocol handler vulnerability affects all versions of Windows, Microsoft said in an advisory issued today. Proof-of-concept code surfaced recently, enabling attackers to target the vulnerability, though Microsoft said it has not yet detected any ongoing attacks.

Microsoft said a victim can be infected by clicking on a malicious link on a website that leads to a HTML document. The technique injects malicious JavaScript onto the victim's browser, giving the attacker the ability to "spoof content, disclose information, or take any action that the user could take on the affected website on behalf of the targeted user."

The vulnerability "gives the attacker a way to access information stored in the browser and a mechanism to trick users into installing unwanted code through social engineering," wrote Wolfgang Kandek, chief technology officer of vulnerability management vendor Qualys Inc., on the company's blog. "While the vulnerability is located in a Windows component, Internet Explorer is the only known attacker vector. Firefox and Chrome are not affected in their default configuration, as they do not support MHTML without the installation of specific add-on modules."

"This impact is similar to server-side cross-site scripting (XSS) vulnerabilities. Microsoft is aware of published information and proof-of-concept code that attempts to exploit this vulnerability. At this time, Microsoft has not seen any indications of active exploitation of the vulnerability," the company said in the advisory.

The software giant issued a temporary fixit workaround while engineers work on a patch for the issue, which locks down the MHTML protocol. Microsoft said it is working with service providers to investigate server-side workarounds. The company did not rule out an out-of-cycle security update to address the flaw.

According to Kevin Brown, an software engineer with the Microsoft Security Response Center, the only side effect encountered by implementing the workaround "is script execution and ActiveX being disabled within MHT documents." MHT documents are used in Internet Explorer to archive webpages.

Dig Deeper on Microsoft Windows security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.