
Attack code surfaces for new Windows MHTML zero-day vulnerability

Robert Westervelt, News Director

Microsoft is warning of a serious Windows zero-day vulnerability that could be exploited if a victim clicks on a malicious link in a website, enabling an attacker to spoof content or steal data.


The MHTML protocol handler vulnerability affects all versions of Windows, Microsoft said in an advisory issued today. Proof-of-concept code surfaced recently, enabling attackers to target the vulnerability, though Microsoft said it has not yet detected any ongoing attacks.

Microsoft said a victim can be infected by clicking on a malicious link on a website that leads to an HTML document. The technique injects malicious JavaScript into the victim's browser, giving the attacker the ability to "spoof content, disclose information, or take any action that the user could take on the affected website on behalf of the targeted user."

The vulnerability "gives the attacker a way to access information stored in the browser and a mechanism to trick users into installing unwanted code through social engineering," wrote Wolfgang Kandek, chief technology officer of vulnerability management vendor Qualys Inc., on the company's blog. "While the vulnerability is located in a Windows component, Internet Explorer is the only known attacker vector. Firefox and Chrome are not affected in their default configuration, as they do not support MHTML without the installation of specific add-on modules."

"This impact is similar to server-side cross-site scripting (XSS) vulnerabilities. Microsoft is aware of published information and proof-of-concept code that attempts to exploit this vulnerability. At this time, Microsoft has not seen any indications of active exploitation of the vulnerability," the company said in the advisory.

The software giant issued a temporary fixit workaround, which locks down the MHTML protocol, while engineers work on a patch for the issue. Microsoft said it is working with service providers to investigate server-side workarounds. The company did not rule out an out-of-cycle security update to address the flaw.

According to Kevin Brown, a software engineer with the Microsoft Security Response Center, the only side effect encountered by implementing the workaround "is script execution and ActiveX being disabled within MHT documents." MHT documents are used in Internet Explorer to archive webpages.