Microsoft releases advisory for Windows scripting bug

Share this article:

Microsoft on Friday warned of a new scripting vulnerability affecting all supported versions of Windows.

The vulnerability, similar to a cross-site scripting bug, is present in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler, used by applications to render certain types of documents, Angela Gunn, senior marketing communications manager for Microsoft Trustworthy Computing, wrote on a company blog post.

Unsuspecting internet users could be exploited if they visit a website that forces them to run malicious scripts.

"It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a web request run in the context of the victim's Internet Explorer [browser]," according to the advisory. "The script could spoof content, disclose information, or take any action that the user could take on the affected website on behalf of the targeted user."

Gunn said Microsoft is aware of a publicly available proof-of-concept exploit, but does not know of any active attacks.

In lieu of a patch, users are encouraged to lock down the MHTML protocol or switch certain security zone settings to "high" to block ActiveX controls and Active Scripting, according to the advisory, which details the steps. Microsoft also has released a Fix-It solution to automate the mitigation.

A post on Microsoft's Security Research & Defense blog provides additional information about the flaw.

Experts, though, doubt they will see widespread exploitation.

"At first glance today's advisory looks grim because it affects every supported Windows platform," Andrew Storms, director of security operations at vulnerability management firm nCircle, said in a statement. "However, even though the proof-of-concept code is public, carrying out an attack using this complicated cross-site scripting-like bug will not be easy."

Share this article:

Sign up to our newsletters

More in News

Firefox 32 feature could cut undetected malware downloads 'in half'

Mozilla plans to introduce a feature in Firefox 32 that, based on preliminary testing, could cut the amount of undetected malware downloads in half.

EFF asks court to find NSA internet spying a violation of Fourth Amendment

EFF asks court to find NSA internet spying ...

Complete with a colorful graphic, the EFF showed a federal court how the NSA essentially runs a digital dragnet that can pick up innocent Americans.

Study: Asian Android users at higher risk of malware exposure

Cheetah Mobile's new study showed that Asian Android users have a two to three times greater risk of downloading malware onto their devices.