Microsoft releases advisory for Windows scripting bug

Microsoft on Friday warned of a new scripting vulnerability affecting all supported versions of Windows.

The vulnerability, similar to a cross-site scripting bug, is present in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler, which applications use to render certain types of documents, Angela Gunn, senior marketing communications manager for Microsoft Trustworthy Computing, wrote in a company blog post.

Unsuspecting internet users could be attacked if they visit a website that causes their browser to run malicious scripts.

"It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a web request run in the context of the victim's Internet Explorer [browser]," according to the advisory. "The script could spoof content, disclose information, or take any action that the user could take on the affected website on behalf of the targeted user."

Gunn said Microsoft is aware of a publicly available proof-of-concept exploit, but does not know of any active attacks.

In lieu of a patch, users are encouraged to lock down the MHTML protocol or switch certain security zone settings to "high" to block ActiveX controls and Active Scripting, according to the advisory, which details the steps. Microsoft also has released a Fix-It solution to automate the mitigation.

A post on Microsoft's Security Research & Defense blog provides additional information about the flaw.

Experts, though, doubt they will see widespread exploitation.

"At first glance today's advisory looks grim because it affects every supported Windows platform," Andrew Storms, director of security operations at vulnerability management firm nCircle, said in a statement. "However, even though the proof-of-concept code is public, carrying out an attack using this complicated cross-site scripting-like bug will not be easy."
