Microsoft releases advisory for Windows scripting bug


Microsoft on Friday warned of a new scripting vulnerability affecting all supported versions of Windows.

The vulnerability, similar to a cross-site scripting bug, is present in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler, which applications use to render certain types of documents, Angela Gunn, senior marketing communications manager for Microsoft Trustworthy Computing, wrote in a company blog post.

Users could be exposed simply by visiting a website that forces their browser to run a malicious script.

"It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a web request run in the context of the victim's Internet Explorer [browser]," according to the advisory. "The script could spoof content, disclose information, or take any action that the user could take on the affected website on behalf of the targeted user."

Gunn said Microsoft is aware of a publicly available proof-of-concept exploit, but does not know of any active attacks.

In lieu of a patch, users are encouraged to lock down the MHTML protocol or switch certain security zone settings to "high" to block ActiveX controls and Active Scripting, according to the advisory, which details the steps. Microsoft also has released a Fix-It solution to automate the mitigation.
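As an added example (not from the article, Microsoft's advisory, or the Fix-It), the following PowerShell audit reports whether the two workarounds described above are present on a host. The registry paths and value meanings are assumptions drawn from Internet Explorer's zone and feature-control layout rather than from the article, so confirm them against the advisory before relying on the result.

```powershell
# Added audit script: checks for the two workarounds the advisory offers,
#   1. Internet zone (zone 3) set to "High", which disables ActiveX controls
#      and Active Scripting, and
#   2. the MHTML protocol locked down via IE's protocol-lockdown feature control.
# Assumption: these registry locations follow IE's documented zone and
# feature-control layout; they are not quoted from the article.

$zonesPath      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$lockdownPath   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN'
$restrictedBase = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols'

function Get-RegValue($path, $name) {
    # Returns $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $path -Name $name -ErrorAction Stop).$name }
    catch { $null }
}

function Test-InternetZoneHigh {
    # CurrentLevel 0x12000 is the "High" template. Value 1200 governs
    # "Run ActiveX controls and plug-ins", 1400 governs "Active scripting";
    # 3 means Disable.
    $level     = Get-RegValue $zonesPath 'CurrentLevel'
    $activeX   = Get-RegValue $zonesPath '1200'
    $scripting = Get-RegValue $zonesPath '1400'
    [pscustomobject]@{
        ZoneIsHigh              = ($level -eq 0x12000)
        ActiveXDisabled         = ($activeX -eq 3)
        ActiveScriptingDisabled = ($scripting -eq 3)
    }
}

function Test-MhtmlLockdown {
    # Protocol lockdown must be enabled for iexplore.exe and "mhtml" listed
    # under RestrictedProtocols for every zone (0 through 4).
    $enabled = (Get-RegValue $lockdownPath 'iexplore.exe') -eq 1
    $perZone = 0..4 | ForEach-Object {
        $null -ne (Get-RegValue (Join-Path $restrictedBase "$_") 'mhtml')
    }
    [pscustomobject]@{
        FeatureEnabled            = $enabled
        MhtmlRestrictedInAllZones = ($perZone -notcontains $false)
    }
}

$zone  = Test-InternetZoneHigh
$mhtml = Test-MhtmlLockdown
$zone  | Format-List
$mhtml | Format-List
if ($zone.ZoneIsHigh -or ($mhtml.FeatureEnabled -and $mhtml.MhtmlRestrictedInAllZones)) {
    'At least one advisory workaround is in place.'
} else {
    'No advisory workaround detected on this host.'
}
```

The zone check reads the current user's settings; a zone level pushed by Group Policy lives under HKLM instead, so extend the path list if your environment manages zones centrally.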

A post on Microsoft's Security Research & Defense blog provides additional information about the flaw.

Experts, though, doubt they will see widespread exploitation.

"At first glance today's advisory looks grim because it affects every supported Windows platform," Andrew Storms, director of security operations at vulnerability management firm nCircle, said in a statement. "However, even though the proof-of-concept code is public, carrying out an attack using this complicated cross-site scripting-like bug will not be easy."
