Microsoft releases advisory for Windows scripting bug

Share this article:

Microsoft on Friday warned of a new scripting vulnerability affecting all supported versions of Windows.

The vulnerability, similar to a cross-site scripting bug, is present in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler, used by applications to render certain types of documents, Angela Gunn, senior marketing communications manager for Microsoft Trustworthy Computing, wrote on a company blog post.

Unsuspecting internet users could be exploited if they visit a website that forces them to run malicious scripts.

"It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a web request run in the context of the victim's Internet Explorer [browser]," according to the advisory. "The script could spoof content, disclose information, or take any action that the user could take on the affected website on behalf of the targeted user."

Gunn said Microsoft is aware of a publicly available proof-of-concept exploit, but does not know of any active attacks.

In lieu of a patch, users are encouraged to lock down the MHTML protocol or switch certain security zone settings to "high" to block ActiveX controls and Active Scripting, according to the advisory, which details the steps. Microsoft also has released a Fix-It solution to automate the mitigation.

A post on Microsoft's Security Research & Defense blog provides additional information about the flaw.

Experts, though, doubt they will see widespread exploitation.

"At first glance today's advisory looks grim because it affects every supported Windows platform," Andrew Storms, director of security operations at vulnerability management firm nCircle, said in a statement. "However, even though the proof-of-concept code is public, carrying out an attack using this complicated cross-site scripting-like bug will not be easy."


Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS

More in News

Hackers grab email addresses of CurrentC pilot participants

Hackers grab email addresses of CurrentC pilot participants

Although the hack didn't breach the mobile payment app itself, consumer confidence may be shaken.

Operators disable firewall features to increase network performance, survey finds

Operators disable firewall features to increase network performance, ...

McAfee found that 60 percent of 504 surveyed IT professionals prioritize security as the primary driver of network design.

PCI publishes guidance on security awareness programs

PCI publishes guidance on security awareness programs

The guidance, developed by a PCI Special Interest Group, will help merchants educate staff on protecting cardholder data.