The bug, disclosed in January, is present in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler, used by applications to render certain types of documents. It is similar to a cross-site scripting issue.
Unsuspecting Internet Explorer users could become victims if they are tricked into visiting a specially crafted website that forces them to run malicious scripts, Microsoft said in its advisory, which was updated Friday to reflect the discovery of in-the-wild attacks.
"It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a web request run in the context of the victim's Internet Explorer [browser]," according to the advisory. "The script could spoof content, disclose information or take any action that the user could take on the affected website on behalf of the targeted user."
Google said Friday that some of its user base have been victims.
“We've noticed some highly targeted and apparently politically motivated attacks against our users,” members of the Google Security Team wrote in a blog post. “We believe activists may have been a specific target. We've also seen attacks against users of another popular social site.”
Google did not disclose the affected site.
Microsoft last week issued its monthly Patch Tuesday updates for March but failed to close the Windows MHTML issue.
In lieu of a patch, users are encouraged to lock down the MHTML protocol or switch certain security zone settings to "high" to block ActiveX controls and Active Scripting, according to Microsoft's advisory, which details the steps. Microsoft also has released a Fix-It solution to automate the mitigation.
Google, meanwhile, said it has deployed various server-side defenses to make the flaw harder to exploit, but reminded users that these solutions may not be reliable. The search giant said it is working with Microsoft to develop a permanent fix but recommended users deploy the Fix-It solution in the meantime.
