Microsoft today warned Windows users of a new unpatched vulnerability that attackers could exploit to steal information and dupe people into installing malware.
In a security advisory issued Friday, Microsoft acknowledged that a bug in Windows' MHTML (MIME HTML) protocol handler can be used by attackers to run malicious scripts within Internet Explorer (IE).
"The best way to think of this is to call it a variant of a cross-site scripting vulnerability," said Andrew Storms, director of security operations at nCircle Security.
Cross-site scripting bugs, often shortened to XSS, can be used to insert malicious script into a Web page that can then take control of the session.
"An attacker could pretend to be the user, and act if as he was you on that specific site," said Storms. "If you were at Gmail.com or Hotmail.com, he could send e-mail as you."
Microsoft elaborated on the threat.
"Such a script might collect user information, for example e-mail, spoof content displayed in the browser or otherwise interfere with the user's experience," said Angela Gunn, a Microsoft security spokeswoman, in a post to the Microsoft Security Response Center (MSRC) blog.
The vulnerability went public last week when the Chinese Web site WooYun.org published proof-of-concept code.
MHTML is a Web page protocol that combines resources of several different formats -- images, Java applets, Flash animations and the like -- into a single file. Only Microsoft's IE and Opera Software's Opera support MHTML natively: Google's Chrome and Apple's Safari do not, and while Mozilla's Firefox can, it requires an add-on to read and write MHTML files.
Wolfgang Kandek, the chief technology officer at Qualys, pointed out that IE users are most at risk.
"While the vulnerability is located in a Windows component, Internet Explorer is the only known attacker vector," said Kandek in an e-mail message. "Firefox and Chrome are not affected in their default configuration, as they do not support MHTML without the installation of specific add-on modules."
All supported versions of Windows, including Windows XP, Vista and Windows 7, contain the flawed protocol handler, one reason why Storms believes it will take Microsoft time to come up with a patch.
"If this was only in IE, I could see them getting a patch out by Feb. 8," he said, referring to Microsoft's next regularly-scheduled day for releasing fixes. "But this is rooted in Windows, and Microsoft won't take any chances."
In lieu of a patch, Microsoft recommended that users lock down the MHTML protocol handler by running a "Fixit" tool it's made available. The tool automates the process of editing the Windows registry, which if done carelessly could cripple a PC, and lets IE users continue to run MHTML files that include scripting by clicking through a warning.
The Fixit tool can be accessed from Microsoft's support site.
Microsoft has had to deal with protocol handler vulnerabilities before, notably in 2007 when Microsoft and Mozilla argued over patching responsibility for similar bugs.
Today's confirmation of another Windows vulnerability adds to an already-long list of not-fixed flaws that Microsoft has acknowledged but not yet addressed. According to Microsoft's tally, there are five outstanding vulnerabilities that require its attention.
One of the five was also disclosed by the same Chinese site that revealed the vulnerability discussed Friday. Microsoft first acknowledged the earlier WooYun.org-revealed bug on Dec. 22, several weeks after French security firm Vupen had issued a bare-bones advisory that said all versions of IE were at risk.
Microsoft has admitted that criminals are already exploiting the December IE vulnerability, and earlier this month shipped a first-of-its-kind workaround for the bug.
Today Microsoft said it has seen no similar activity on the MHTML vulnerability.
"We are working on a security update to address this vulnerability and we are monitoring the threat landscape very closely," said Gunn of Friday's flaw.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is firstname.lastname@example.org.