Microsoft warns of new Windows zero-day bug
Only Internet Explorer users at risk; other browsers can't be exploited, say researchers
Computerworld - Microsoft today warned Windows users of a new unpatched vulnerability that attackers could exploit to steal information and dupe people into installing malware.
In a security advisory issued Friday, Microsoft acknowledged that a bug in Windows' MHTML (MIME HTML) protocol handler can be used by attackers to run malicious scripts within Internet Explorer (IE).
"The best way to think of this is to call it a variant of a cross-site scripting vulnerability," said Andrew Storms, director of security operations at nCircle Security.
Cross-site scripting bugs, often shortened to XSS, can be used to insert malicious script into a Web page that can then take control of the session.
"An attacker could pretend to be the user, and act if as he was you on that specific site," said Storms. "If you were at Gmail.com or Hotmail.com, he could send e-mail as you."
Microsoft elaborated on the threat.
"Such a script might collect user information, for example e-mail, spoof content displayed in the browser or otherwise interfere with the user's experience," said Angela Gunn, a Microsoft security spokeswoman, in a post to the Microsoft Security Response Center (MSRC) blog.
The vulnerability went public last week when the Chinese Web site WooYun.org published proof-of-concept code.
MHTML is a Web page protocol that combines resources of several different formats -- images, Java applets, Flash animations and the like -- into a single file. Only Microsoft's IE and Opera Software's Opera support MHTML natively: Google's Chrome and Apple's Safari do not, and while Mozilla's Firefox can, it requires an add-on to read and write MHTML files.
Wolfgang Kandek, the chief technology officer at Qualys, pointed out that IE users are most at risk.
"While the vulnerability is located in a Windows component, Internet Explorer is the only known attacker vector," said Kandek in an e-mail message. "Firefox and Chrome are not affected in their default configuration, as they do not support MHTML without the installation of specific add-on modules."
All supported versions of Windows, including Windows XP, Vista and Windows 7, contain the flawed protocol handler, one reason why Storms believes it will take Microsoft time to come up with a patch.
"If this was only in IE, I could see them getting a patch out by Feb. 8," he said, referring to Microsoft's next regularly-scheduled day for releasing fixes. "But this is rooted in Windows, and Microsoft won't take any chances."
In lieu of a patch, Microsoft recommended that users lock down the MHTML protocol handler by running a "Fixit" tool it's made available. The tool automates the process of editing the Windows registry, which if done carelessly could cripple a PC, and lets IE users continue to run MHTML files that include scripting by clicking through a warning.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts