Fix-it for MHTML Script Injection Vulnerability Could Allow Information Disclosure (KB2501696)

Microsoft today released "Security Advisory 2501696," which describes a publicly disclosed scripting vulnerability affecting all versions of Microsoft Windows. "We're aware of published info and proof-of-concept code that attempts to exploit this vuln, but we haven't seen any indications of active exploitation," said MSRC."The vul lies in the MHTML (MIME Encapsulation of Aggregate HTML) protocol […]

Microsoft today released "Security Advisory 2501696," which describes a publicly disclosed scripting vulnerability affecting all versions of Microsoft Windows. "We're aware of published info and proof-of-concept code that attempts to exploit this vuln, but we haven't seen any indications of active exploitation," said MSRC.

"The vul lies in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler. The impact of an attack on the vul would be similar to that of server-side cross-site-scripting (XSS) vuls. For instance, an attacker could construct an HTML link designed to trigger malicious script and somehow convince the targeted user to click it. When user clicks, the malicious script would run on user's computer for the rest of the current Internet Explorer session. Such a script might collect user info (eg., email), spoof content displayed in the browser, or otherwise interfere with the user's experience," explains Microsoft.

The recommended workaround is to apply locks down to MHTML protocol and effectively addresses the issue on the client system where it exists. Or, use the Microsoft Fix-it to automate installation.

Microsoft Fix-It

MHTML response after applying Fix-it

Refrence: SA 2501696 | KB2501696

[tags]mhtml,proof-of-concept,fix-it,xss,cross-site-scripting[/tags]

[Source: 1, 2]