Microsoft Security Alert - MHTML Handler Vulnerability
Date: 28 January 2011
The purpose of this Alert is to raise awareness of a vulnerability in the MHTML protocol handler affecting all currently supported versions of Windows through Internet Explorer.
Microsoft is investigating reports of a new vulnerability in the MHTML protocol handler present in all supported editions of Microsoft Windows. The issue resides in the way the MHTML handler interprets MIME-formatted requests for content blocks within a document. Although all versions of Windows are vulnerable, Internet Explorer is the attack vector. Attackers can exploit this vulnerability by convincing the victim to click on a specially crafted link pointing to an HTML document. Successful exploitation could inject a client-side script in the user's Internet Explorer browser, which may lead to disclosure of sensitive information, content spoofing, or actions taken on the affected Web site on behalf of the targeted user.
Microsoft is currently working towards an official patch and has provided mitigation suggestions to help protect against this threat in an advisory referenced below. At this time, CCIRC is not aware of active exploitation of this vulnerability, but proof-of-concept code is available.
CCIRC recommends users and administrators review Microsoft Security Advisory 2501696 and consider implementing the suggested workarounds to help mitigate the risks until a patch is available.
These mitigations and workarounds include:
- Enable the MHTML protocol lockdown
- Set Internet and Local intranet security zone settings to "High" to block ActiveX Controls and Active Scripting in these zones
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zones
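The following read-only PowerShell audit is an added example, not part of the CCIRC or Microsoft advisory. It reports whether the second and third workarounds are in place on a host. The registry locations and the values `1400` (Active Scripting) and `CurrentLevel` (zone template) are the standard Internet Explorer zone settings and do not appear in the advisory. The hive precedence used is an assumption.

```powershell
# Added example: audit Active Scripting and zone level for the two zones
# named in the workarounds. Reads the registry only; changes nothing.
# Zone 1 = Local intranet, zone 3 = Internet.
# Value 1400 (Active Scripting): 0 = Enable, 1 = Prompt, 3 = Disable.
# Value CurrentLevel: 0x12000 is the "High" template.
$zones     = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$scripting = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$suffix    = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

# Assumption: the first hive that defines a value is the effective one
# (machine policy, user policy, user preference, machine default).
$hives = @(
    "HKLM:\SOFTWARE\Policies\$suffix",
    "HKCU:\Software\Policies\$suffix",
    "HKCU:\Software\$suffix",
    "HKLM:\SOFTWARE\$suffix"
)

function Get-ZoneValue {
    param([int]$Zone, [string]$Name)
    foreach ($hive in $hives) {
        $item = Get-ItemProperty -Path "$hive\$Zone" -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Source = $hive; Value = [int]$item.$Name }
        }
    }
}

$report = foreach ($zone in ($zones.Keys | Sort-Object)) {
    $active = Get-ZoneValue -Zone $zone -Name '1400'
    $level  = Get-ZoneValue -Zone $zone -Name 'CurrentLevel'
    [pscustomobject]@{
        Zone            = $zones[$zone]
        ActiveScripting = if ($active) { $scripting[$active.Value] } else { 'not set' }
        ZoneIsHigh      = [bool]($level -and $level.Value -eq 0x12000)
        # Workaround satisfied when scripting prompts (1) or is disabled (3).
        Mitigated       = [bool]($active -and $active.Value -in 1, 3)
        ReadFrom        = if ($active) { $active.Source } else { '' }
    }
}
$report | Format-Table -AutoSize
```

A row with `Mitigated` set to `False` identifies a zone where Active Scripting still runs without a prompt for the user whose hive was read.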
CCIRC has not tested the effects of these mitigations on an enterprise-level system. Administrators are therefore advised to review their existing security posture to determine if the above mitigations are viable within their environment. Once an official patch is released for this vulnerability, CCIRC will release a follow-on advisory.
Additional technical information may be found here: http://blogs.technet.com/b/srd/archive/2011/01/28/more-information-about-the-mhtml-script-injection-vulnerability.aspx
Any federal departments suspecting they have incidents related to this activity are requested to provide a written incident report to the Government Operations Centre, as per the GC IT IMP.
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) operates within Public Safety Canada, and works with partners inside and outside Canada to mitigate cyber threats to vital networks outside the federal government. These include systems that keep Canada's critical infrastructure functioning properly, such as the electrical grid and financial networks, or contain valuable commercial information that underpins our economic prosperity. CCIRC supports the owners and operators of systems of national importance, including critical infrastructure, and is responsible for coordinating the national response to any serious cyber security incident.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118