T-546: Microsoft MHTML Input Validation Hole May Permit Cross-Site Scripting Attacks Arbitrary Code

January 31, 2011 - 7:00am

PROBLEM:

Microsoft MHTML Input Validation Hole May Permit Cross-Site Scripting Attacks Arbitrary Code.

PLATFORM:

Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, Windows XP SP3, Windows 7; and prior service packs

ABSTRACT:

A vulnerability was reported in Microsoft MHTML. A remote user can conduct cross-site scripting attacks.

REFERENCE LINKS:

Microsoft Security Advisory 2501696
Microsoft Support
Security Tracker Alert
CVE-2011-0096

IMPACT ASSESSMENT:

Medium

Discussion:

The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. Under certain conditions, this allows an attacker to run script in the wrong security context: a client-side script can be injected into the response of a Web request and run in the context of the victim's Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user.

Microsoft is investigating new public reports of a vulnerability in all supported editions of Microsoft Windows. The vulnerability could allow an attacker to cause a victim to run malicious scripts when visiting various Web sites, resulting in information disclosure. This impact is similar to server-side cross-site scripting (XSS) vulnerabilities. Microsoft is aware of published information and proof-of-concept code that attempts to exploit this vulnerability. At this time, Microsoft has not seen any indications of active exploitation of the vulnerability.

Solution:

Microsoft will take the appropriate action to help protect customers. This may include providing a security update through our monthly release process, or providing an out-of-cycle security update, depending on customer needs.

By default, Internet Explorer on Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.

By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone, which disables script and ActiveX controls, removing the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

In a Web-based attack scenario, a Web site could contain a specially crafted link (MHTML:) that is used to exploit this vulnerability. An attacker would have to convince users to visit the Web site and open a specially crafted URL, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site, and then convincing them to click the specially crafted link.
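Because the attack scenario above hinges on a user following a link whose scheme is MHTML:, a defender can watch for that scheme in proxy logs and in HTML or e-mail bodies while the update is pending. The following is an added example written for this bulletin, not code from Microsoft or SecurityTracker; the proxy log format ("client method url"), the HTML snippet and the host names are constructed for the demonstration. It matches the scheme case-insensitively and tolerates leading whitespace, since browsers strip that before resolving a URL.

```python
"""Flag requests and links that use the mhtml: URL scheme (added example)."""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Scheme syntax per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
# Leading whitespace is allowed because browsers discard it before parsing.
_SCHEME_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9+.\-]*):")

# Constructed sample proxy log lines: "client method url" (hypothetical format).
SAMPLE_LOG = """\
10.0.0.5 GET http://intranet.example/reports/q4.html
10.0.0.7 GET mhtml:http://files.example/archive.html
10.0.0.9 GET MHTML:HTTP://cdn.example/page.html
10.0.0.5 GET https://www.example.com/login
"""

# Constructed sample HTML body, as a mail gateway or content filter might see it.
SAMPLE_HTML = """
<p><a href="https://www.example.com/news">News</a></p>
<p><a href=" MHTML:http://files.example/archive.html">Open archive</a></p>
<img src="mhtml:http://files.example/pic.html">
"""


def url_scheme(url: str) -> Optional[str]:
    """Return the lower-cased scheme of *url*, or None if it has no scheme."""
    m = _SCHEME_RE.match(url)
    return m.group(1).lower() if m else None


def is_mhtml_url(url: str) -> bool:
    """True if the URL uses the mhtml: scheme in any letter case (e.g. 'MHTML:')."""
    return url_scheme(url) == "mhtml"


def flag_mhtml_requests(log_text: str) -> List[Tuple[int, str, str]]:
    """Scan 'client method url' log lines; return (line_no, client, url) for mhtml: hits."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        fields = line.split(maxsplit=2)
        if len(fields) < 3:
            continue  # blank or malformed line: skip rather than crash the scan
        client, _method, url = fields
        if is_mhtml_url(url):
            hits.append((line_no, client, url.strip()))
    return hits


class _LinkCollector(HTMLParser):
    """Collect every href and src attribute value from an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value is not None:
                self.links.append(value)


def find_mhtml_links(html: str) -> List[str]:
    """Return each href/src value in *html* whose scheme is mhtml:, whitespace-trimmed."""
    collector = _LinkCollector()
    collector.feed(html)
    return [u.strip() for u in collector.links if is_mhtml_url(u)]


if __name__ == "__main__":
    for line_no, client, url in flag_mhtml_requests(SAMPLE_LOG):
        print(f"log line {line_no}: {client} requested {url}")
    for url in find_mhtml_links(SAMPLE_HTML):
        print(f"html link uses mhtml: scheme: {url}")
```

The scheme check is deliberately the only signal: it does not try to reproduce the crafted content, only to surface requests and links that reach the MHTML handler at all, which is what the Restricted sites zone and Enhanced Security Configuration mitigations above are also cutting off.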