Windows hit by zero-day MHTML flaw

Posted on Monday, January 31 2011 @ 18:04 CET by Thomas De Maesschalck
Microsoft issued a warning for a newly discovered security vulnerability which affects the MHTML component of Internet Explorer. The flaw could be abused to inject code to be run in the same security context as Internet Explorer. All versions of Windows, including Windows 7, are affected. The vulnerability is not thought to be under active exploitation, but sample attack code was recently published in a Chinese-language security magazine.
According to Microsoft's recently published Security Advisory, the vulnerability exists due to the manner in which MHTML interprets certain MIME-format requests for portions of a document. By modifying the requests in a certain way, an attacker can inject code to be run on the client's system in the same security context as Internet Explorer.

The company warns that the flaw can be used to spoof website content, disclose information from the victim's computer and interact with websites without user input.
Microsoft has not yet decided whether an update will be provided through the monthly release process or as an out-of-cycle update. Temporary fixes are described at Microsoft's website.

Source: Bit Tech

