According to Microsoft's recently published Security Advisory, the vulnerability exists due to the manner in which MHTML interprets certain MIME-format requests for portions of a document. By modifying the requests in a certain way, an attacker can inject code to be run on the client's system in the same security context as Internet Explorer.
Microsoft has not yet decided whether an update will be provided through the monthly release process or as an out-of-cycle update. Temporary fixes are described at Microsoft's website.
The company warns that the flaw can be used to spoof website content, disclose information from the victim's computer, and interact with websites without user input.
Source: Bit Tech