MHTML vulnerability hit by targeted attacks
by Steve Ragan - Mar 15 2011, 18:35After there was no patch for the MHTML issue in this month’s security release from Microsoft, attackers are targeting a vulnerability disclosed earlier this year. The attacks have grown in number to such a level that Google has felt the need to comment, urging users to apply the FixIt option from Microsoft while a patch is developed.
In January, Microsoft released a FixIt tool mitigating the MHTML issue, which impacts all supported versions of Windows, aside from Server 2008 installations using the Server Core option. The vulnerability is inside the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler, which itself has been around for a while.
At the time, Microsoft explained that the impact of an attack on the vulnerability would be similar to that of server-side cross-site-scripting (XSS) vulnerabilities. Experts agreed, such as Wolfgang Kandek, the CTO at Qualys, who commented:
“The XSS attack can be used to run JavaScript code on the user's Internet Explorer instance, which gives the attacker a way to get at information stored in the browser and a mechanism to trick users into installing unwanted code through social engineering.”
When it was first announced, Microsoft downplayed the issue, noting that they had not seen any attacks, adding that the best mitigation was to deploy the FixIt option. Other experts agreed with the assessment, and many figured that a patch for the problem would arrive in February’s monthly patch release.
That didn’t happen however, and the issue remained unpatched after March’s security release as well.
Yesterday, Google urged users to deploy the FixIt option after noticing “some highly targeted and apparently politically motivated attacks” against their users and users of another popular social site.
“All these attacks abuse a publicly-disclosed MHTML vulnerability for which an exploit was publicly posted in January 2011. Users browsing with the Internet Explorer browser are affected. For now, we recommend concerned users and corporations seriously consider deploying Microsoft’s temporary Fixit to block this attack until an official patch is available,” Google said.
“The abuse of this vulnerability is also interesting because it represents a new quality in the exploitation of web-level vulnerabilities. To date, similar attacks focused on directly compromising users' systems, as opposed to leveraging vulnerabilities to interact with web services.”
While there is no patch, users can deploy the FixIt solution here.
Comment on this Story