We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Internet Explorer users at risk from new zero-day

Microsoft warns of unpatched Windows bug

Microsoft has warned Windows users of a new unpatched vulnerability that attackers could exploit to steal information and dupe people into installing malware.

In a security advisory issued on Friday, Microsoft acknowledged that a bug in Windows' MHTML (MIME HTML) protocol handler can be used by attackers to run malicious scripts within Internet Explorer (IE).

"The best way to think of this is to call it a variant of a cross-side scripting vulnerability," said Andrew Storms, director of security operations at nCircle Security.

Cross-site scripting bugs, often shortened to XSS, can be used to insert malicious script into a web page that can then take control of the session.

"An attacker could pretend to be the user, and act if as he was you on that specific site," said Storms. "If you were at Gmail.com or Hotmail.com, he could send email as you."

Microsoft elaborated on the threat.

"Such a script might collect user information, for example email, spoof content displayed in the browser or otherwise interfere with the user's experience," said Angela Gunn, a Microsoft security spokeswoman, in a post to the Microsoft Security Response Center (MSRC) blog.

The vulnerability went public last week when the Chinese website WooYun.org published proof-of-concept code.

MHTML is a web page protocol that combines resources of several different formats - images, Java applets, Flash animations and the like -- into a single file. Only Microsoft's IE and Opera Software's Opera support MHTML natively: Google's Chrome and Apple's Safari do not, and while Mozilla's Firefox can, it requires an add-on to read and write MHTML files.

Wolfgang Kandek, the chief technology officer at Qualys, pointed out that IE users are most at risk.

"While the vulnerability is located in a Windows component, Internet Explorer is the only known attacker vector," said Kandek. "Firefox and Chrome are not affected in their default configuration, as they do not support MHTML without the installation of specific add-on modules."

All supported versions of Windows, including Windows XP, Vista and Windows 7, contain the flawed protocol handler, one reason why Storms believes it will take Microsoft time to come up with a patch.

"If this was only in IE, I could see them getting a patch out by Feb. 8," he said, referring to Microsoft's next regularly-scheduled day for releasing fixes. "But this is rooted in Windows, and Microsoft won't take any chances."

In lieu of a patch, Microsoft recommended that users lock down the MHTML protocol handler by running a "Fixit" tool it's made available. The tool automates the process of editing the Windows registry, which if done carelessly could cripple a PC, and lets IE users continue to run MHTML files that include scripting by clicking through a warning.

The Fixit tool can be accessed from Microsoft's support site .

Microsoft has had to deal with protocol handler vulnerabilities before, notably in 2007 when Microsoft and Mozilla argued over patching responsibility for similar bugs.

Today's confirmation of another Windows vulnerability adds to an already-long list of not-fixed flaws that Microsoft has acknowledged but not yet addressed. According to Microsoft's tally , there are five outstanding vulnerabilities that require its attention.

One of the five was also disclosed by the same Chinese site that revealed the vulnerability discussed Friday. Microsoft first acknowledged the earlier WooYun.org-revealed bug on Dec. 22, several weeks after French security firm Vupen had issued a bare-bones advisory that said all versions of IE were at risk.

Microsoft has admitted that criminals are already exploiting the December IE vulnerability, and earlier this month shipped a first-of-its-kind workaround for the bug.

Today Microsoft said it has seen no similar activity on the MHTML vulnerability.

"We are working on a security update to address this vulnerability and we are monitoring the threat landscape very closely," said Gunn of Friday's flaw.

IDG UK Sites

Best Black Friday 2014 tech deals UK: Latest bargains on phones, tablets, laptops and more this...

IDG UK Sites

Tech trends 2015: 3D printing grows up

IDG UK Sites

10 mind-blowing Oculus Rift experiments that reveal VR's practical potential

IDG UK Sites

Black Friday 2014 UK: Apple deals, Amazon deals & other Black Friday tech offers