Windows vulnerability that impacts all supported editions



ArtemisFowlXX
January 31st, 2011, 01:13 AM
Microsoft has warned of a vulnerability found across the range of desktop and server Windows offerings that could potentially allow an attacker to run malicious scripts through a web page.

The vulnerability, which was first reported on Friday by the Redmond-based software giant, impacts all "supported" editions of Windows, including Windows XP, Windows Vista, Windows 7 and Windows Server 2003 and 2008.

Microsoft says the exploit is a result of a bug in Windows' MHTML handler, which the software giant says interprets MIME-formatted requests in a way in which attackers could be able to take advantage of the tool.

"The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible for this vulnerability to allow an attacker to run script in the wrong security context," Microsoft said.

"The vulnerability could allow an attacker to cause a victim to run malicious scripts when visiting various Web sites, resulting in information disclosure. This impact is similar to server-side cross-site scripting (XSS) vulnerabilities."

At this stage it's understood the vulnerability has not yet been exploited by malicious parties, despite a number of sites publishing information about the problem.

"Microsoft is aware of published information and proof-of-concept code that attempts to exploit this vulnerability," the company warns, explaining that "at this time, Microsoft has not seen any indications of active exploitation of the vulnerability."

A patch is being prepared by Microsoft, but in the meantime the company is encouraging those who feel worried about the vulnerability to download the FixIt steps provided here*. The FixIt download also includes a proof-of-concept tool which allows users to test whether the fix has worked or if they are still open to the exploit.

* http://go.microsoft.com/?linkid=9760419