Microsoft warns of Windows vulnerability that impacts all supported editions

Microsoft has warned of a vulnerability found across its range of desktop and server Windows offerings that could allow an attacker to run malicious scripts through a web page.

The vulnerability, which was first reported on Friday by the Redmond-based software giant, impacts all "supported" editions of Windows, including Windows XP, Windows Vista, Windows 7 and Windows Server 2003 and 2008.

Microsoft says the problem stems from a bug in Windows' MHTML handler, which interprets MIME-formatted requests in a way that attackers could take advantage of.

"The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible for this vulnerability to allow an attacker to run script in the wrong security context," Microsoft said.

"The vulnerability could allow an attacker to cause a victim to run malicious scripts when visiting various Web sites, resulting in information disclosure. This impact is similar to server-side cross-site scripting (XSS) vulnerabilities."
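To make "MIME-formatted requests for content blocks within a document" concrete, here is an added MHTML part inspector written for this article (not Microsoft's code and not the FixIt tool): it walks the MIME parts of a saved .mht document, decodes each one, and flags HTML blocks that carry script or that claim a location on a host other than the root document's. The sample document, its hosts and the flagging heuristic are constructed for the example.

```python
import email
from email import policy
from urllib.parse import urlparse

# Constructed sample .mht: a root page, an image, and a third HTML content
# block attributed to a different host that carries inline script.
SAMPLE_MHTML = b"""\
Subject: Example saved page
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="----=_BOUNDARY"

------=_BOUNDARY
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://news.example/article.html

<html><body><p>Hello</p><img src=3D"logo.png"></body></html>
------=_BOUNDARY
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Location: http://news.example/logo.png

iVBORw0KGgo=
------=_BOUNDARY
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Location: http://other.example/inject.html

<html><body><script>alert(document.cookie)</script></body></html>
------=_BOUNDARY--
"""

SCRIPT_TYPES = ("text/html", "application/xhtml+xml", "text/javascript", "application/javascript")


def inspect_mhtml(raw):
    """Return one dict per MIME leaf part: its Content-Location, content type and flags.

    "foreign-host" marks a block whose location is on a host other than the root
    document's; "contains-script" marks an HTML/script block carrying script.
    Both rules are a heuristic constructed for this example, not a Microsoft check.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/related":
        raise ValueError("not an MHTML (multipart/related) document")
    parts = [p for p in msg.walk() if not p.is_multipart()]
    # MHTML's root document is the first body part unless a 'start=' param says otherwise.
    root_host = urlparse(str(parts[0].get("Content-Location", ""))).hostname
    records = []
    for part in parts:
        location = str(part.get("Content-Location", ""))
        ctype = part.get_content_type()
        flags = []
        host = urlparse(location).hostname
        if host and host != root_host:
            flags.append("foreign-host")
        if ctype in SCRIPT_TYPES:
            body = part.get_content()  # decoded per Content-Transfer-Encoding and charset
            if ctype.endswith("javascript") or "<script" in body.lower():
                flags.append("contains-script")
        records.append({"location": location, "type": ctype, "flags": flags})
    return records
```

Run `inspect_mhtml(SAMPLE_MHTML)` to see the three blocks; only the third, from other.example, is flagged.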

At this stage it's understood the vulnerability has not yet been exploited by malicious parties, despite a number of sites publishing information about the problem.

"Microsoft is aware of published information and proof-of-concept code that attempts to exploit this vulnerability," the company warns, explaining that "at this time, Microsoft has not seen any indications of active exploitation of the vulnerability."

A patch is being prepared by Microsoft, but in the meantime the company is encouraging those who feel worried about the vulnerability to download the FixIt steps provided here. The FixIt download also includes a proof-of-concept tool which allows users to test whether the fix has worked or if they are still open to the exploit.


42 Comments


Too bad it's really an OS level issue, since the newer versions of IE have pretty tight security on their own, I guess IE 9 doesn't fix it.

I don't see why they have to warn us.
There is always someone trying to break and run some code using Windows. Just like the PS3 firmware cracked, and it was Napster, then Kazaa and now Torrents.

As that famous movie says "life will find a way".

Mr Spoon said,
I don't see why they have to warn us.
There is always someone trying to break and run some code using Windows. Just like the PS3 firmware cracked, and it was Napster, then Kazaa and now Torrents.

As that famous movie says "life will find a way".

If they don't mention it all the MS haters will "freak" out about Ms not disclosing it, so it's always a loose/loose situation for them.

z0phi3l said,

If they don't mention it all the MS haters will "freak" out about Ms not disclosing it, so it's always a loose/loose situation for them.

As opposed to a tight/tight situation? Loose change?

L-o-s-e. Why do so many people keep adding an "o" to such a simple word?

ANYWAY, as long as the exploit's one the majority of people won't run across in normal browsing, MS will be able to patch it without much fuss.


When I save a web page, my preferred format is MHT. I either use IE or Opera to save it. If I want to see the contents extracted, I just use extractMHT. But I only save articles, tutorials etc from well known sites...

But isn't IE on Windows supposed to be the most secure browser in the world and pretty much immune to everything? At least, that's what I keep seeing in the browser section by the IE fanboys...
Anyways, on topic, at least they posted a fixit quickly. Hopefully a proper patch is issued soon.

ncc50446 said,
But isn't IE on Windows supposed to be the most secure browser in the world and pretty much immune to everything? At least, that's what I keep seeing in the browser section by the IE fanboys...
Anyways, on topic, at least they posted a fixit quickly. Hopefully a proper patch is issued soon.

It is. In fact I'm pretty sure this particular vulnerability can do absolutely no harm as long as UAC is set to the highest level and IE8/9 is running in Protected Mode on Windows 7.

WindowsFanatic said,

It is. In fact I'm pretty sure this particular vulnerability can do absolutely no harm as long as UAC is set to the highest level and IE8/9 is running in Protected Mode on Windows 7.

And is that turned on by default?

Tim Dawg said,

Post above yours lol

ncc50446 said,

And is that turned on by default?

UAC and Protected Mode are turned on by default. But on Windows 7 the UAC level is set to medium by default, because of those XP Luddites who complained about it in Vista. So, the first thing I do after installing Windows 7 is to set the UAC slider to the highest level.

WindowsFanatic said,

UAC and Protected Mode are turned on by default. But on Windows 7 the UAC level is set to medium by default, because of those XP Luddites who complained about it in Vista. So, the first thing I do after installing Windows 7 is to set the UAC slider to the highest level.

Guess it shows how long since I last used IE lol. However, with the UAC turned down by default, it wouldn't be immune to everything. Some people just complain far too much... First question Microsoft should ask when installing their products: 'How secure do you want to be?' The average IE user doesn't know how to change UAC settings.

WindowsFanatic said,

UAC and Protected Mode are turned on by default. But on Windows 7 the UAC level is set to medium by default, because of those XP Luddites who complained about it in Vista. So, the first thing I do after installing Windows 7 is to set the UAC slider to the highest level.

Well, I was happy to move on from XP to Vista, now to 7. But the first thing I do on new machines which are mine, is disable UAC because it annoys me and slows me down. And for the record, my previous laptop (4 years) never got infected by malware; and neither has my current one so far. Although I do realize it's not a very good move, especially to some people. But common sense does help a lot.

ncc50446 said,
But isn't IE on Windows supposed to be the most secure browser in the world and pretty much immune to everything? At least, that's what I keep seeing in the browser section by the IE fanboys...
Anyways, on topic, at least they posted a fixit quickly. Hopefully a proper patch is issued soon.

This is a Windows vulnerability, not IE; IE is just an attack vector. Doesn't justify anything, but let's not blame IE; if the other browsers supported MHTML they would be a vector also, but not to blame. Windows would get all the heat!

ncc50446 said,

Guess it shows how long since I last used IE lol. However, with the UAC turned down by default, it wouldn't be immune to everything. Some people just complain far too much... First question Microsoft should ask when installing their products: 'How secure do you want to be?' The average IE user doesn't know how to change UAC settings.

Said user would select "really secure" and then call Win 7 a failure!!

Jeffrey89 said,

Well, I was happy to move on from XP to Vista, now to 7. But the first thing I do on new machines which are mine, is disable UAC because it annoys me and slows me down. And for the record, my previous laptop (4 years) never got infected by malware; and neither has my current one so far. Although I do realize it's not a very good move, especially to some people. But common sense does help a lot.


Not knowing you don't have a virus != not having one. I know what I do, what I can trust, and what to or not to download/run/install. But every now and then I still have a virus/trojan/malware notice when I scan, no serious issues and easy to fix.... but if you're using the internet, it's almost impossible not to get anything in the course of a few years...
unless you just visit neowin.net of course.

WindowsFanatic said,

It is. In fact I'm pretty sure this particular vulnerability can do absolutely no harm as long as UAC is set to the highest level and IE8/9 is running in Protected Mode on Windows 7.

I'm not sure it's the most secure one architecture-wise, since neither UAC nor Protected Mode is supported on Windows XP, a supported OS by MS. Google Chrome on the other hand uses a security sandbox that supports this OS as well. Also, I'm far from convinced Google's sandbox model is less secure even on Vista/7. Both browsers use a sandbox model to protect the browser from the OS. Also, MS has claimed that UAC is not a security boundary, which I agree with. It's kind of the same fallacy to claim this, as claiming RAID 1 is good for backups. It's not either, the design is there for something else - but users often get confused.

ncc50446 said,
But isn't IE on Windows supposed to be the most secure browser in the world and pretty much immune to everything? At least, that's what I keep seeing in the browser section by the IE fanboys...
Anyways, on topic, at least they posted a fixit quickly. Hopefully a proper patch is issued soon.

Oh dear god, not this **** again :'(

WindowsFanatic said,

It is. In fact I'm pretty sure this particular vulnerability can do absolutely no harm as long as UAC is set to the highest level and IE8/9 is running in Protected Mode on Windows 7.

To escape Protected Mode you just have to get the user to click a single button that can say anything. For that reason, IE vulnerabilities have to be taken very seriously. Even if the user doesn't click this button, the malware still has access to everything inside of the browser as well as read access to all your files and full access to any networked machines you're logged onto (because integrity levels do not work over a network.)

woi said,
This is a Windows vulnerability, not IE; IE is just an attack vector. Doesn't justify anything, but let's not blame IE; if the other browsers supported MHTML they would be a vector also, but not to blame. Windows would get all the heat!

The vulnerability is in IE's parser. If other programs supported MHTML they would not automatically be vulnerable unless they used IE.

Shadowzz said,

Not knowing you don't have a virus != not having one. I know what I do, what I can trust, and what to or not to download/run/install. But every now and then I still have a virus/trojan/malware notice when I scan, no serious issues and easy to fix.... but if you're using the internet, it's almost impossible not to get anything in the course of a few years...
unless you just visit neowin.net of course.

Believe me, I visit a lot of sites which are quite risky. If you use common sense combined with decent antivirus/antimalware protection with regular scans, UAC has little to offer (not saying it doesn't add anything at all though, but its benefits do not outweigh it's annoyance for me)

ncc50446 said,
But isn't IE on Windows supposed to be the most secure browser in the world and pretty much immune to everything? At least, that's what I keep seeing in the browser section by the IE fanboys...

IE's protected mode prevents malicious websites from exploiting flaws in IE or Flash player to get write access to the hard disk or user profile (which prevents any malware installation, as opposed to Firefox/Opera/Safari which have no protection at all). It's a great protection, however it is not supposed to prevent read access or cross scripting issues.

The funny thing is that chrome on android (which is sandboxed like IE) is currently suffering from the exact same kind of security issue:
http://www.engadget.com/2011/0...crosd-access-vulnerability/

hdood said,
To escape Protected Mode you just have to get the user to click a single button that can say anything.

???

Any app or malware that wants to escape IE's protected mode has to ask for the authorization to run outside protected mode, which displays a warning message explaining the risk, and the user has to click on the allow button if he wants to authorize the privilege escalation.

link8506 said,
Any app or malware that wants to escape IE's protected mode has to ask for the authorization to run outside protected mode, which displays a warning message explaining the risk, and the user has to click on the allow button if he wants to authorize the privilege escalation.

Correct. However, the Windows desktop has no security. That means the malware can simply paint whatever it wants on top of this warning, making it look like anything it wants. A Javascript error for instance. You think you're dismissing an error, but in reality you're telling the broker to let the malware free.

hdood said,
Correct. However, the Windows desktop has no security. That means the malware can simply paint whatever it wants on top of this warning, making it look like anything it wants. A Javascript error for instance. You think you're dismissing an error, but in reality you're telling the broker to let the malware free.

No it cannot. UAC is designed to not let anything draw ontop of it. It's built into the Windows desktop window manager.

Jeffrey89 said,

Well, I was happy to move on from XP to Vista, now to 7. But the first thing I do on new machines which are mine, is disable UAC because it annoys me and slows me down. And for the record, my previous laptop (4 years) never got infected by malware; and neither has my current one so far. Although I do realize it's not a very good move, especially to some people. But common sense does help a lot.

VERY FIRST thing I do also. What a PITA that crap is!!

Anyone that spends 10 minutes on a computer with UAC enabled that's doing anything should get annoyed to heck!

Nope, never been infected on any machine I've owned including the 8 I have now.

floopy said,
No it cannot. UAC is designed to not let anything draw ontop of it. It's built into the Windows desktop window manager.

We are talking about the IE prompts. These belong to the IE broker and have nothing to do with UAC. They are not shown on the secure desktop like UAC prompts are.

Northgrove said,

I'm not sure it's the most secure one architecture-wise, since neither UAC nor Protected Mode is supported on Windows XP, a supported OS by MS. Google Chrome on the other hand uses a security sandbox that supports this OS as well. Also, I'm far from convinced Google's sandbox model is less secure even on Vista/7. Both browsers use a sandbox model to protect the browser from the OS. Also, MS has claimed that UAC is not a security boundary, which I agree with. It's kind of the same fallacy to claim this, as claiming RAID 1 is good for backups. It's not either, the design is there for something else - but users often get confused.

Ok, in theory IE is more secure than Chrome, for the same reasons you list.

IE and Chrome both run in a sandbox.
IE also runs in an additional low security mode.
IE's low security mode has NO rights to touch anything.
IE's low security mode uses a security 'broker'.
IE also uses disposable virtualization.

What this means is that for IE to even access the user's favorites, which are on the file system, or access any information in the registry, or touch anything outside the 'sandbox', it additionally has to use the 'broker' to obtain permission through NT's token-based security model.

The IE 'broker' also is used for any 'add-on' or external events, which is why something like Flash must get the same permissions through the 'broker' which also safeguards 3rd party access beyond IE's control.

When an IE event or a 3rd party add-on cannot obtain the proper permission from the broker and NT's security, IE then virtualizes a limited set of functionality for the add-on or function so that the add-on or function will not fail to work, but instead will not be touching any real data or able to write any real data, as the virtualized 'touching' in both the file system and registry are discarded.

Chrome is just sandboxing itself and runs with user level security.
Chrome just recently added the 'concept' of a broker for things like Flash and 'plugins'; however, this is only handled by Chrome and does not honor or use the NT security model, as Chrome and its content already have full user level security rights. It is just a new internal 'safeguard' to sandbox the 3rd party plugins, but does not properly broker the security rights or requests to the OS.

So, yes, technically IE is more secure than any other browser, unless someone can show a browser that runs in a super low security rights mode that can't even touch its own files or the file system itself and brokers these and all external events to the OS security handler.

As for the UAC, it is not a security measure, it is a tool that 1) made developers start considering and writing for NT security and 2) acts as a security elevation model like you can find on almost any OS.

(On Linux and OS X, security password request elevations are not a security boundary either, this is also why Microsoft does not call UAC a security boundary, as it is an 'escalation' tool, and has nothing to do with security restricting access.)

As for the other posts talking about the desktop having no security and being able to paint, blah blah... This is also incorrect, as in Vista and Win7 even the WDDM uses the NT security model, which is why you cannot even paint on an application that is running with elevated privileges.

The NT security system is rather good: it is object-based and uses a token model. Windows XP sucked, as it did not enforce the NT security model and by default let all users and applications run with administrative level security for compatibility. People need to stop seeing Windows NT's security based on what Windows XP allowed and where Microsoft really messed up.

thenetavenger said,
What this means is that for IE to even access the user's favorites, which are on the file system, or access any information in the registry, or touch anything outside the 'sandbox', it additionally has to use the 'broker' to obtain permission through NT's token-based security model.

Sort of. It needs permission to _write_ outside of the sandbox. It has full and unrestricted read access equivalent to that of the user running IE, so it can steal all your files. It also has write access to the BNO namespace, a potential attack vector, and any networked resource (because integrity levels do not exist across the network.) And finally, it obviously has access to the IE session it's running in.

thenetavenger said,
As for the other posts talking about the desktop having no security and being able to paint, blah blah... This is also incorrect, as in Vista and Win7 even the WDDM uses the NT security model, which is why you cannot even paint on an application that is running with elevated privileges.

Not true. There is no such protection. The only thing you can't do is send a small number of window messages to a process with a higher integrity level. These mostly have to do with preventing code injection.


If you want a demonstration, you can watch this clip: http://www.youtube.com/v/aq3esZFJLzE

omnicoder said,

No support for MHTML in Firefox, Safari or Chrome and limited support in Opera so no worries.

Limited you say... o.o