Microsoft warns of Windows vulnerability that impacts all supported editions

Microsoft has warned of a vulnerability found across the range of desktop and server Windows offerings that could potentially allow an attacker to run malicious scripts through a web page.

The vulnerability, which was first reported on Friday by the Redmond-based software giant, impacts all "supported" editions of Windows, including Windows XP, Windows Vista, Windows 7 and Windows Server 2003 and 2008.

Microsoft says the exploit is a result of a bug in Windows' MHTML handler, which the software giant says interprets MIME-formatted requests in a way in which attackers could be able to take advantage of the tool.

"The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible for this vulnerability to allow an attacker to run script in the wrong security context," Microsoft said.

"The vulnerability could allow an attacker to cause a victim to run malicious scripts when visiting various Web sites, resulting in information disclosure. This impact is similar to server-side cross-site scripting (XSS) vulnerabilities."

At this stage it's understood the vulnerability has not yet been exploited by malicious parties, despite a number of sites publishing information about the problem.

"Microsoft is aware of published information and proof-of-concept code that attempts to exploit this vulnerability," the company warns, explaining that "at this time, Microsoft has not seen any indications of active exploitation of the vulnerability."

A patch is being prepared by Microsoft, but in the meantime the company is encouraging those who feel worried about the vulnerability to download the FixIt steps provided here. The FixIt download also includes a proof-of-concept tool which allows users to test whether the fix has worked or if they are still open to the exploit.

Report a problem with article
Previous Story

PS3 firmware 3.56 hacked in less than a day

Next Story

Apple and News Corp. set to announce The Daily on Wednesday

42 Comments - Add comment