Microsoft releases Security Advisory 2501696

Hello. Today we're releasing Security Advisory 2501696, which describes a publicly disclosed scripting vulnerability affecting all versions of Microsoft Windows. The main impact of the vulnerability is unintended information disclosure. We're aware of published information and proof-of-concept code that attempts to exploit this vulnerability, but we haven't seen any indications of active exploitation.

The vulnerability lies in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler, which is used by applications to render certain kinds of documents. The impact of an attack on the vulnerability would be similar to that of server-side cross-site-scripting (XSS) vulnerabilities. For instance, an attacker could construct an HTML link designed to trigger a malicious script and somehow convince the targeted user to click it. When the user clicked that link, the malicious script would run on the user's computer for the rest of the current Internet Explorer session. Such a script might collect user information (e.g., email), spoof content displayed in the browser, or otherwise interfere with the user's experience.

The workaround we recommend that customers apply locks down the MHTML protocol and effectively addresses the issue on the client system, which is where the issue exists. We are providing a Microsoft Fix-it package to further automate installation.

In our collaboration with other service providers, we are looking for possible ways that they can take steps to provide protection on the server side. Our Security Research & Defense team has written a blog post that discusses some possible options. However, due to the nature of the issue, the only workaround Microsoft can officially recommend is what we have identified in the advisory. We will continue to work closely with others in the industry and appreciate the collaboration we have had to date.

We have initiated our Software Security Incident Response Process (SSIRP) to manage this issue. We're also in communication with other service providers to explain how the issue might affect third-party Web sites and to collaborate on developing a variety of further solutions that address the varied needs of all parts of the Internet ecosystem - large sites, small sites, and all those who visit them.

Meanwhile, we are working on a security update to address this vulnerability and we are monitoring the threat landscape very closely. If the situation changes, we'll post updates here on the MSRC blog.

Thanks -

Angela Gunn
Trustworthy Computing