Microsoft Security Advisory for MHTML via Internet Explorer (MS2501696/CVE-2011-0096)

Microsoft Security Advisory for MHTML via Internet Explorer (MS2501696/CVE-2011-0096)
www.microsoft.com/technet/security/advisory/2501696.mspx Information on this vulnerability first started surfacing on Full-Disclosure on 1/15/2011.The vulnerability exists in all supported versions of MS Windows except for 2008 with server core. Other installed applications (Adobe Reader, etc) may be leveraged locally via Internet Explorer (including Outlook, etc.) There appears to be a myriad of ways it can be leveraged and a lot of thought and creativity is being poured into that. So now would be a good time to: test and consider the registry workaround (see advisory); to review group policies for zone settings for Internet Explorer; and to review detection options for email gateways and proxies/NIDS/etc. From the advisory: "The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a Web request run in the context of the victim's Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user." A release date for a fix has not been posted yet. Relevant/Interesting Links: Enhanced Security Configuration http://technet.microsoft.com/en-us/library/dd883248(WS.10).aspx MHTML Info http://msdn.microsoft.com/en-us/library/aa767916(v=vs.85).aspx Server Core http://technet.microsoft.com/en-us/library/ee441255(WS.10).aspx CVE-2011-0096 http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0096 Advisory http://www.microsoft.com/technet/security/advisory/2501696.mspx If you come across any attacks targeting this vulnerability, please upload any details you have (pcap, samples, urls, etc) via our contact form and we'll review them, share with the community (if you permit us), and post updates to the diary. Thanks, Robert Danford	Robert 49 Posts Jan 28th 2011
Thread locked Subscribe	Jan 28th 2011 1 decade ago
After a careful reading of the advisory, I don't see what the vulnerability really is. It requires a request to a web server with the MHTML segment in it. Then the script can do anything that a normal script in a normal web page can do "spoof content, disclose information, or take any action that the user could take". In a normal web page this is usually called AJAX (or DOM) scripting. Is it a problem because MHTML is not supposed to allow this? Or is it a problem because the attacker can use a non-standard way to put the script into the MHTML page possibly bypassing any signature based checks in AV software?	Nathan Christiansen 20 Posts
Quote	Jan 28th 2011 1 decade ago
Now I see the problem. "It is possible for this vulnerability to allow an attacker to run script in the wrong security context." Meaning it could possibly do non-blind cross-site request forgery, and bypass checks for cross site scripting.	Nathan Christiansen 20 Posts
Quote	Jan 28th 2011 1 decade ago
They've chucked out a temporary workaround auto "fixit" thing as well: http://support.microsoft.com/kb/2501696	Alex 19 Posts
Quote	Jan 28th 2011 1 decade ago
The handler also ignores files extensions. So mhtml files can be placed on sites as jpg or whatever. So easy to hide. Some exploit code is about now. M	Mark 391 Posts ISC Handler
Quote	Jan 29th 2011 1 decade ago
- http://secunia.com/advisories/43093/ Release Date: 2011-01-29 Impact: Cross Site Scripting Where: From remote ... Solution: Enable MHTML protocol lockdown (either manually or using the available automated "Microsoft Fix it" solution). > http://support.microsoft.com/kb/2501696#FixItForMe .	Jack 160 Posts
Quote	Jan 29th 2011 1 decade ago