bit-tech.net

Microsoft warns of zero-day Windows flaw

A flaw in the MHTML engine in Internet Explorer leaves Windows systems vulnerable to attack.

Microsoft has issued a warning for Windows users, following the online publication of attack code for a zero-day vulnerability.

The flaw, which affects the MHTML component of Internet Explorer, is described by Microsoft as 'similar to server-side cross-site scripting (XSS) vulnerabilities' in impact, allowing attackers to run code in the same security context as Internet Explorer when a malicious webpage is loaded.

According to Microsoft's recently published Security Advisory, the vulnerability exists because of the way MHTML interprets certain MIME-format requests for portions of a document. By modifying such requests in a specific way, an attacker can inject script that runs on the client's system in the same security context as Internet Explorer.

The company warns that the flaw could be used to spoof website content, disclose information from the victim's computer and interact with websites without any user input.

Although the vulnerability, for which there is currently no patch available, is not thought to be under active exploitation, Microsoft admits that sample attack code is available in the wild following its publication in a Chinese-language security magazine.

The flaw, which affects all versions of Windows, including Windows 7 and Windows Server 2008 R2, can be mitigated by enabling a security feature known as MHTML Lockdown Mode while Microsoft works on a patch. The company hasn't yet ruled out fixing the flaw with an out-of-band patch, which could be released outside of its regular monthly update cycle.

Are you unimpressed by the news of yet another zero-day vulnerability in Windows, or just pleased that Microsoft has made a workaround available while it works on a patch? Share your thoughts over in the forums.

21 Comments

mi1ez 31st January 2011, 12:34 Quote
These things happen, at least there's a temporary workaround. Does this only affect IE then?
Zurechial 31st January 2011, 12:54 Quote
I'm not usually one to jump on the anti-Microsoft bandwagon and I'm no security expert either, but these kinds of flaws make me wonder what the point of UAC is in Vista/7 if applications like IE can operate outside of their purpose (i.e. web browsing) without user direction.
Why is IE running in a security context with that level of system access to begin with? I don't recall ever having to pass a UAC prompt to load up IE, so why does the browser have that level of access to the rest of the system?

I sometimes get the feeling that Microsoft gives its own applications secure access by default because "It's signed by us, it can't possibly be harmful".
Or have I missed something crucial here?

I know we can google it, but it'd be nice if this article provided even a vague description/explanation of MHTML lockdown mode!
maximus09 31st January 2011, 12:57 Quote
does this affect other browsers then?
Shichibukai 31st January 2011, 13:04 Quote
When will the list of failures end >.>
Enzo Matrix 31st January 2011, 13:14 Quote
So is this an IE security flaw? I was under that impression until this statement:
"affects all versions of Windows, including Windows 7 and Windows Server 2008 R2"

This is misleading because this would not need to be stated if it were simply an IE flaw. Please clarify.
Yslen 31st January 2011, 13:16 Quote
So even for the poor fools using IE this major security flaw is rendered completely harmless simply by having UAC on? That's how I read it anyway.

"The same security context as Internet Explorer" surely means just that; if UAC is off and the user is on an Admin account the malicious code will have access to anything, but with UAC on and a restricted account the code is pretty powerless to affect anything.

To be honest this sounds like a non-issue. It only affects people who are daft/uninformed enough to be running Internet Explorer with most of Windows' security features manually switched off.
tad2008 31st January 2011, 13:37 Quote
It is highly unlikely that UAC will stop this flaw as those who still use IE will already have granted it "authorised" access. So if it then decides to do something unauthorised, then well, it's already authorised to do that. If it was to try to interact with other parts of the OS like the control panel then UAC would most likely be able to step in and warn you.

As for MHTML or MIME HTML, this is used by Microsoft Word, IE and Opera; Firefox used to need an extension for this and I believe there is also one for Chrome. This is also a standard part of the format used for HTML emails, so I wonder how far-reaching this flaw really is or could be.

It's a shame Microsoft's security flaw ratings aren't a bit more explicit rather than being the overly familiar "this security flaw could allow an unauthorised attacker to compromise your system".
PingCrosby 31st January 2011, 15:04 Quote
I love flaws...I have several myself.
RichCreedy 31st January 2011, 16:43 Quote
Secunia has this marked as less critical.

For more information look at the original Microsoft Security Advisory 2501696.
thehippoz 31st January 2011, 17:42 Quote
win vista and 7 aren't so bad on the security end of things despite what articles would have you believe.. I kinda wish everyone still ran windows xp cause it's a carnival of jokes.. easy to get in and run havoc

turn the uac all the way up in 7 and use the homegroup password for your shares.. you'll put egg on the face of most these.. don't be a tool and not run uac because without it, you might as well hang upside down and have your face kicked up around.. well you know

check out your task scheduler to add trusted apps that need admin.. then there's no excuse.. or you could go mac and run their ubuntu copy of a os with less security and be the ultimate jobbed toolbag (for the price of 2 pc's)

I should change my name to the prowler or squeeler (like my vm snapshots are so accurately named :))
HourBeforeDawn 31st January 2011, 18:10 Quote
Okay, where is this lockdown feature? It says under security, like what, IE Internet Options Security? Or elsewhere? Need to know on XP, Vista, and Win7.
IvanIvanovich 31st January 2011, 18:23 Quote
the lockdown:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
"explorer.exe"=dword:00000001
"iexplore.exe"=dword:00000001
"*"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1]
"file"="file"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\3]
"file"="file"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\4]
"file"="file"
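An added audit script (not from the article or IvanIvanovich's post) that checks whether the protocol lockdown above is actually in effect on a machine: it reads the FEATURE_PROTOCOL_LOCKDOWN per-process values and the per-zone RestrictedProtocols keys from the posted .reg file. It assumes the protocol name to look for is mhtml (the posted file restricts file instead, which can be audited with -Protocol file) and that the zone subkeys 0 to 4 are IE's URL security zones.

```powershell
# Added audit script, not from the page. Assumes the protocol to audit is
# named "mhtml" under RestrictedProtocols; the posted .reg restricts "file",
# so run with -Protocol file to audit that configuration instead.
param([string]$Protocol = 'mhtml')

$featureKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN'
$zoneRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols'

function Test-ProcessLockdown {
    # FEATURE_PROTOCOL_LOCKDOWN only applies to processes whose name (or "*")
    # is set to DWORD 1 under the feature key.
    param([string]$Process)
    if (-not (Test-Path $featureKey)) { return $false }
    $entry = (Get-ItemProperty -Path $featureKey).PSObject.Properties[$Process]
    return ($null -ne $entry -and [int]$entry.Value -eq 1)
}

function Get-RestrictedProtocols {
    # Protocol names restricted in one URL security zone (0 = Local Machine,
    # 1 = Intranet, 2 = Trusted, 3 = Internet, 4 = Restricted); PS* metadata
    # properties added by Get-ItemProperty are filtered out.
    param([int]$Zone)
    $key = Join-Path $zoneRoot $Zone
    if (-not (Test-Path $key)) { return @() }
    @((Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { $_.Name })
}

$processes = foreach ($p in 'explorer.exe', 'iexplore.exe', '*') {
    [pscustomobject]@{ Process = $p; LockdownEnabled = (Test-ProcessLockdown -Process $p) }
}
$zones = foreach ($z in 0..4) {
    $restricted = Get-RestrictedProtocols -Zone $z
    [pscustomobject]@{
        Zone       = $z
        Restricted = ($restricted -join ',')
        Covered    = [bool]($restricted -contains $Protocol)
    }
}

$processes | Format-Table -AutoSize
$zones     | Format-Table -AutoSize

# A zone without the entry still hands the protocol to the handler unrestricted.
$gaps = @($zones | Where-Object { -not $_.Covered })
if ($gaps.Count -gt 0) {
    Write-Warning ("'{0}' is not restricted in zone(s): {1}" -f $Protocol, ($gaps.Zone -join ', '))
} else {
    Write-Output "'$Protocol' lockdown entries present in all five zones."
}
```

Run it from an elevated PowerShell prompt on the machine being checked; the per-process table must show all three entries enabled for the per-zone entries to have any effect.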
AKHandyman 31st January 2011, 19:13 Quote
Uhhh ... Firefox with NoScript might help alleviate the anxiety caused by MS's ineptitude ... AK
Blackie Chan 1st February 2011, 00:32 Quote
Quote:
Originally Posted by AKHandyman
Uhhh ... Firefox with NoScript might help alleviate the anxiety caused by MS's ineptitude ... AK

Seriously, I have been running NoScript for like three years; the benefits greatly outweigh the hassles for me.
Daedelus 1st February 2011, 12:54 Quote
People still use IE?
Fizzban 1st February 2011, 15:10 Quote
Quote:
Originally Posted by Blackie Chan
Seriously, I have been running NoScript for like three years; the benefits greatly outweigh the hassles for me.

This.
E_Spaghetti 1st February 2011, 19:02 Quote
It seems that this article created a lot of questions about a security flaw and just barely skimmed the answer to fix it.
What's up with that?
I'll just rely on a search engine now, but thanks for bringing the problem to our attention.
I may report back with the answers to the questions that people have been asking.
schmidtbag 1st February 2011, 19:11 Quote
Quote:
Originally Posted by Daedelus
People still use IE?

Unfortunately more than 50% of all computer users use IE, and to make it really depressing, more than half of those users use IE6.

Also, people need to realize that UAC doesn't protect you from programs that you have granted access to. UAC was a horrible failed attempt to make Windows secure - UAC doesn't protect you from having stuff written, deleted, or replaced in your system. UAC is biased towards certain programs, so some things can slip by it. UAC doesn't require a password to be triggered (someone could easily create a virus that UAC doesn't detect and make it automatically grant access to everything).
There's a reason why Linux and Mac are so secure, and their lack of popularity ISN'T the only reason.
thehippoz 2nd February 2011, 02:37 Quote
Quote:
Originally Posted by schmidtbag
Unfortunately more than 50% of all computer users use IE, and to make it really depressing, more than half of those users use IE6.

Also, people need to realize that UAC doesn't protect you from programs that you have granted access to. UAC was a horrible failed attempt to make Windows secure - UAC doesn't protect you from having stuff written, deleted, or replaced in your system. UAC is biased towards certain programs, so some things can slip by it. UAC doesn't require a password to be triggered (someone could easily create a virus that UAC doesn't detect and make it automatically grant access to everything).
There's a reason why Linux and Mac are so secure, and their lack of popularity ISN'T the only reason.

aye but your rant on the uac isn't true.. I think you're talking about whitelists and exploiting explorer.exe.. well if you read my post up above- simple as turning the uac all the way up in 7.. vista is secured by the uac correctly default- you can add your trusted apps in the task scheduler if you don't want a uac prompt

if you really don't like windows.. it's probably more because you don't understand it.. a real hacker learns all systems including mac

I don't know why microsoft even has the option to run whitelists that have been proven since beta to be insecure, and they run the uac like that default =].. I guess it's all the feedback from the smear job on vista or maybe they want to keep pentesters in business who knows
schmidtbag 2nd February 2011, 04:41 Quote
Quote:
Originally Posted by thehippoz
Quote:
Originally Posted by schmidtbag
Unfortunately more than 50% of all computer users use IE, and to make it really depressing, more than half of those users use IE6.

Also, people need to realize that UAC doesn't protect you from programs that you have granted access to. UAC was a horrible failed attempt to make Windows secure - UAC doesn't protect you from having stuff written, deleted, or replaced in your system. UAC is biased towards certain programs, so some things can slip by it. UAC doesn't require a password to be triggered (someone could easily create a virus that UAC doesn't detect and make it automatically grant access to everything).
There's a reason why Linux and Mac are so secure, and their lack of popularity ISN'T the only reason.

aye but your rant on the uac isn't true.. I think you're talking about whitelists and exploiting explorer.exe.. well if you read my post up above- simple as turning the uac all the way up in 7.. vista is secured by the uac correctly default- you can add your trusted apps in the task scheduler if you don't want a uac prompt

if you really don't like windows.. it's probably more because you don't understand it.. a real hacker learns all systems including mac

I don't know why microsoft even has the option to run whitelists that have been proven since beta to be insecure, and they run the uac like that default =].. I guess it's all the feedback from the smear job on vista or maybe they want to keep pentesters in business who knows

I admit I don't know everything about UAC, and I'm sure cranking it all the way up would make it very secure to *outsiders*, but I highly doubt it can protect everything from the inside, and that's where a *nix based OS wins because it prevents outer and inner attacks naturally. Also, the fact that you can turn it up all the way but still add trusted apps can be a potential security fault. It's exactly the same thing as saying "I live in a free country" but you're limited to what you can do or say. Once you add one exception, someone always manages to figure out how to sneak in another one.

I don't like Windows, but I've actually been a hardcore Windows user for over 10 years and really didn't like Mac at all. Then about 3 years ago I gave Linux a shot and found it to be considerably better (as an OS) in almost every single way except general user friendliness, which didn't bother me.

I would definitely have to agree that a real hacker should learn all systems, but remember that security relates to malware as well as hacking. I've noticed that Windows lately appears to be harder to hack than Mac or Linux, but still very vulnerable to malware.
will_123 2nd February 2011, 10:29 Quote
@thehippoz OSX is not an Ubuntu copy. It's a BSD variant with a very nice looking GUI put on top. You are just ranting away about things when you clearly know diddly squat. How in any way is using a Mac less safe than a Windows PC? I'm no expert but reading your comment clearly tells me you are a fool.