A flaw in the MHTML engine in Internet Explorer leaves Windows systems vulnerable to attack.
Microsoft has issued a warning for Windows users, following the online publication of attack code for a zero-day vulnerability.
The flaw, which affects the MHTML component of Internet Explorer, is described by Microsoft as 'similar to server-side cross-site scripting (XSS) vulnerabilities
' in impact, allowing attackers to run code in the same security context as Internet Explorer when a malicious webpage is loaded.
According to Microsoft's recently-published Security Advisory
, the vulnerability exists due to the manner in which MHTML interprets certain MIME-format requests for portions of a document. By modifying the requests in a certain way, an attacker can inject code to be run on the client's system in the same security context as Internet Explorer.
The company warns that the flaw is capable of spoofing website content, disclosing information from the victim's computer and interacting with websites without user-input.
Although the vulnerability, for which there is currently no patch available, is not thought to be under active exploitation, Microsoft admits that sample attack code is available in the wild following its publication in a Chinese-language security magazine.
The flaw, which affects all versions of Windows, including Windows 7 and Windows Server 2008 R2, can be resolved by enabling a security feature known as MHTML Lockdown Mode, while Microsoft works on a patch. The company hasn't yet ruled out fixing the flaw with an out-of-band patch, which could be released outside of its regular monthly update cycle.
Are you unimpressed by the news of yet another zero-day vulnerability in Windows, or just pleased that Microsoft has made a workaround available while it works on a patch? Share your thoughts over in the forums