Windows Vulnerable to Zero-Day XSS Attacks

28.01.2011
Microsoft released , titled "Vulnerability in MHTML Could Allow Information Disclosure" today. The advisory in the MHTML protocol handler which opens all versions of Windows to potential cross-site scripting (XSS) attacks.

The explains how an attack might work in more detail once a user receives a malicious link targeting this vulnerability. "When the user clicked that link, the on the user's computer for the rest of the current Internet Explorer session. Such a script might collect user information (e.g., e-mail), spoof content displayed in the browser, or otherwise interfere with the user's experience."

Wolfgang Kandek, CTO of , describes the issue in more detail on his blog. "The XSS attack can be used to run JavaScript code on the user's Internet Explorer instance, which gives the attacker a way to get at information stored in the browser and a mechanism to trick users into installing unwanted code through social engineering."

Jim Walter, manager of the McAfee Threat Intelligence Service for , does not believe this is a serious threat, at least not imminently. "The scope and impact is relatively limited compared to other recent zero-day code execution vulnerabilities. Based on the information that is currently available, we are aware that successful exploitation could lead to the running of arbitrary scripts (in the context of the client's IE session), as well as the disclosure of sensitive information."

Andrew Storms, director of security operations for , e-mailed the following comments. "At first glance today's advisory looks grim because it affects every supported Windows platform. However, even though the proof-of-concept code is public, carrying out an attack using this complicated cross-site scripting-like bug will not be easy," adding, "Because of this, attacks are probably not imminent, but users should still follow the mitigation advice in the advisory."

The MSRC blog suggests following the mitigation advice in the security advisory. "The workaround we are recommending customers apply locks down the MHTML protocol and effectively addresses the issue on the client system where it exists."