Jan 31, 2011 05:11 GMT

A new zero-day script injection vulnerability has been confirmed in Windows and proof-of-concept attack code has already been published on public websites.

The flaw, identified as CVE-2011-0096, is located in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler and affects all supported versions of Windows.

"The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document.

"It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a Web request run in the context of the victim's Internet Explorer," Microsoft wrote in a newly published advisory.

Successful exploitation can lead to the disclosure of sensitive information or to unauthorized actions being performed on the victim's behalf through the browser.

The proof-of-concept attack code was originally published in a Chinese-language hacking webzine (web magazine) and was later uploaded to the Exploit Database (EDB).

It describes six different attack scenarios, including server-side and local cross-site scripting in combination with Adobe Reader 9 or Word, which shows that the vulnerability can also be exploited via a maliciously crafted document.

MHTML-enabled clients like Microsoft Outlook, Microsoft Outlook Express, Windows Mail and Internet Explorer on Windows Server 2003, 2008 and 2008 R2 are not affected because they run in Enhanced Security Configuration mode.

Mitigation involves locking down the MHTML protocol in Internet Explorer, an action for which Microsoft has released an automated "Fix it" solution.

When the workaround is enabled, trying to open MHTML links in IE will display a notification bar, similar to the one shown for ActiveX.

Users can allow the execution of the script by clicking on the bar and choosing "Allow All Protocol." This will only be temporary and will any other MHTML links.

Microsoft's Security Research & Defense team points out that the workaround will not interfere with other programs that require MHTML support.

"While MHTML is an important component of Windows, it is rarely used via mhtml: hyperlinks. Most often, MHTML is used behind the scenes, and those scenarios would not be impacted by the network protocol lockdown," the team explains.