Softpedia
 


January 29th, 2011, 10:42 GMT

Windows 0-Day Vulnerability Allows Attackers to Steal Info

Microsoft shared details of workarounds that Windows users can implement to protect themselves against exploits targeting a new zero-day vulnerability which allows attackers to steal information from users.

The company confirmed reports of the newly discovered Windows security hole, as well as the fact that both published information and proof-of-concept code made their way into the wild.

According to the software giant, the flaw resides in the MHTML (MIME Encapsulation of Aggregate HTML) protocol. Applications such as Internet Explorer use MHTML to interpret MIME-formatted requests for content blocks within certain documents that need to be rendered.

Microsoft stresses that, although the vulnerability has been publicly disclosed, it is not aware of any active exploits or attacks against customers. All supported releases of Windows are affected by the 0-day vulnerability.

“The impact of an attack on the vulnerability would be similar to that of server-side cross-site-scripting (XSS) vulnerabilities,” explained Angela Gunn, security response communications manager, Trustworthy Computing, Microsoft.

“For instance, an attacker could construct an HTML link designed to trigger a malicious script and somehow convince the targeted user to click it.

“When the user clicked that link, the malicious script would run on the user's computer for the rest of the current Internet Explorer session. Such a script might collect user information (e.g., email), spoof content displayed in the browser, or otherwise interfere with the user's experience.”

Customers are advised to consult Security Advisory 2501696 for insight into the problem.

Under the Mitigating Factors and Suggested Actions section, the Redmond company has published a list of suggested actions. These are temporary workarounds that customers can implement in order to ensure that any potential exploits would have no impact.

Microsoft is of course working on a patch, but until a security update is available, the software giant has provided an automated Fix It solution for users.

“The workaround we are recommending customers apply locks down the MHTML protocol and effectively addresses the issue on the client system where it exists. We are providing a Microsoft Fix-it package to further automate installation,” Gunn stated.

“Meanwhile, we are working on a security update to address this vulnerability and we are monitoring the threat landscape very closely.”

UPDATE: added Fix It link.

