Microsoft releases Security Advisory 2501696

Hello. Today we’re releasing Security
Advisory 2501696
, which describes
a publicly disclosed scripting vulnerability affecting all versions of
Microsoft Windows. The main impact of the vulnerability is unintended
information disclosure. We’re aware of published
information and proof-of-concept code that attempts to exploit this
vulnerability, but we haven’t seen any indications of active

The vulnerability lies in the
MHTML (MIME Encapsulation of Aggregate HTML) protocol handler, which is used by
applications to render certain kinds of documents. The impact of an attack on
the vulnerability would be similar to that of server-side cross-site-scripting
(XSS) vulnerabilities.  For instance, an
attacker could construct an HTML link designed to trigger a malicious script
and somehow convince the targeted user to click it. When the user clicked that
link, the malicious script would run on the user’s computer for the rest of the
current Internet Explorer session.  Such
a script might collect user information (eg., email), spoof content displayed
in the browser, or otherwise interfere with the user’s experience.

The workaround we are
recommending customers apply locks down the MHTML protocol and effectively
addresses the issue on the client system where it exists. We are providing a
Microsoft Fix-it package to further automate installation.

In our collaboration with other
service providers, we are looking for possible ways that they can take steps to
provide protection on the server side. Our Security Research & Defense team
has written a blog post that discusses some possible options.
However, due to the nature of the issue, the only workaround Microsoft can officially
recommend is what we have identified in the advisory. We will continue to work
closely with others in the industry and appreciate the collaboration we have had
to date.

We have initiated our Software
Security Incident Response Process (SSIRP)
to manage this issue. We’re also in
communication with other service providers to explain how the issue might
affect third-party Web sites and to collaborate on developing a variety of
further solutions that address the varied needs of all parts of the Internet ecosystem
– large sites, small sites, and all those who visit them.

Meanwhile, we are working on a security
update to address this vulnerability and we are monitoring the threat landscape
very closely. If the situation changes, we’ll post updates here on the MSRC

Thanks –

Angela Gunn
Trustworthy Computing