Microsoft warns of Windows zero-day flaw

An unpatched flaw in web protocol MHTML could let an attacker steal information via Internet Explorer or pose as the victim, the software maker has warned

Microsoft has warned of a zero-day vulnerability in Windows that could let an attacker collect any information stored in an Internet Explorer user's browser.

Microsoft warns of IE vulnerbaility

Microsoft has warned of a zero-day vulnerability in Windows. Photo credit: TechFlash Todd

The flaw allows a hacker to inject a malicious client-side script in an otherwise legitimate web-request response made by the Internet Explorer (IE) browser, Microsoft said in a security advisory on Friday. The script could post content or perform actions online that would appear to have been initiated by the victim.

Alternatively, the vulnerability, which lies in the MHTML web protocol, could allow the script to collect an IE user's information, or spoof content displayed in the browser to "interfere with the user's experience", Microsoft security advisor Angela Gunn said in a blog post.

The bug, which resembles a cross-site scripting flaw, affects all supported versions of Windows, including some XP editions, Server 2003, Vista and Windows 7.

"While the vulnerability is located in a Windows component, Internet Explorer is the only known attacker vector," Wolfgang Kandek, chief technology officer at Qualys, said in a blog post. "Firefox and Chrome are not affected in their default configuration, as they do not support MHTML without the installation of specific add-on modules."

In an attack, a hacker would have to persuade a person to click on a link to download the malicious script, Microsoft noted.


The flaw lies in the way MHTML interprets Multipurpose Internet Mail Extensions (Mime) for content blocks in a document. MHTML, which stands for Mime HTML, is a standard that allows web objects such as images to be combined with HTML into a single file.

Proof-of-concept attack code is available on the internet, said Microsoft, which added that it was not aware of any attacks having taken place that exploit the vulnerability. According to Qualys, the issue was originally disclosed by the WooYun Chinese information security website.

Microsoft said it is working with ISPs to provide server-side workarounds, and said it plans to release a client-side patch for the flaw at some point in the future.

Workarounds suggested by Microsoft include making registry alterations to disable the MHTML protocol, but this has the side effect of having an impact on all applications that use MHTML. In addition, IT professionals could block ActiveX or Active scripting, but this could cause problems with banking sites and other companies that use ActiveX for functions such as providing bank statements.

Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.