Microsoft warns of major Windows security hole

by Pete Mason on 31 January 2011, 11:17

Tags: Windows 7, Windows XP, Windows Vista Home Premium, Microsoft (NASDAQ:MSFT)


Microsoft has just warned of a major vulnerability that could leave all versions of Windows at risk of attack by certain malicious websites.

The hole lies in the way in which MIME HTML (MHTML) interprets MIME-formatted requests for content blocks in certain documents. By getting a user to click a link in a browser or e-mail client, an attacker could cause malicious code to run on a target machine. The biggest risk is to data security and privacy, since the attack would allow information to be collected for the remainder of the session.

Although Microsoft is aware of the exploit and has seen proof-of-concept code, it hasn't been spotted in the wild yet.

The nature of the vulnerability means that it could potentially impact all versions of Windows, including Server, 64-bit and Itanium editions. Of course, the good news is that it only affects Internet Explorer, Outlook, Outlook Express and Windows Live Mail - although the mail clients all have some level of protection built in by default.

Obviously the simplest way to avoid any harm is to use a non-Microsoft browser or mail client. However, since that's not an option for everyone, there are a few workarounds that will tide people over until the security teams come up with a fix. Basically, they involve locking down MHTML and setting the Internet zone security to 'High' to block ActiveX Controls and Active Scripting.

More details on the recommended fixes and some mitigating actions can be found on the Security Advisory page, while more in-depth details on the vulnerability are available in this TechNet blog post.


