Microsoft warns of new Windows zero-day bug

Microsoft today warned Windows users of a new unpatched vulnerability that attackers could exploit to steal information and dupe people into installing malware.

In a security advisory issued Friday, Microsoft acknowledged that a bug in Windows MHTML (MIME HTML) protocol handler can be used by attackers to run malicious scripts within Internet Explorer (IE):

"The best way to think of this is to call it a variant of a cross-side scripting vulnerability," said Andrew Storms, director of security operations at nCircle Security.

Cross-site scripting bugs, often shortened to XSS, can be used to insert malicious script into a Web page that can then take control of the session:

"An attacker could pretend to be the user, and act if as he was you on that specific site," said Storms. "If you were at Gmail.com or Hotmail.com, he could send e-mail as you."

Microsoft elaborated on the threat as:

"Such a script might collect user information, for example e-mail, spoof content displayed in the browser or otherwise interfere with the user's experience," said Angela Gunn, a Microsoft security spokeswoman, in a post to the Microsoft Security Response Center (MSRC) blog.

The vulnerability went public last week when the Chinese Web site WooYun.org published proof-of-concept code. MHTML is a Web page protocol that combines resources of several different formats -- images, Java applets, Flash animations and the like -- into a single file. Only Microsoft's IE and Opera Software's Opera support MHTML natively: Google's Chrome and Apple's Safari do not, and while Mozilla's Firefox can, it requires an add-on to read and write MHTML files.

Wolfgang Kandek, the chief technology officer at Qualys, pointed out that IE users are most at risk:

"While the vulnerability is located in a Windows component, Internet Explorer is the only known attacker vector," said Kandek in an e-mail message. "Firefox and Chrome are not affected in their default configuration, as they do not support MHTML without the installation of specific add-on modules."

All supported versions of Windows, including Windows XP, Vista and Windows 7, contain the flawed protocol handler, one reason why Storms believes it will take Microsoft time to come up with a patch:

"If this was only in IE, I could see them getting a patch out by Feb. 8," he said, referring to Microsoft's next regularly-scheduled day for releasing fixes. "But this is rooted in Windows, and Microsoft won't take any chances."

In lieu of a patch, Microsoft recommended that users lock down the MHTML protocol handler by running a "Fixit" tool it's made available. The tool automates the process of editing the Windows registry, which if done carelessly could cripple a PC, and lets IE users continue to run MHTML files that include scripting by clicking through a warning.