Microsoft has issued a new security advisory, warning the public of a security loophole that could expose the 900 million or so users of Internet Explorer to risks of information theft and, possibly, the risk of a total machine hijacking.
The vulnerability is found in all versions of Windows, but only appears to manifest itself through Microsoft’s Internet Explorer Web browser. The protocol handler MIME Encapsulation of Aggregate HTML (MHTML), which is used by certain applications for document rendering, is at the heart of the rather serious security flaw. A MHTML exploit would appear very similar to an server-side cross-site-scripting (XSS) attack, a vulnerability that injects malicious client-side script into Web pages.
“For instance, an attacker could construct an HTML link designed to trigger a malicious script and somehow convince the targeted user to click it,” Microsoft’s Angela Gunn said in a blog post. “When the user clicked that link, the malicious script would run on the user’s computer for the rest of the current Internet Explorer session.” The script could then be used to gather users’ information or display malicious content.
Microsoft says its working on a security fix that will address the glitch, but in the meantime suggests that all Windows users — especially those that also use Internet Explorer — download a “Fix-It Package” that blocks any attempts to take advantage of the vulnerability. Microsoft says it is not aware of any attempts to exploit the loophole. Of all major browsers, Microsoft’s Internet Explorer and Opera Software’s Opera browser are the only that offer native support for MHTML. Mozilla’s Firefox browser offers support for MHTML through a plug-in.