
Microsoft has issued a security bulletin warning of a new, unpatched Windows vulnerability affecting every Windows version from Windows XP through Windows 7, with the exception of Server Core installations of Windows Server 2008 and Windows Server 2008 R2. The flaw lets an attacker run malicious script on a victim's machine simply by getting the victim to visit a web page.
The flaw was disclosed on January 15, and proof-of-concept code has been published. The flaw lies in the way Windows handles MHTML files. MHTML is a mechanism devised by Microsoft to encapsulate a web page and all the objects it needs—scripts, images, stylesheets—into a single MHTML file, to make it easier to save and e-mail web pages. Along with support for the files themselves, Windows supports special MHTML URLs: it is this support that contains the security flaw.
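Because an MHTML file is just a MIME multipart/related archive, the parts it bundles (and whether any of them are scripts) can be inspected with an ordinary MIME parser. The following Python example is added here for illustration and is not code from the article or from Microsoft; the MHTML archive it parses is a small constructed sample, and the `find_script_parts` function is a hypothetical helper that lists script parts a defender might want to know about before a saved page is opened:

```python
import email
from email import policy

# Constructed sample MHTML archive (not taken from the article): one HTML page,
# one external script and one image, packaged as MIME multipart/related the way
# MHTML encapsulates a page and its objects in a single file.
SAMPLE_MHTML = b"""\
From: <saved-page@example.invalid>
Subject: Example page
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000"; type="text/html"

------=_NextPart_000
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Location: http://example.invalid/index.html

<html><body><h1>Hello</h1>
<script src="app.js"></script>
<img src="logo.png"></body></html>

------=_NextPart_000
Content-Type: application/javascript
Content-Transfer-Encoding: 7bit
Content-Location: http://example.invalid/app.js

console.log("constructed script part");

------=_NextPart_000
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Location: http://example.invalid/logo.png

iVBORw0KGgo=

------=_NextPart_000--
"""

# MIME types that carry script directly (assumed list for this example).
SCRIPT_TYPES = {
    "text/javascript",
    "application/javascript",
    "application/x-javascript",
    "text/vbscript",
}


def _body_parts(mhtml_bytes):
    """Yield every non-container part of the archive (skips the multipart wrapper)."""
    msg = email.message_from_bytes(mhtml_bytes, policy=policy.default)
    for part in msg.walk():
        if not part.is_multipart():
            yield part


def list_parts(mhtml_bytes):
    """Return (content_location, content_type) for each object bundled in the MHTML."""
    return [
        (str(part.get("Content-Location")), part.get_content_type())
        for part in _body_parts(mhtml_bytes)
    ]


def find_script_parts(mhtml_bytes):
    """Return (content_location, reason) for parts that contain script.

    Two cases are flagged: a part whose MIME type is itself a script type, and an
    HTML part with an inline or referencing <script> element.
    """
    flagged = []
    for part in _body_parts(mhtml_bytes):
        ctype = part.get_content_type()
        location = str(part.get("Content-Location"))
        if ctype in SCRIPT_TYPES:
            flagged.append((location, "script part"))
        elif ctype == "text/html" and "<script" in part.get_content().lower():
            flagged.append((location, "inline <script> in HTML"))
    return flagged


if __name__ == "__main__":
    for location, ctype in list_parts(SAMPLE_MHTML):
        print(f"{ctype:24} {location}")
    for location, reason in find_script_parts(SAMPLE_MHTML):
        print(f"SCRIPT: {location} ({reason})")
```

Running the block lists the three bundled objects and flags two of them: the HTML part because it references a script, and the JavaScript part because of its MIME type. The script-type list is a starting point; an archive can also smuggle script in other content types, so the check is a triage aid rather than a complete filter.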
Microsoft has not yet released a patch, nor has the company given a timetable for one. Changing certain registry settings prevents MHTML files from loading scripts, which blocks the known attacks on the flaw, and the company has published an automated Fix it that applies the change. The company says it has seen no indication of exploitation in the wild.
Though the flaw was disclosed on January 15, it is a variation of a problem first discovered in 2004 and first reported in 2007. After the 2007 report, Microsoft issued a patch, but as the latest report reveals, that patch was not completely effective.
Posted on 02 February 2011.