Zero day vulnerability found in Windows MHTML renderer

Filed Under: Internet Explorer, Malware, Microsoft, Vulnerability

Microsoft has just released security advisory 2501696 acknowledging a new zero day flaw in all current versions of Windows (except Server Core). The flaw lies in Windows' MHTML protocol handler: a maliciously crafted web page can inject script that then runs in the wrong security zone, that is, with the trust level of a zone other than the one the content actually came from.

Any application that uses Microsoft's HTML renderer can be attacked, including Internet Explorer. Applications that always open web content in the Restricted sites zone, including Outlook, Outlook Express and Windows Mail, are not affected by the known attack.

There is proof of concept code in the wild, and it seems to be only a matter of time before we see criminals trying to exploit this flaw. For individuals, or people who only manage a small number of computers, Microsoft has provided a Fix it tool that allows you to apply their recommended settings without having to use GPOs or manually edit registry keys.

The SANS Internet Storm Center has posted a diary entry on this as well, listing the current locations for information on this vulnerability.

Microsoft has provided mitigation advice, and I highly recommend you consider deploying the mitigation settings using Group Policy Objects (GPOs) as soon as possible. It will likely be some time before Microsoft is able to release a patch for this vulnerability, and this is one of the cases where it is worth the effort to implement the mitigations rather than wait.
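As an added example (this is not code from the post, from Microsoft or from the Fix it tool), here is one way to push the advisory's registry-based mitigation to a fleet through a GPO and then confirm on a client that the values actually landed. It needs the GroupPolicy module (RSAT on Windows 7, or a Windows Server box) and rights to create and link GPOs. The GPO name and the OU path are hypothetical, and the key/value table is my recollection of the advisory's "MHTML protocol lockdown" workaround, so treat it as an assumption: copy the exact keys and values from KB 2501696 into that table before deploying.

```powershell
# Added example, not from the Sophos post or from Microsoft: deploy the KB 2501696
# MHTML mitigation as registry values in a Group Policy Object, then verify on a client.
# ASSUMPTION: $Mitigation below is my recollection of the Network Protocol Lockdown
# workaround in the advisory. Replace it with the exact values from KB 2501696.

Import-Module GroupPolicy

$GpoName  = 'MHTML protocol lockdown (KB 2501696 workaround)'   # hypothetical name
$TargetOU = 'OU=Workstations,DC=example,DC=com'                 # hypothetical OU

# One entry per registry value: GPO-style key path, value name, type and data.
$Mitigation = @(
    @{ Key = 'HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN'; Name = 'iexplore.exe'; Type = 'DWord';  Value = 1 },
    @{ Key = 'HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN'; Name = 'explorer.exe'; Type = 'DWord';  Value = 1 },
    @{ Key = 'HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN'; Name = '*';            Type = 'DWord';  Value = 1 },
    # Zone 3 = Internet, zone 4 = Restricted sites: refuse mhtml: URLs from those zones.
    @{ Key = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\3'; Name = 'mhtml'; Type = 'String'; Value = 'mhtml' },
    @{ Key = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\4'; Name = 'mhtml'; Type = 'String'; Value = 'mhtml' }
)

function Deploy-MhtmlLockdownGpo {
    param([string]$Name = $GpoName, [string]$Ou = $TargetOU, [array]$Values = $Mitigation)

    # Create the GPO once; re-running the function just re-applies the values.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment 'Temporary mitigation; unlink when the Microsoft patch ships.'
    }

    foreach ($v in $Values) {
        # Set-GPRegistryValue writes into the GPO's Computer Configuration registry policy;
        # clients pick it up at their next Group Policy refresh (gpupdate /force to hurry).
        Set-GPRegistryValue -Name $Name -Key $v.Key -ValueName $v.Name -Type $v.Type -Value $v.Value | Out-Null
    }

    # Link the GPO to the OU holding the computers, unless it is linked already.
    $linked = (Get-GPInheritance -Target $Ou).GpoLinks | Where-Object { $_.DisplayName -eq $Name }
    if (-not $linked) {
        New-GPLink -Name $Name -Target $Ou -LinkEnabled Yes | Out-Null
    }
    return $gpo
}

function Test-MhtmlLockdown {
    # Run this on a client (directly or via Invoke-Command) to confirm every value is present.
    param([array]$Values = $Mitigation)

    $problems = @()
    foreach ($v in $Values) {
        # Translate the GPO-style 'HKLM\...' path into a provider path for Get-Item.
        $path = 'Registry::HKEY_LOCAL_MACHINE\' + $v.Key.Substring(5)
        $key  = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        # GetValue() is literal, which matters for the '*' value name (no wildcard expansion).
        $current = if ($key) { $key.GetValue($v.Name) } else { $null }
        if ($current -ne $v.Value) {
            $problems += "$($v.Key)\$($v.Name) is '$current', expected '$($v.Value)'"
        }
    }

    if ($problems.Count -eq 0) {
        Write-Output 'MHTML protocol lockdown is in effect'
        return $true
    }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

# Typical use from an admin workstation, then on a client after a Group Policy refresh:
#   Deploy-MhtmlLockdownGpo
#   Invoke-Command -ComputerName ws01 -ScriptBlock ${function:Test-MhtmlLockdown}
```

Keeping the values in one table makes the rollback obvious: when the real patch ships, unlink the GPO (or remove the values with Remove-GPRegistryValue) and re-run Test-MhtmlLockdown to confirm the lockdown is gone, which is the GPO equivalent of the "Fix it! Disable" button for home users.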



13 Responses to Zero day vulnerability found in Windows MHTML renderer

  1. Alex T · 1364 days ago

    which is EXACTLY why I use Google Chrome :) :)

    • Vivek Prabhu · 1364 days ago

      Chrome may also be vulnerable not to this attack but some other attack.

      • Jeremy · 1358 days ago

        Firefox FTW. They always update security patches asap and it's open source.

  2. Alex · 1363 days ago

    I thought Chrome has a sandbox in the latest version that traps malware, Vivek. Is that not correct? Is the above vulnerability only for Internet Explorer, or is it a Windows vulnerability? Will using another browser protect you from this flaw? Thanks in advance

    • Chester Wisniewski · 1362 days ago

      The flaw is in Windows, but it only affects products that use the MHTML renderer provided by Microsoft, so it does not affect Firefox, Safari, or Chrome. The flaw could be exploited through other Windows programs which may use the MS render engine.

  3. Darryl Gittins · 1362 days ago

    I'm curious - what are the odds of a typical home user actually getting hit with this? If it's only proof of concept, and not actually being exploited, should one wait for the official patch or is it advisable to actually install the Fix it now?

    • Paul Ducklin · 1362 days ago

      The $64 question!

      For home users, the fix is pretty uncontroversial - go to the page Chester links to above and click the "Fix it! - Enable" button.

      (There is a "Fix it! Disable" button - I guess that sounds better than an Unfix it! button - for when the official patch comes out, or if you decide the workaround is getting in the way somehow.)

      YMMV, but I've applied the Fix it! to my personal Windows 7 box. (OK, virtual machine.) I can still open and read MHTML files which I've saved locally, which is the only sort of MHTML file I've ever wanted or needed to open.

    • Chester Wisniewski · 1362 days ago

      We have not seen any real malware exploiting this, only a proof of concept showing how one might exploit it. At this point you may wish to wait and see, but personally I applied the Fix it as the changes Microsoft make should not break anything in your home network.

  4. Criosdean · 1362 days ago

    As far as I am aware it is the Windows operating system itself that has this vulnerability, so it may not matter which browser you use. And yes, although it's a 'proof of concept', the article does state that it's in the wild and only a matter of time before it is exploited, so better to be safe than sorry, prevention better than cure etc......! The Microsoft 'Fix It' should plug the hole temporarily until they come up with a permanent fix, and is available from their support site. http://support.microsoft.com/kb/2501696

    • JustMe · 1361 days ago

      It's a flaw in Windows parsing, but only IE has the functionality that sees the code as valid code, not harmless text. Other browsers will harmlessly ignore it, therefore it's an IE bug. But Microsoft doesn't want to say that so near to IE9 being released, so they're making it out to be a Windows bug.
      http://www.infoworld.com/t/malware/what-microsoft... has a good writeup, especially regarding ActiveX exploits being classed as IE bugs, despite being exactly the same mechanism as this exploit.

  5. TexasJetter · 1361 days ago

    OK, so I see the registry changes to be made, and the KB article suggests applying them via GPO. Any suggestions as to how to apply the assorted registry updates via GPO?

    • andrew · 1360 days ago

      I created a .reg file from the Microsoft article, and saved it in a common location on our network. Then I created a .bat file that does

          regedit /s \\server\fileshare\reghack.reg

      and put that in both the shutdown and startup scripts in a Group Policy Object that's then linked to the OU with our computers in it.
      I chose both the shutdown and startup scripts, as just the startup script didn't apply to enough computers until they were rebooted too many times, while the startup script seemed to be "quicker" to be deployed and run.

  6. e. Idzerda · 1360 days ago

    Thanks for the update. I feel compelled to say that the best way to avoid the malicious code is not utilizing the exploitable application. I know we can't leave the utopian concept, but I digress.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.