Zero day vulnerability found in Windows MHTML renderer

Microsoft Fix it for MHTML flawMicrosoft has just released security advisory 2501696 acknowledging a new zero day flaw in all current versions of Windows (except Server Core). The flaw appears to allow maliciously crafted web pages to execute code in any “zone” regardless of which zone is specified.

Any applications that use Microsoft’s HTML renderer can be attacked including Internet Explorer, but applications that always open web content in the “Restricted zone” are not affected including Outlook, Outlook Express, and Windows Mail.

There is proof of concept code in the wild and it seems to be only a matter of time before we see criminals trying to exploit this flaw. For individuals, or people who only manage a small number of computers, Microsoft has provided a Fix it tool that allows to to apply their recommended settings without having to use GPOs or having to manually edit registry keys.

The SANS Internet Storm Center has posted a blog on this as well, noting all the current locations for information on this vulnerability.

Microsoft has provided mitigation advice and I highly recommend you consider deploying the mitigation settings using Group Policy Objects (GPOs) as soon as possible. It will likely be some time before Microsoft is able to release a patch for this vulnerability and this is one of the cases where it is likely worth the effort to implement the mitigations.