Once again, Microsoft has cautioned Windows users against another vulnerability present in Windows’ MHTML (MIME HTML) protocol handler. The still unpatched bug is likely to be exploited for malicious software installations. According to Andrew Storms, the security operations director at nCircle Security, it is a variant of cross-site scripting (XSS) that’ll inject itself into the web page to control a browser session.
The bug script is not only capable of collecting sensitive information but can also interfere with user’s experience. The vulnerability was exposed publicly for the first time when a Chinese website, WooYun.org, presented the proof-of-concept code (PoC). As only IE and Opera browsers support MHTML, Chrome and Firefox users are not vulnerable. The vulnerability is deeply rooted in Windows itself so a patch is unlikely to be released earlier. However, Microsoft has issued a ‘Fixit’ tool that’ll disable the MHTML protocol handler.
Microsoft is continuously encountering a number of vulnerabilities one after another. According to Microsoft, there are already at least five critical vulnerabilities that require patching. These five include another bug exposed by the same Chinese site. Previously, French security firm, Vupen, had also revealed that all the versions of IE are vulnerable to these risks in December last year.
PS: Do you like this post? If so, be sure to sign up for our weekly newsletter
