Threat Level: green Handler on Duty: Russell Eubanks

SANS ISC: InfoSec Handlers Diary Blog - Microsoft Security Advisory for MHTML via Internet Explorer (MS2501696/CVE-2011-0096) InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Microsoft Security Advisory for MHTML via Internet Explorer (MS2501696/CVE-2011-0096)

Published: 2011-01-27
Last Updated: 2011-01-28 18:47:54 UTC
by Robert Danford (Version: 1)
5 comment(s)

www.microsoft.com/technet/security/advisory/2501696.mspx

Information on this vulnerability first started surfacing on Full-Disclosure on 1/15/2011.The vulnerability exists in all supported versions of MS Windows except for 2008 with server core. Other installed applications (Adobe Reader, etc) may be leveraged locally via Internet Explorer (including Outlook, etc.)

There appears to be a myriad of ways it can be leveraged and a lot of thought and creativity is being poured into that. So now would be a good time to: test and consider the registry workaround (see advisory); to review group policies for zone settings for Internet Explorer; and to review detection options for email gateways and proxies/NIDS/etc.

From the advisory:

"The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a Web request run in the context of the victim's Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user."

A release date for a fix has not been posted yet.

Relevant/Interesting Links:

Enhanced Security Configuration
http://technet.microsoft.com/en-us/library/dd883248(WS.10).aspx

MHTML Info
http://msdn.microsoft.com/en-us/library/aa767916(v=vs.85).aspx

Server Core
http://technet.microsoft.com/en-us/library/ee441255(WS.10).aspx

CVE-2011-0096
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0096

Advisory
http://www.microsoft.com/technet/security/advisory/2501696.mspx

If you come across any attacks targeting this vulnerability, please upload any details you have (pcap, samples, urls, etc)
via our contact form and we'll review them, share with the community (if you permit us), and post updates to the diary.

Thanks,

Robert Danford

5 comment(s)
Diary Archives