Microsoft hit by zero-day Windows vulnerability

Microsoft issued an advisory on the problem late on Friday 28th and, according to Wolfgang Kandek, CTO of Qualys, the flaw allows attackers to run JavaScript code if the user browses a malicious site using Internet Explorer.

Kandek says this suggests that Internet Explorer is the only browser client affected by the problem.

A patch is in progress from Redmond, but Microsoft says that concerned users can install a workaround that secures the way in which Windows handles MHTML documents.

According to Andrew Storms, director of security with vulnerability specialist nCircle, 2011 is not off to an auspicious start for Microsoft's security staff.

"In early January Jonathan Ness posted an explanation of five public security bugs Microsoft was tracking to the SRD blog", he said, adding that just two short weeks later, we have another bug to add to the list.

"At first glance today's advisory looks grim because it affects every supported Windows platform. However, even though the proof-of-concept code is public, carrying out an attack using this complicated cross-site scripting-like bug will not be easy", he explained.

"Because of this, attacks are probably not imminent but users should still follow the mitigation advice in the advisory. Locking down the MHTML protocol is likely to have a nominal impact on most users and will go a long way toward protecting their browsing experience", he said.
