The flaw, which lies in the MHTML protocol handler and affects the way Internet Explorer handles web pages and documents, could enable hackers to steal private information or hijack computers, according to the security advisory. Users could inadvertently download malware by clicking on a web link.
Angela Gunn, an analyst with Microsoft’s Trustworthy Computing, explains the result of the flaw this way: “an attacker could construct an HTML link designed to trigger a malicious script and somehow convince the targeted user to click it. When the user clicked that link, the malicious script would run on the user's computer for the rest of the current Internet Explorer session. Such a script might collect user information (e.g., email), spoof content displayed in the browser, or otherwise interfere with the user's experience.”
Microsoft said it is aware of a “proof-of-concept” code that can exploit the flaw, but is not aware of active exploitation. Just in case, it is providing a “fix-it” package that “locks down the MHTML protocol and effectively addresses the issue on the client system where it exists.”
The Microsoft Security Research and Defense Team has written a blog post that discusses the workaround and the fix-it package. It considers the side effects of locking down the MHTML protocol: “the only side effect we have encountered is script execution and ActiveX being disabled within MHT documents. We expect that in most environments this will have limited impact. While MHTML is an important component of Windows, it is rarely used via mhtml: hyperlinks. Most often, MHTML is used behind the scenes, and those scenarios would not be impacted by the network protocol lockdown.”
The company said that it is working on a permanent fix for the flaw, and it is monitoring the “threat landscape very closely.” Any changes will be posted on the Microsoft Security Response Center blog.