According to Computerworld, Microsoft has issued a security advisory for an unpatched Windows flaw that could allow attackers to steal information and dupe people into installing malware.
Andrew Storms, director of security operations at nCircle Security, calls the bug a variant of a cross-site scripting vulnerability. A post on the Microsoft Security Response Center explains:
The vulnerability lies in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler, which is used by applications to render certain kinds of documents ... an attacker could construct an HTML link designed to trigger a malicious script and somehow convince the targeted user to click it. When the user clicked that link, the malicious script would run on the user's computer for the rest of the current Internet Explorer session. Such a script might collect user information (e.g., email), spoof content displayed in the browser, or otherwise interfere with the user's experience.
While all supported versions of Windows contain the flawed protocol handler, only Internet Explorer users are at risk, notes PCWorld.com. Although the tech giant has not seen any evidence of active exploits, it has released a "Fixit" tool to lock down the MHTML protocol handler.