Microsoft Warns of Windows MHTML XSS Vulnerability

Kara Reeder

According to Computerworld, Microsoft has issued a security advisory for an unpatched Windows flaw that could allow attackers to steal information and dupe people into installing malware.


Andrew Storms, director of security operations at nCircle Security, calls the bug a variant of a cross-site scripting vulnerability. A post on the Microsoft Security Response Center explains:

The vulnerability lies in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler, which is used by applications to render certain kinds of documents ... an attacker could construct an HTML link designed to trigger a malicious script and somehow convince the targeted user to click it. When the user clicked that link, the malicious script would run on the user's computer for the rest of the current Internet Explorer session. Such a script might collect user information (e.g., email), spoof content displayed in the browser, or otherwise interfere with the user's experience.

While all supported versions of Windows contain the flawed protocol handler, only Internet Explorer users are at risk. Although the tech giant has not seen any evidence of active exploits, it has released a "Fixit" tool to lock down the MHTML protocol handler.
