Forgot your password?
typodupeerror
Security Windows Technology IT

Windows MHTML Vulnerability Warning From Microsoft 49

Posted by CmdrTaco
from the thats-bad-mmkay dept.
jhernik writes "An HTML scripting bug impacting all supported versions of Windows is receiving Microsoft's attention Microsoft issued an advisory on a Windows security vulnerability today after exploit code for the bug went public. The bug, which lies in the MIME Encapsulation of Aggregate HTML (MHTML) protocol handler, can be exploited to cause data leakage. Though proof-of-concept code for the vulnerability has already gone public, the company said it is unaware of any attempts to exploit the bug." This might seem familiar to you, but considering how many times I saw it submitted this morning, it probably doesn't ;)
This discussion has been archived. No new comments can be posted.

Windows MHTML Vulnerability Warning From Microsoft

Comments Filter:
    • The fact that it's a dupe is actually mentioned right in the summary...

      • by Thelasko (1196535)

        The fact that it's a dupe is actually mentioned right in the summary...

        I think it was added after the original story, because I don't remember it being there a few minutes ago.

        • by Anonymous Coward

          You are correct. It was a silent, unmarked edit. Design may have changed, but editor behavior hasn't.

    • by Culture20 (968837)
      Sometimes a duplicate story is important. Monday morning is a nice time to re-hash a warning that some tech folk might not have seen over the weekend.
      • by 1u3hr (530656)
        . Monday morning is a nice time to re-hash a warning that some tech folk might not have seen over the weekend.

        If it's actually your job to know this, you had better not be depending on Commander Taco to keep you informed.

    • That was posted last Friday. I suspect a lot of people didn't see it because slashdot had recently changed to the new format that is virtually unreadable on older browsers - or even recent Firefox versions.

      I notice that things are substantially better today, at least for the older firefox 2.0.0.8. Maybe they got fixed up enough that more people will see this posting.

  • by Anonymous Coward

    So, what have we learned in 2010? MS will deny the existence of a bug, at the very least until proof-of-concept is published; afterwards, they'll downplay it by saying "it's not really critical at all, but you should update ASAP because, uh, eh, well, the stars are right or something, but definitely not critical, nosir, not at all". In other words, same old, same old. Nothing to see here, move along.

  • It's a feature, not a bug...
    • Re: (Score:1, Troll)

      It is true that, for all the freetard crowing about their precious "SSH", Microsoft is an industry leader in built-in remote access and administration tools. Many of them are so easy and intuitive that they can be configured an enabled without user intervention, or simply by visiting a website!
      • by h4rm0ny (722443)
        Freetard == Pirates. Libre software is not in the same category. As someone who comfortably uses MS software (albeit also uses Gentoo), if you really want to promote MS Products, please lend your support to the "other side" because you ain't helping MS's PR by spouting a load of crap on their behalf. I don't know what the Hell you find worth mocking in "SSH". It's something pretty fundamental and used by everyone.
      • by Jawnn (445279)
        It is also sadly true that moderators (and other respondents) are often sarcasm-challenged.
        • I figured that my sarcasm was broad enough(especially since I was just elaborating the "it's a feature not a bug" stock reply); but apparently not.

          Ah well. Not every day you can be accused of shilling for Bill for a comment made from Konqueror running on a remote debian host over an ssh -X tunnel...
          • by mikechant (729173)

            I'll fess up and say I modded too hastily, immediately realized I was wrong and am posting to undo.
            Would be nice to be able to undo an individual mistaken mod (say within a couple of minutes), but I'll try to not jump the gun in future.

    • by Anonymous Coward

      TO APPLY THIS FIX:

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
      "explorer.exe"=dword:00000001
      "iexplore.exe"=dword:00000001
      "*"=dword:00000001

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1]
      "mhtml"="mhtml"

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\

      • by Smallpond (221300) on Monday January 31, 2011 @11:51AM (#35056948) Homepage Journal

        I'm going to edit my registry based on the word of AC. Seems like a reliable source.

  • by Anonymous Coward
    I'm pretty sure if MHTML were wiped off the face of the earth tomorrow, nobody would miss it. Why must we have all these useless data formats / protocols / standards? They are nothing but security holes.
  • Are you at risk if you use an alternate web browser like Firefox, Opera, or Chrome?

    • Chrome seems to just render a blank document for mhtml: urls, and doesn't let you enter them in the omnibox directly (it searches instead). Firefox gets confused and thinks mhtml: is not associated with any application and so refuses to open it. (Even if it didn't, IIRC it'll ask you whether you want to open it or not.)
      • Chrome seems to just render a blank document for mhtml: urls, and doesn't let you enter them in the omnibox directly... Firefox gets confused and thinks mhtml: is not associated with any application

        Yeah. Probably because "mhtml" isn't a valid URL protocol, according to HKEY_CLASSES_ROOT.

        "My Computer\HKEY_CLASSES_ROOT\mhtml" doesn't exist.

        "My Computer\HKEY_CLASSES_ROOT\mhtmlfile" exists, but it doesn't have the "URL Protocol" REG_SZ flag set.

        Here we have yet another example of Internet Explorer / Windows doing things in non-standard ways and breaking everything else. The MSDN Library even has a how-to page describing how to register an application to a URL protocol [microsoft.com]...

        For instance, to add an "alert:" protocol, add an alert key to HKEY_CLASSES_ROOT, as follows [...] Under this new key, the URL Protocol string value indicates that this key declares a custom protocol handler. Without this key, the handler application will not launch. [...]

        HKEY_CLASSES_ROOT
        alert

        (Default) = "URL:Alert Protocol"
        URL Protocol = ""
        DefaultIcon
        (Default) = "alert.exe,1"
        shell
        open
        command

        (Default) = "C:\Program Files\Alert\alert.exe" "%1"quote>

    • by modmans2ndcoming (929661) on Monday January 31, 2011 @11:50AM (#35056926)

      Opera has fixed this. Firefox crashes. I would hope Chrome has fixed it because Google is the company that discovered the problem.

      • Firefox does not "crash". It pops up an alert message which reads as follows:

        Firefox doesn't know how to open this address, because the protocol (mhtml) isn't associated with any program.

        ...which it isn't. Go check HKEY_CLASSES_ROOT...

      • So wait, it affected Opera as well? Is it because it used some IE bits to handle MHTML, or because any naive implementation of it is prone to that bug?

    • by Ol Olsoc (1175323)
      Yes, because plenty of programs use IE, even if it doesn't appear that way. Make sure you install the fix.

"Now this is a totally brain damaged algorithm. Gag me with a smurfette." -- P. Buhr, Computer Science 354

Working...