Windows MHTML Vulnerability Warning From Microsoft

jhernik writes "An HTML scripting bug impacting all supported versions of Windows is receiving Microsoft's attention Microsoft issued an advisory on a Windows security vulnerability today after exploit code for the bug went public. The bug, which lies in the MIME Encapsulation of Aggregate HTML (MHTML) protocol handler, can be exploited to cause data leakage. Though proof-of-concept code for the vulnerability has already gone public, the company said it is unaware of any attempts to exploit the bug." This might seem familiar to you, but considering how many times I saw it submitted this morning, it probably doesn't ;)

Dupe

[Lord Byron II]

http://tech.slashdot.org/story/11/01/29/0050223/New-Critical-Bug-In-All-Current-Windows-Versions [slashdot.org]

Re:

[Ephemeriis]

http://tech.slashdot.org/story/11/01/29/0050223/New-Critical-Bug-In-All-Current-Windows-Versions [slashdot.org]

The fact that it's a dupe is actually mentioned right in the summary...

Re:

[Thelasko]

The fact that it's a dupe is actually mentioned right in the summary...

I think it was added after the original story, because I don't remember it being there a few minutes ago.

Re:

[Anonymous Coward]

You are correct. It was a silent, unmarked edit. Design may have changed, but editor behavior hasn't.

Re:

[Culture20]

Sometimes a duplicate story is important. Monday morning is a nice time to re-hash a warning that some tech folk might not have seen over the weekend.

Re:

[1u3hr]

. Monday morning is a nice time to re-hash a warning that some tech folk might not have seen over the weekend.

If it's actually your job to know this, you had better not be depending on Commander Taco to keep you informed.

Posted just after /.'s changeover to new version.

[Ungrounded Lightning]

That was posted last Friday. I suspect a lot of people didn't see it because slashdot had recently changed to the new format that is virtually unreadable on older browsers - or even recent Firefox versions.

I notice that things are substantially better today, at least for the older firefox 2.0.0.8. Maybe they got fixed up enough that more people will see this posting.

Can't make a gorilla change its spots.

[Anonymous Coward]

So, what have we learned in 2010? MS will deny the existence of a bug, at the very least until proof-of-concept is published; afterwards, they'll downplay it by saying "it's not really critical at all, but you should update ASAP because, uh, eh, well, the stars are right or something, but definitely not critical, nosir, not at all". In other words, same old, same old. Nothing to see here, move along.

Feature

[mbarnsdale]

It's a feature, not a bug...

Re:

[fuzzyfuzzyfungus]

It is true that, for all the freetard crowing about their precious "SSH", Microsoft is an industry leader in built-in remote access and administration tools. Many of them are so easy and intuitive that they can be configured an enabled without user intervention, or simply by visiting a website!

Re:

[h4rm0ny]

Freetard == Pirates. Libre software is not in the same category. As someone who comfortably uses MS software (albeit also uses Gentoo), if you really want to promote MS Products, please lend your support to the "other side" because you ain't helping MS's PR by spouting a load of crap on their behalf. I don't know what the Hell you find worth mocking in "SSH". It's something pretty fundamental and used by everyone.

Re:

[Jawnn]

It is also sadly true that moderators (and other respondents) are often sarcasm-challenged.

Re:

[fuzzyfuzzyfungus]

I figured that my sarcasm was broad enough(especially since I was just elaborating the "it's a feature not a bug" stock reply); but apparently not.

Ah well. Not every day you can be accused of shilling for Bill for a comment made from Konqueror running on a remote debian host over an ssh -X tunnel...

Re:

[mikechant]

I'll fess up and say I modded too hastily, immediately realized I was wrong and am posting to undo.
Would be nice to be able to undo an individual mistaken mod (say within a couple of minutes), but I'll try to not jump the gun in future.

Here's the MS Fixit link from the original article

[jayemcee]

http://support.microsoft.com/kb/2501696 [microsoft.com]

Manual method (vs. Ms FixIt)

[Anonymous Coward]

TO APPLY THIS FIX:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
"explorer.exe"=dword:00000001
"iexplore.exe"=dword:00000001
"*"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1]
"mhtml"="mhtml"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\

Re:Manual method (vs. Ms FixIt)

[Smallpond]

I'm going to edit my registry based on the word of AC. Seems like a reliable source.

Re:

[RussellSHarris]

So what you're saying is, you copied & pasted code from the MSDN website (which has "© 2011 Microsoft Corporation. All rights reserved." printed at the bottom) without citing the source of the information that you ripped from it.

Isn't that called plagiarism?

Re:

[zeroshade]

Please link to some proof that you are who you say you are, and you have done what you say you have done. For all anyone knows you are a random person claiming the initials APK and claiming that you have done oh so much. In reality, it is difficult for you to prove anything seeing as you aren't even logged in so if multiple people were posting the same way, there's no way to know the difference.

If you are as knowledgeable as you claim to be, then you would know that it is stupid to follow the instructions o

Useless features.

[Anonymous Coward]

I'm pretty sure if MHTML were wiped off the face of the earth tomorrow, nobody would miss it. Why must we have all these useless data formats / protocols / standards? They are nothing but security holes.

MHTML is HTML in a MIME container

[tepples]

MHTML [wikipedia.org] is nothing more than a MIME multipart message containing HTML. If there's a vulnerability in IE's handling of MHTML, then there's probably a vulnerability in each mail client that Microsoft maintains.

Are you at risk if you use an "alternate" browser?

[HouseOfMisterE]

Are you at risk if you use an alternate web browser like Firefox, Opera, or Chrome?

Re:

[The MAZZTer]

Chrome seems to just render a blank document for mhtml: urls, and doesn't let you enter them in the omnibox directly (it searches instead). Firefox gets confused and thinks mhtml: is not associated with any application and so refuses to open it. (Even if it didn't, IIRC it'll ask you whether you want to open it or not.)

Re:

[RussellSHarris]

Chrome seems to just render a blank document for mhtml: urls, and doesn't let you enter them in the omnibox directly... Firefox gets confused and thinks mhtml: is not associated with any application

Yeah. Probably because "mhtml" isn't a valid URL protocol, according to HKEY_CLASSES_ROOT.

"My Computer\HKEY_CLASSES_ROOT\mhtml" doesn't exist.

"My Computer\HKEY_CLASSES_ROOT\mhtmlfile" exists, but it doesn't have the "URL Protocol" REG_SZ flag set.

Here we have yet another example of Internet Explorer / Windows doing things in non-standard ways and breaking everything else. The MSDN Library even has a how-to page describing how to register an application to a URL protocol [microsoft.com]...

For instance, to add an "alert:" protocol, add an alert key to HKEY_CLASSES_ROOT, as follows [...] Under this new key, the URL Protocol string value indicates that this key declares a custom protocol handler. Without this key, the handler application will not launch. [...]

HKEY_CLASSES_ROOT
alert
(Default) = "URL:Alert Protocol"
URL Protocol = ""
DefaultIcon
(Default) = "alert.exe,1"
shell
open
command
(Default) = "C:\Program Files\Alert\alert.exe" "%1"quote>

Re:Are you at risk if you use an "alternate" brows

[modmans2ndcoming]

Opera has fixed this. Firefox crashes. I would hope Chrome has fixed it because Google is the company that discovered the problem.

Re:

[RussellSHarris]

Firefox does not "crash". It pops up an alert message which reads as follows:

Firefox doesn't know how to open this address, because the protocol (mhtml) isn't associated with any program.

...which it isn't. Go check HKEY_CLASSES_ROOT...

Re:

[shutdown -p now]

So wait, it affected Opera as well? Is it because it used some IE bits to handle MHTML, or because any naive implementation of it is prone to that bug?

Re:

[Ol Olsoc]

Yes, because plenty of programs use IE, even if it doesn't appear that way. Make sure you install the fix.