Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Microsoft Security Advisory for MHTML via Internet Explorer (MS2501696/CVE-2011-0096) - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Microsoft Security Advisory for MHTML via Internet Explorer (MS2501696/CVE-2011-0096)

www.microsoft.com/technet/security/advisory/2501696.mspx

Information on this vulnerability first started surfacing on Full-Disclosure on 1/15/2011.The vulnerability exists in all supported versions of MS Windows except for 2008 with server core. Other installed applications (Adobe Reader, etc) may be leveraged locally via Internet Explorer (including Outlook, etc.)

There appears to be a myriad of ways it can be leveraged and a lot of thought and creativity is being poured into that. So now would be a good time to: test and consider the registry workaround (see advisory); to review group policies for zone settings for Internet Explorer; and to review detection options for email gateways and proxies/NIDS/etc.

From the advisory:

"The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a Web request run in the context of the victim's Internet Explorer. The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user."

A release date for a fix has not been posted yet.

Relevant/Interesting Links:

Enhanced Security Configuration
http://technet.microsoft.com/en-us/library/dd883248(WS.10).aspx

MHTML Info
http://msdn.microsoft.com/en-us/library/aa767916(v=vs.85).aspx

Server Core
http://technet.microsoft.com/en-us/library/ee441255(WS.10).aspx

CVE-2011-0096
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0096

Advisory
http://www.microsoft.com/technet/security/advisory/2501696.mspx

If you come across any attacks targeting this vulnerability, please upload any details you have (pcap, samples, urls, etc)
via our contact form and we'll review them, share with the community (if you permit us), and post updates to the diary.

Thanks,

Robert Danford

Robert

49 Posts
After a careful reading of the advisory, I don't see what the vulnerability really is.

It requires a request to a web server with the MHTML segment in it. Then the script can do anything that a normal script in a normal web page can do "spoof content, disclose information, or take any action that the user could take". In a normal web page this is usually called AJAX (or DOM) scripting.

Is it a problem because MHTML is not supposed to allow this?

Or is it a problem because the attacker can use a non-standard way to put the script into the MHTML page possibly bypassing any signature based checks in AV software?
Nathan Christiansen

20 Posts
Now I see the problem. "It is possible for this vulnerability to allow an attacker to run script in the wrong security context."

Meaning it could possibly do non-blind cross-site request forgery, and bypass checks for cross site scripting.
Nathan Christiansen

20 Posts
They've chucked out a temporary workaround auto "fixit" thing as well:

http://support.microsoft.com/kb/2501696
Alex

19 Posts
The handler also ignores files extensions. So mhtml files can be placed on sites as jpg or whatever. So easy to hide.
Some exploit code is about now.

M
Mark

391 Posts
ISC Handler
- http://secunia.com/advisories/43093/
Release Date: 2011-01-29
Impact: Cross Site Scripting
Where: From remote ...
Solution: Enable MHTML protocol lockdown (either manually or using the available automated "Microsoft Fix it" solution). > http://support.microsoft.com/kb/2501696#FixItForMe
.
Jack

160 Posts

Sign Up for Free or Log In to start participating in the conversation!