Slashdot Mirror
Windows MHTML Vulnerability Warning From Microsoft
jhernik writes "An HTML scripting bug impacting all supported versions of Windows is receiving Microsoft's attention Microsoft issued an advisory on a Windows security vulnerability today after exploit code for the bug went public. The bug, which lies in the MIME Encapsulation of Aggregate HTML (MHTML) protocol handler, can be exploited to cause data leakage. Though proof-of-concept code for the vulnerability has already gone public, the company said it is unaware of any attempts to exploit the bug." This might seem familiar to you, but considering how many times I saw it submitted this morning, it probably doesn't ;)
http://tech.slashdot.org/story/11/01/29/0050223/New-Critical-Bug-In-All-Current-Windows-Versions
So, what have we learned in 2010? MS will deny the existence of a bug, at the very least until proof-of-concept is published; afterwards, they'll downplay it by saying "it's not really critical at all, but you should update ASAP because, uh, eh, well, the stars are right or something, but definitely not critical, nosir, not at all". In other words, same old, same old. Nothing to see here, move along.
It's a feature, not a bug...
http://support.microsoft.com/kb/2501696
I'm pretty sure if MHTML were wiped off the face of the earth tomorrow, nobody would miss it. Why must we have all these useless data formats / protocols / standards? They are nothing but security holes.
Are you at risk if you use an alternate web browser like Firefox, Opera, or Chrome?
TO APPLY THIS FIX:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
"explorer.exe"=dword:00000001
"iexplore.exe"=dword:00000001
"*"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1]
"mhtml"="mhtml"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\2]
"mhtml"="mhtml"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\3]
"mhtml"="mhtml"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\4]
"mhtml"="mhtml"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
"explorer.exe"=dword:00000001
"iexplore.exe"=dword:00000001
"*"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1]
"mhtml"="mhtml"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\2]
"mhtml"="mhtml"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\3]
"mhtml"="mhtml"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\4]
"mhtml"="mhtml"
----
TO UNDO THIS FIX:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
"explorer.exe"=dword:00000000
"iexplore.exe"=dword:00000000
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
"explorer.exe"=dword:00000000
"iexplore.exe"=dword:00000000
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols]
---
(For those of you that want to "know what's 'going on', under the hood"...
APK
MHTML is nothing more than a MIME multipart message containing HTML. If there's a vulnerability in IE's handling of MHTML, then there's probably a vulnerability in each mail client that Microsoft maintains.
Chrome seems to just render a blank document for mhtml: urls, and doesn't let you enter them in the omnibox directly (it searches instead). Firefox gets confused and thinks mhtml: is not associated with any application and so refuses to open it. (Even if it didn't, IIRC it'll ask you whether you want to open it or not.)
It depends.
For web browsing? no.
But IE isn't just used for browsing. That's why MS argued so heavily that they *can't* unbundle IE from the OS.
Use Outlook Express for reading email? IE does the work of rendering the email's body in the window.
Use any applications with MS-standard helpfiles? IE is used to render those.
These are just two examples.
The question is, do any programs that delegate content rendering to IE choke if they're used to open MTML content, or do they just blindly pass it along?
Opera has fixed this. Firefox crashes. I would hope Chrome has fixed it because Google is the company that discovered the problem.
Are you at risk if you use an alternate web browser like Firefox, Opera, or Chrome?
Firefox, Opera,and Chrome are browsers.
Internet Explorer is the badly named front end for Windows Update in Windows XP and earlier. Sure, you can use it for other tasks, but that's like using a hand grenade as a hammer.
Chrome seems to just render a blank document for mhtml: urls, and doesn't let you enter them in the omnibox directly... Firefox gets confused and thinks mhtml: is not associated with any application
Yeah. Probably because "mhtml" isn't a valid URL protocol, according to HKEY_CLASSES_ROOT.
"My Computer\HKEY_CLASSES_ROOT\mhtml" doesn't exist.
"My Computer\HKEY_CLASSES_ROOT\mhtmlfile" exists, but it doesn't have the "URL Protocol" REG_SZ flag set.
Here we have yet another example of Internet Explorer / Windows doing things in non-standard ways and breaking everything else. The MSDN Library even has a how-to page describing how to register an application to a URL protocol...
For instance, to add an "alert:" protocol, add an alert key to HKEY_CLASSES_ROOT, as follows [...] Under this new key, the URL Protocol string value indicates that this key declares a custom protocol handler. Without this key, the handler application will not launch. [...]
HKEY_CLASSES_ROOT
alert
(Default) = "URL:Alert Protocol"
URL Protocol = ""
DefaultIcon
(Default) = "alert.exe,1"
shell
open
command
(Default) = "C:\Program Files\Alert\alert.exe" "%1"quote>
Firefox does not "crash". It pops up an alert message which reads as follows:
Firefox doesn't know how to open this address, because the protocol (mhtml) isn't associated with any program.
...which it isn't. Go check HKEY_CLASSES_ROOT...
See the "Suggested Actions" section, on the same link that jayemcee posted here :
http://www.microsoft.com/technet/security/advisory/2501696.mspx
(You'll see the same things I posted. I put up the one for 64-bit Windows is all, since more users are using it than the 32-bit version of Windows 7).
APK
P.S.=> Now, why I even BOTHER deal with some troll like yourself, that's quite obviously illiterate and lazy, I will NEVER know... but, there you are! apk
http://www.microsoft.com/technet/security/advisory/2501696.mspx
Eat your words, you stupid little troll, and learn to READ...
I have just posted the SAME REPLY to you, in essence, as I did to the other dolt, "smallpond" (more like small brain and low literacy rate on his end, lol), as I did to here, here:
http://tech.slashdot.org/comments.pl?sid=1973914&cid=35058394
Yourself & SmallPond? Exemplary of what's wrong with the youth of today - lazy, ignorant, and STUPID! I have to generalize, but, thank god not all the young are like yourself, & SmallPond (small mind is more like it).
APK
P.S.=> Because in case you hadn't noticed, you moronic little dolt? What I posted IS what MS suggested as a valid workaround (until they TOTALLY fix this issue)... apk
Ahem: I posted completely valid information, straight from the horses mouth (MS)... which you tried to say was invalid no less... lol, now? Now, you "eat your words"!
(By the way? My reply was also up-modded to +2 also!)
Now, you? LOL, you have to sit there now, and eat your words... & that IS that!
(So, Learn to read next time, instead of shooting your stupid piehole off, and you'd be FAR better off than you are now, with egg on your face, shithead!)
APK
P.S.=>
"If you'd have linked to that originally, people could have had the information from a site they trusted, not some random guy posting anonymously and calling himself "apk", which appears to be a file format for the Android platform similar to the .jar Java archive filetype" - by Anonymous Coward on Monday January 31, @01:05PM (#35058550)
Ahem: I OWN "APK", far longer than GOOGLE has... they are my initials, literally, & since this day in the 1960's no less (it's my b-day today)... yet again you've shot your piehole off, only to look stupid, once more on your part.
---
"Plus they would have both the 32-bit and 64-bit instructions, not to mention that MSDN appears to know how to use basic HTML, unlike you. Here's a few pointers to get you started" - by Anonymous Coward on Monday January 31, @01:05PM (#35058550)
Also, before the "likes of you", a FUCKING NOBODY, tries to "patronize me"?
(You, who obviously have done nothing of note in this field in your ENTIRE LIFE you little shit?)
Well...
The day you've done more than this, and before I did, in the arena of the computer sciences that was noted well by respected publications in this art & science + ended up with my work in commercial wares also, per this PARTIAL LIST ONLY (of my favs)?
---
Windows NT Magazine (now Windows IT Pro) April 1997 "BACK OFFICE PERFORMANCE" issue, page 61
(&, for work done for EEC Systems/SuperSpeed.com on PAID CONTRACT (writing portions of their SuperCache program increasing its performance by up to 40% via my work) albeit, for their SuperDisk & HOW TO APPLY IT, took them to a finalist position @ MS Tech Ed, two years in a row 2000-2002, in its HARDEST CATEGORY: SQLServer Performance Enhancement).
WINDOWS MAGAZINE, 1997, "Top Freeware & Shareware of the Year" issue page 210, #1/first entry in fact (my work is there)
PC-WELT FEB 1998 - page 84, again, my work is featured there
WINDOWS MAGAZINE, WINTER 1998 - page 92, insert section, MUST HAVE WARES, my work is again, there
PC-WELT FEB 1999 - page 83, again, my work is featured there
CHIP Magazine 7/99 - page 100, my work is there
GERMAN PC BOOK, Data Becker publisher "PC Aufrusten und Repairen" 2000, where my work is contained in it
HOT SHAREWARE Numero 46 issue, pg. 54 (PC ware mag from Spain), 2001 my work is there, first one featured, yet again!
Also, a British PC Mag in 2002 for many utilities I wrote, saw it @ BORDERS BOOKS but didn't buy it... by that point, I had moved onto other areas in this field besides coding only...
Being paid for an article that made me money over @ PCPitstop in 2008 for writing up a guide that has people showing NO VIRUSES/SPYWARES & other screwups, via following its point, such as THRONKA sees here -> http://www.xtremepccentral.com/forums/showthread.php?s=ee926d913b81bf6d63c3c7372fd2a24c&t=28430&page=3
Lastly, lately (this year)?
It's also been myself helping out the folks at the UltraDefrag64 project (a 64-bit defragger for Windows), in showing them code for how to do Process Priority Control @ the GUI usermode/ring 3/rpl 3 level in their program (good one too), & being credited for it by their lead dev & his team... see here -> http://ultradefrag.sourceforge.net/handbook/Credits.html
---
Ahem: In case you hadn't noticed? The poster I replied to jayemcee and HIS link/url lead right to the one I put up later in response to yourself, an AC troll, as well as the other troll "SmallPond".
I didn't see the need to post another URL from MS is all, even though I did later for you illiterate little trolls that skimmed over it from jaymcee's post URL link... but, there's NO doubting I posted valid information, and info. that came right from MS!
(Readers here could have easily seen the information I posted, and being led there from the very page that jaymcee used which I replied to, which led to the one I posted!)
APK
P.S.=> I really truly pity the likes of you online, I really do: All you do is act the ridiculous little troll to others... real "contribution" there on YOUR part, troll! apk
You mean present in all releases of the product.
Better yet, all releases have this flaw.
"Impact" is what happens when a solid object strikes another solid object.
"Impacting" means almost nothing but suggests the vulnerability occurred recently.
No, it has been present all along.
So wait, it affected Opera as well? Is it because it used some IE bits to handle MHTML, or because any naive implementation of it is prone to that bug?
"Gee.. such aggression.. why?" - by Anonymous Coward on Monday January 31, @02:35PM (#35059502)
Yes, just as I suspected: You're a done nothing of note in computer science troll, who attempts to patronize others ontop of being shown you are incorrect in insinuating I posted bad information!
(LOL, and you had the NERVE to try to tell me "what's-what" in the realm of computer sciences? Please...)
APK
P.S.=> This "ring a bell" there, dimwit? You said this to me:
"not to mention that MSDN appears to know how to use basic HTML, unlike you. Here's a few pointers to get you started" - by Anonymous Coward on Monday January 31, @01:05PM (#35058550)
So, since you're "such an expert on things computing"? Well, show us you've done more than I have & earlier than I have + to equal respect/notoriety in the realm of computing as I have....
AFTER ALL:
http://tech.slashdot.org/comments.pl?sid=1973914&cid=35058754
YOU were asked to do so after your attempt @ "patronizing me" in the url above from this very exchange, & it's now rather FUNNY how you "run away" from that now, after that quote of YOUR WORDS directed MY WAY, above... apk
That was posted last Friday. I suspect a lot of people didn't see it because slashdot had recently changed to the new format that is virtually unreadable on older browsers - or even recent Firefox versions.
I notice that things are substantially better today, at least for the older firefox 2.0.0.8. Maybe they got fixed up enough that more people will see this posting.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
"I'm not the same AC as before. You can tell, in part, because I have a very different writing style." - by Anonymous Coward on Monday January 31, @09:48PM (#35063398)
Ahem: BULLSHIT! Who do you think you are fooling?
APK
P.S.=>
"You're being INCREDIBLY hostile to people suggesting that maybe you should have linked the source." - by Anonymous Coward on Monday January 31, @09:48PM (#35063398)
Uhm, troll? First of all, AGAIN:
The original poster, jaymcee, and the URL he listed? Has the one with the data from MS I used, RIGHT IN IT @ THE TOP!
There was NO real reason for me to post the URL again, even though I did to satisfy the jackass nitpicking trolls around here, who MOSTLY haven't done SHIT with themselves!
Yet, they're trying to "patronize me" & yes, also INSULT ME?
(Man, LMAO - please, give us a break & just fuck off!)
---
"It's not a good idea to follow your suggestions, even though they happen to be correct. " - by Anonymous Coward on Monday January 31, @09:48PM (#35063398)
Contradicting yourself? Please - Do you have ANY IDEA how STUPID you sound after saying that?
(I.E.-> Even though I am correct, it's incorrect to use what I posted?? Even though it's been VERIFIED as coming from "The Horses Mouth", in MS???)
Again, give us a fucking break, you waste of life troll...
---
"It's a terrible idea to do it based on your say-so.." - by Anonymous Coward on Monday January 31, @09:48PM (#35063398)
My "say so" carries a HELL OF A LOT MORE WEIGHT in this art & science than you & yours here EVER will, shit head... get used to it! apk
"And please, please stop acting like you're better than everybody else. You aren't." - by Anonymous Coward on Monday January 31, @09:48PM (#35063398)
No, I am just saying, AND SHOWING, that in the art & science of computing, I am ONE HELL OF A LOT BETTER THAN YOU APPEAR TO BE, even though you f'd up badly in your trolling me... and?
I'm done "mincing words" with an off-topic little troll like you & even attempting to be polite to a worm like you...
So, since you said that?
WELL - Quit running away from proving YOU ARE BETTER THAN I AM IN THIS ART & SCIENCE then, big talker/armchair QB, & please: DO show us you've done more than the list below, to your name/credit!
Anyone can "talk a game", you pitiful "armchair QB"... it's QUITE another to have done the job & done well @ it... but then, you'd never know that feeling now, would you? I doubt it.
---
Windows NT Magazine (now Windows IT Pro) April 1997 "BACK OFFICE PERFORMANCE" issue, page 61
(&, for work done for EEC Systems/SuperSpeed.com on PAID CONTRACT (writing portions of their SuperCache program increasing its performance by up to 40% via my work) albeit, for their SuperDisk & HOW TO APPLY IT, took them to a finalist position @ MS Tech Ed, two years in a row 2000-2002, in its HARDEST CATEGORY: SQLServer Performance Enhancement).
WINDOWS MAGAZINE, 1997, "Top Freeware & Shareware of the Year" issue page 210, #1/first entry in fact (my work is there)
PC-WELT FEB 1998 - page 84, again, my work is featured there
WINDOWS MAGAZINE, WINTER 1998 - page 92, insert section, MUST HAVE WARES, my work is again, there
PC-WELT FEB 1999 - page 83, again, my work is featured there
CHIP Magazine 7/99 - page 100, my work is there
GERMAN PC BOOK, Data Becker publisher "PC Aufrusten und Repairen" 2000, where my work is contained in it
HOT SHAREWARE Numero 46 issue, pg. 54 (PC ware mag from Spain), 2001 my work is there, first one featured, yet again!
Also, a British PC Mag in 2002 for many utilities I wrote, saw it @ BORDERS BOOKS but didn't buy it... by that point, I had moved onto other areas in this field besides coding only...
Being paid for an article that made me money over @ PCPitstop in 2008 for writing up a guide that has people showing NO VIRUSES/SPYWARES & other screwups, via following its point, such as THRONKA sees here -> http://www.xtremepccentral.com/forums/showthread.php?s=ee926d913b81bf6d63c3c7372fd2a24c&t=28430&page=3
Lastly, lately (this year)?
It's also been myself helping out the folks at the UltraDefrag64 project (a 64-bit defragger for Windows), in showing them code for how to do Process Priority Control @ the GUI usermode/ring 3/rpl 3 level in their program WITH CODE for it (their app's a good one too), & being credited for it by their lead dev & his team... see here -> http://ultradefrag.sourceforge.net/handbook/Credits.html
---
I mean, lol, if you'd done even 1/2 of that list??
Then, MAYBE THEN, I'd even pay you & those of "your ilk" online, any mind whatsoever:
APK
P.S.=> Going to run away, 2nd time now/again, from proving YOU are better than I am in this field then, even though you tried to "patronize me" with this line of crap, requoted for all reading here's reference:
"MSDN appears to know how to use basic HTML, unlike you. Here's a few pointers to get you started" - by Anonymous Coward on Monday January 31, @01:05PM (#35058550)
See above, drink it in & digest it, you pitiful ne'er do well arrogant troll... on your best day in your entire existence? You couldn't even do a fraction of what I can show from only a small partial list to my credit in fact... and you're trying to condescend to me/patronize me?
You're the one who has to backup his big mouth now, so go for it... big talker/armchair QB... apk
Yes, because plenty of programs use IE, even if it doesn't appear that way. Make sure you install the fix.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
Please link to some proof that you are who you say you are, and you have done what you say you have done. For all anyone knows you are a random person claiming the initials APK and claiming that you have done oh so much. In reality, it is difficult for you to prove anything seeing as you aren't even logged in so if multiple people were posting the same way, there's no way to know the difference.
If you are as knowledgeable as you claim to be, then you would know that it is stupid to follow the instructions of some person you've never heard of simply because they say they are knowledgeable and claim to have done a lot of development.
Prove you are who you say you are, if you're offering such advice. Anyone can take an internet nickname and use it anywhere. It's not like you have it patented.
If you are as knowledgeable as you claim to be, then you would know that it is stupid to follow the instructions of some person you've never heard of simply because they say they are knowledgeable and claim to have done a lot of development. by zeroshade (1801584) on Saturday February 05, @12:37AM (#35109612)
If you are as knowledgeable as you *THINK* you are, offering advice as you do? Then, you'd have seen the information I posted was actually led to from the article the op posted... that is, IF people here would actually READ THE F'ING ARTICLE (& largely, many here, don't, typically).
APK
"Please link to some proof that you are who you say you are, and you have done what you say you have done. For all anyone knows you are a random person claiming the initials APK and claiming that you have done oh so much." - by zeroshade (1801584) on Saturday February 05, @12:37AM (#35109612)
First, prove who YOU are, behind your childish little "nickname" you use here... ok? Your attempt @ logic here "backfires" on you, because I can ask the SAME of you.
---
"In reality, it is difficult for you to prove anything seeing as you aren't even logged in so if multiple people were posting the same way, there's no way to know the difference." - by zeroshade (1801584) on Saturday February 05, @12:37AM (#35109612)
What a load of horseshit. Pretty much everyone here knows who I am, & even things I've done (because it's not the 1st time I posted the list I use).
----
"If you are as knowledgeable as you claim to be, then you would know that it is stupid to follow the instructions of some person you've never heard of simply because they say they are knowledgeable and claim to have done a lot of development" - .by zeroshade (1801584) on Saturday February 05, @12:37AM (#35109612)
I only claimed I knew what was up in this thread, technically, & I also posted some things I have done in the field of computing that did well. That's all. As far as verifying it? I posted means to do so through this thread, & if anyone wishes to verify them, please - FEEL FREE to do so.
APK
P.S.=> The true "bottom-line" here, is this: The op's original link leads right to the data I posted in fact, right at its outset/start in fact... Thus, I felt no need to post the link, because MS always posts a DETAILED LINK of what their "FixIt" tools in fact, really do, which is what I posted!
(Then again though, you'd have to expect readers here to be intelligent enough to "RTFA", & most? Most apparently, do not)...
Why is WHY, nevertheless, my post is still "modded up" +1 INFORMATIVE... despite all the b.s. "protests" here... argue with that! apk
"Please link to some proof that you are who you say you are, and you have done what you say you have done." - by zeroshade (1801584) on Saturday February 05, @12:37AM (#35109612)
See subject-line, prove who YOU are, first... ok? Additionally, I have proofs of what I say I do, and I have had others here 'test them' before, & they ended up eating their own words, and pretty much everyone here who comes here regularly knows who I am anyways!
---
"For all anyone knows you are a random person claiming the initials APK and claiming that you have done oh so much. " - by zeroshade (1801584) on Saturday February 05, @12:37AM (#35109612)
More than yourself, or my other "naysayers" here... that much is certain, based on their lack of being able to produce 1 single thing they've done of note in the art & science of computing that did well & was a credit to them, via the critique of others (especially in printed publications like books or magazines in the field of computing, or commercial code to their credit, or being winners/finalists at something like MsTechEd 2 yrs. in a row in its hardest category (as I have been)).
---
"In reality, it is difficult for you to prove anything" - " - by zeroshade (1801584) on Saturday February 05, @12:37AM (#35109612)
Not really: What exactly would you like proof of from my statements? I can back up pretty much all of it easily enough.
---
"If you are as knowledgeable as you claim to be" - by zeroshade (1801584) on Saturday February 05, @12:37AM (#35109612)
NO, I only claimed to have done well in this art & science, and I have visible accomplishments I can put up to MY credit easily from having done well at it (unlike most others around here).
---
"then you would know that it is stupid to follow the instructions of some person you've never heard of simply because they say they are knowledgeable and claim to have done a lot of development." - by zeroshade (1801584) on Saturday February 05, @12:37AM (#35109612)
Again, where did I say I was "knowledgeable"? Thanks for the compliment then, I suppose. On the note of development?? I've been at that, professionally, for almost 17 yrs. now... how about you???
Secondly/lastly: What I posted IS correct, and works (and can be undone too)... & if folks here would bother READ THE F'ING ARTICLE?? They would have seen that much... though I even posted the direct link to the info. I put up, from MS, and the op's original post leads right to it, from its outset early on no less!
APK