Slashdot Mirror


Windows MHTML Vulnerability Warning From Microsoft

jhernik writes "An HTML scripting bug impacting all supported versions of Windows is receiving Microsoft's attention. Microsoft issued an advisory on a Windows security vulnerability today after exploit code for the bug went public. The bug, which lies in the MIME Encapsulation of Aggregate HTML (MHTML) protocol handler, can be exploited to cause data leakage. Though proof-of-concept code for the vulnerability has already gone public, the company said it is unaware of any attempts to exploit the bug." This might seem familiar to you, but considering how many times I saw it submitted this morning, it probably doesn't ;)


  1. Dupe by Lord+Byron+II · · Score: 1, Informative
    1. Re:Dupe by Ephemeriis · · Score: 1

      http://tech.slashdot.org/story/11/01/29/0050223/New-Critical-Bug-In-All-Current-Windows-Versions

      The fact that it's a dupe is actually mentioned right in the summary...

      --
      "Work is the curse of the drinking classes." -Oscar Wilde
    2. Re:Dupe by Thelasko · · Score: 1

      The fact that it's a dupe is actually mentioned right in the summary...

      I think it was added after the original story, because I don't remember it being there a few minutes ago.

      --
      One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
    3. Re:Dupe by Anonymous Coward · · Score: 1

      You are correct. It was a silent, unmarked edit. Design may have changed, but editor behavior hasn't.

    4. Re:Dupe by Culture20 · · Score: 1

      Sometimes a duplicate story is important. Monday morning is a nice time to re-hash a warning that some tech folk might not have seen over the weekend.

    5. Re:Dupe by 1u3hr · · Score: 1
      Monday morning is a nice time to re-hash a warning that some tech folk might not have seen over the weekend.

      If it's actually your job to know this, you had better not be depending on Commander Taco to keep you informed.

  2. Can't make a gorilla change its spots. by Anonymous Coward · · Score: 1

    So, what have we learned in 2010? MS will deny the existence of a bug, at the very least until proof-of-concept is published; afterwards, they'll downplay it by saying "it's not really critical at all, but you should update ASAP because, uh, eh, well, the stars are right or something, but definitely not critical, nosir, not at all". In other words, same old, same old. Nothing to see here, move along.

  3. Feature by mbarnsdale · · Score: 1

    It's a feature, not a bug...

    1. Re:Feature by fuzzyfuzzyfungus · · Score: 1, Troll

      It is true that, for all the freetard crowing about their precious "SSH", Microsoft is an industry leader in built-in remote access and administration tools. Many of them are so easy and intuitive that they can be configured and enabled without user intervention, or simply by visiting a website!

    2. Re:Feature by h4rm0ny · · Score: 1

      Freetard == Pirates. Libre software is not in the same category. As someone who comfortably uses MS software (albeit also uses Gentoo), if you really want to promote MS Products, please lend your support to the "other side" because you ain't helping MS's PR by spouting a load of crap on their behalf. I don't know what the Hell you find worth mocking in "SSH". It's something pretty fundamental and used by everyone.

      --

      Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
    3. Re:Feature by Jawnn · · Score: 1

      It is also sadly true that moderators (and other respondents) are often sarcasm-challenged.

    4. Re:Feature by fuzzyfuzzyfungus · · Score: 1

      I figured that my sarcasm was broad enough (especially since I was just elaborating the "it's a feature not a bug" stock reply); but apparently not.

      Ah well. Not every day you can be accused of shilling for Bill for a comment made from Konqueror running on a remote debian host over an ssh -X tunnel...

    5. Re:Feature by mikechant · · Score: 1

      I'll fess up and say I modded too hastily, immediately realized I was wrong and am posting to undo.
      Would be nice to be able to undo an individual mistaken mod (say within a couple of minutes), but I'll try to not jump the gun in future.

  4. Here's the MS Fixit link from the original article by jayemcee · · Score: 4, Informative
  5. Useless features. by Anonymous Coward · · Score: 1

    I'm pretty sure if MHTML were wiped off the face of the earth tomorrow, nobody would miss it. Why must we have all these useless data formats / protocols / standards? They are nothing but security holes.

  6. Are you at risk if you use an "alternate" browser? by HouseOfMisterE · · Score: 2

    Are you at risk if you use an alternate web browser like Firefox, Opera, or Chrome?

  7. Manual method (vs. Ms FixIt) by Anonymous Coward · · Score: 2, Informative

    TO APPLY THIS FIX:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
    "explorer.exe"=dword:00000001
    "iexplore.exe"=dword:00000001
    "*"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1]
    "mhtml"="mhtml"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\2]
    "mhtml"="mhtml"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\3]
    "mhtml"="mhtml"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\4]
    "mhtml"="mhtml"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
    "explorer.exe"=dword:00000001
    "iexplore.exe"=dword:00000001
    "*"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\1]
    "mhtml"="mhtml"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\2]
    "mhtml"="mhtml"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\3]
    "mhtml"="mhtml"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols\4]
    "mhtml"="mhtml"

    ----

    TO UNDO THIS FIX:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
    "explorer.exe"=dword:00000000
    "iexplore.exe"=dword:00000000

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
    "explorer.exe"=dword:00000000
    "iexplore.exe"=dword:00000000

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols]

    ---

    (For those of you that want to "know what's 'going on', under the hood"...)

    APK
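An offline check for the workaround in the comment above, as an added example that is not part of the original post or of Microsoft's Fix it: it replays .reg text into an in-memory model and lists any of the workaround's settings that are missing or disabled. The function names and the sample data are constructed for illustration, and the input is assumed to be already-decoded .reg text.

```python
import re

VIEWS = ("SOFTWARE", r"SOFTWARE\Wow6432Node")  # both registry views in the post
LOCKDOWN = (r"HKEY_LOCAL_MACHINE\{v}\Microsoft\Internet Explorer\MAIN"
            r"\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN")
RESTRICTED = (r"HKEY_LOCAL_MACHINE\{v}\Microsoft\Windows\CurrentVersion"
              r"\Internet Settings\RestrictedProtocols")
VALUE = re.compile(r'"([^"]*)"=(dword:[0-9a-fA-F]{8}|".*")')

def apply_reg(state, text):
    """Merge .reg text into state: {key: {value name: data}}, names lowercased."""
    current = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[-") and line.endswith("]"):
            gone = line[2:-1].lower()  # "[-KEY]" deletes KEY and its subkeys
            for key in [k for k in state if k == gone or k.startswith(gone + "\\")]:
                del state[key]
            current = None
        elif line.startswith("[") and line.endswith("]"):
            current = state.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE.fullmatch(line)):
            name, data = m.group(1).lower(), m.group(2)
            current[name] = int(data[6:], 16) if data[0] != '"' else data[1:-1]
    return state

def audit(state, views=VIEWS):
    """List every setting of the workaround that is missing or disabled."""
    findings = []
    for v in views:
        lock = state.get(LOCKDOWN.format(v=v).lower(), {})
        for proc in ("explorer.exe", "iexplore.exe", "*"):
            if lock.get(proc) != 1:
                findings.append(f"{v}: lockdown off for {proc}")
        for zone in "1234":
            zkey = state.get((RESTRICTED.format(v=v) + "\\" + zone).lower(), {})
            if zkey.get("mhtml") != "mhtml":
                findings.append(f"{v}: zone {zone} does not restrict mhtml")
    return findings

def sample_fix(views=VIEWS):  # constructed sample equal to the "apply" file above
    out = ["Windows Registry Editor Version 5.00", ""]
    for v in views:
        out += [f"[{LOCKDOWN.format(v=v)}]", '"explorer.exe"=dword:00000001',
                '"iexplore.exe"=dword:00000001', '"*"=dword:00000001', ""]
        for zone in "1234":
            out += [f"[{RESTRICTED.format(v=v)}\\{zone}]", '"mhtml"="mhtml"', ""]
    return "\n".join(out)

if __name__ == "__main__":  # only the native view applied: 7 findings for Wow6432Node
    print("\n".join(audit(apply_reg({}, sample_fix(("SOFTWARE",))))))
```

Replaying the "undo" file through `apply_reg` afterwards reports the zone entries and the two per-process values as off, while the `"*"` lockdown value stays at 1 because that file does not reset it.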

    1. Re:Manual method (vs. Ms FixIt) by Smallpond · · Score: 3, Insightful

      I'm going to edit my registry based on the word of AC. Seems like a reliable source.

  8. MHTML is HTML in a MIME container by tepples · · Score: 2

    MHTML is nothing more than a MIME multipart message containing HTML. If there's a vulnerability in IE's handling of MHTML, then there's probably a vulnerability in each mail client that Microsoft maintains.

  9. Re:Are you at risk if you use an "alternate" brows by The+MAZZTer · · Score: 1

    Chrome seems to just render a blank document for mhtml: urls, and doesn't let you enter them in the omnibox directly (it searches instead). Firefox gets confused and thinks mhtml: is not associated with any application and so refuses to open it. (Even if it didn't, IIRC it'll ask you whether you want to open it or not.)

  10. Re:Are you at risk if you use an "alternate" brows by modmans2ndcoming · · Score: 3, Informative

    Opera has fixed this. Firefox crashes. I would hope Chrome has fixed it because Google is the company that discovered the problem.

  11. Re:Are you at risk if you use an "alternate" brows by RussellSHarris · · Score: 1

    Chrome seems to just render a blank document for mhtml: urls, and doesn't let you enter them in the omnibox directly... Firefox gets confused and thinks mhtml: is not associated with any application

    Yeah. Probably because "mhtml" isn't a valid URL protocol, according to HKEY_CLASSES_ROOT.

    "My Computer\HKEY_CLASSES_ROOT\mhtml" doesn't exist.

    "My Computer\HKEY_CLASSES_ROOT\mhtmlfile" exists, but it doesn't have the "URL Protocol" REG_SZ flag set.

    Here we have yet another example of Internet Explorer / Windows doing things in non-standard ways and breaking everything else. The MSDN Library even has a how-to page describing how to register an application to a URL protocol...

    For instance, to add an "alert:" protocol, add an alert key to HKEY_CLASSES_ROOT, as follows [...] Under this new key, the URL Protocol string value indicates that this key declares a custom protocol handler. Without this key, the handler application will not launch. [...]

    HKEY_CLASSES_ROOT
        alert
            (Default) = "URL:Alert Protocol"
            URL Protocol = ""
            DefaultIcon
                (Default) = "alert.exe,1"
            shell
                open
                    command
                        (Default) = "C:\Program Files\Alert\alert.exe" "%1"

  12. Re:Are you at risk if you use an "alternate" brows by RussellSHarris · · Score: 1

    Firefox does not "crash". It pops up an alert message which reads as follows:

    Firefox doesn't know how to open this address, because the protocol (mhtml) isn't associated with any program.

    ...which it isn't. Go check HKEY_CLASSES_ROOT...

  13. Re:Hey, stupid? It IS Ms' fix... take a read! by RussellSHarris · · Score: 1

    So what you're saying is, you copied & pasted code from the MSDN website (which has "© 2011 Microsoft Corporation. All rights reserved." printed at the bottom) without citing the source of the information that you ripped from it.

    Isn't that called plagiarism?

  14. Re:Are you at risk if you use an "alternate" brows by shutdown+-p+now · · Score: 1

    So wait, it affected Opera as well? Is it because it used some IE bits to handle MHTML, or because any naive implementation of it is prone to that bug?

  15. Posted just after /.'s changeover to new version. by Ungrounded+Lightning · · Score: 1

    That was posted last Friday. I suspect a lot of people didn't see it because slashdot had recently changed to the new format that is virtually unreadable on older browsers - or even recent Firefox versions.

    I notice that things are substantially better today, at least for the older firefox 2.0.0.8. Maybe they got fixed up enough that more people will see this posting.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  16. Re:Are you at risk if you use an "alternate" brows by Ol+Olsoc · · Score: 1

    Yes, because plenty of programs use IE, even if it doesn't appear that way. Make sure you install the fix.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  17. Re:Show us all reading here you're better than I a by zeroshade · · Score: 1

    Please link to some proof that you are who you say you are, and you have done what you say you have done. For all anyone knows you are a random person claiming the initials APK and claiming that you have done oh so much. In reality, it is difficult for you to prove anything seeing as you aren't even logged in so if multiple people were posting the same way, there's no way to know the difference.

    If you are as knowledgeable as you claim to be, then you would know that it is stupid to follow the instructions of some person you've never heard of simply because they say they are knowledgeable and claim to have done a lot of development.