Microsoft Advisory on client side XSS – 2501696

Wolfgang Kandek

Last updated on: September 7, 2020

Today Microsoft published Security Advisory 2501696, describing a vulnerability (CVE-2011-0096) in the MHTML handler present on all versions of Windows. The vulnerability allows a webpage to execute an XSS attack through Internet Explorer.

The XSS attack can be used to run JavaScript code on the user’s Internet Explorer instance, which gives the attacker a way to get at information stored in the browser and a mechanism to trick users into installing unwanted code through social engineering.

Advisory 2501696 describes a workaround that disables scripting inside the MHTML handler by setting the corresponding keys in the Windows registry. We expect the release of a FixIt to automate the application of the workaround for security-conscious end users.

The vulnerability was originally disclosed on the WooYun website. The same site disclosed in December a vulnerability in the CSS handler of Internet Explorer, "css.css" (CVE-2010-3971). That vulnerability has been acknowledged by Microsoft, and Security Advisory 2488013 includes a workaround and a FixIt link to apply.

While the vulnerability is located in a Windows component, Internet Explorer is the only known attack vector. Firefox and Chrome are not affected in their default configuration, as they do not support MHTML without the installation of specific add-on modules.

Microsoft’s SRD blog has a detailed description of the attack and provides HTML files for local testing.
