Today Microsoft published Security Advisory 2501696 describing a vulnerability (CVE-2011-0096) in the MHTML handler present on all versions of Windows. The vulnerability allows a webpage to execute an XSS attack through Internet Explorer.
Advisory 2501696 describes a workaround that disables scripting inside the MHTML handler by setting the corresponding keys in the Windows registry. We expect the release of a FixIt to automate the application of the workaround for security-conscious end users.
The vulnerability was originally disclosed on the WooYun website. The same site disclosed in December a vulnerability in the CSS handler of Internet Explorer, "css.css" (CVE-2010-3971). That vulnerability has been acknowledged by Microsoft, and Security Advisory 2488013 includes a workaround and a FixIt link to apply.
While the vulnerability is located in a Windows component, Internet Explorer is the only known attack vector. Firefox and Chrome are not affected in their default configuration, as they do not support MHTML without the installation of specific add-on modules.
Microsoft’s SRD blog has a detailed description of the attack and provides HTML files for local testing.