Highly targeted attacks exploiting Windows MHTML vulnerability

A recent surge in attacks against a variety of sites that exploit a MHTML XSS vulnerability publicly disclosed in January – and which still hasn’t been patched by Microsoft – has been remarked on by Google’s Security Team researchers.

The vulnerability is caused due to an error in the way the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler interprets MIME-formatted requests for content blocks within a document, which can be exploited by an attacker to execute arbitrary HTML and script code in a user’s browser session in context of a web site. This vulnerability affects only Internet Explorer users.

The Google team believes these latest attacks to be politically motivated, and in order to protect its users, they have deployed a number of server-side defenses to make the vulnerability harder to exploit. They point out that neither of those solutions is meant to be long-term, and that they are not “100% reliable”.

When the vulnerability was first make public, Microsoft mentioned that there was proof-of-concept code that attempts to exploit this vulnerability floating around the Internet. Until a patch was issued, they advised users to enable MHTML protocol lockdown (either manually or using the available automated “Microsoft Fix it” solution) – advice seconded now by Google.

“The abuse of this vulnerability is also interesting because it represents a new quality in the exploitation of web-level vulnerabilities. To date, similar attacks focused on directly compromising users’ systems, as opposed to leveraging vulnerabilities to interact with web services,” adds the team.