Microsoft MHTML Critical Windows Vulnerability & Fix-it Tool
On January 28, 2011, Microsoft released Security Advisory 2501696, acknowledging a publicly disclosed vulnerability that affects all versions of Windows. The advisory describes a bug in the Windows MHTML protocol handler that can lead to information disclosure, or worse.
Begin Techno-babble:
Proof-of-concept code has already been published, and it is a safe bet that this vulnerability will soon be added to the most popular exploit kits. The bug exists in every version of Windows, supported or end-of-life, in the handling of a document format called MHTML. Windows ships a pluggable protocol handler (MHTML:) that lets various applications render MHTML documents. Internet Explorer is one of those applications, and it can be abused to trigger the bug from an ordinary web page, so that a hostile script runs in the security context of some other web site.
The vulnerability exists in the way the MHTML handler interprets MIME-formatted requests for content blocks within a document, which lets an attacker get script executed in the wrong security context. An attacker who successfully exploited it could inject a "client-side" script (that's your side) into a page the user has open in Internet Explorer. That script could spoof content, disclose information, or take any action on the affected web site that the user could take, on the user's behalf.
What is MHTML?
MHTML (MIME Encapsulation of Aggregate HTML) is an Internet standard that defines the MIME structure used to wrap an HTML page together with its related resources. The MHTML protocol handler in Windows provides a "pluggable" protocol (MHTML:) that permits MHTML-encoded documents to be rendered by any application capable of recognizing MHTML content.
End Techno-babble
What you can do to protect your PC from this script injection vulnerability
First of all, reduce your exposure by using Mozilla Firefox or Google Chrome as your default web browser instead of Microsoft's Internet Explorer. The exploit depends on Internet Explorer handing mhtml: URLs to the Windows protocol handler, something Firefox and Chrome do not do. That said, if you are lured or redirected by a link to a hostile web site, you can take it to the bank that other exploits will be launched against whatever browser you use. Still, this particular exploit will not inject its code into Firefox or Chrome the way it does into Internet Exploder!
The second thing every Windows user can do is lock down the MHTML handler in which this new vulnerability lives. Microsoft has released a Fix-it tool that restricts the affected protocol until an official patch ships; an Undo Fix-it is on the same page. These tools are nothing more than Windows Registry entries that lock down the mhtml: protocol in every Internet Explorer security zone, which also covers the applications that rely on IE's rendering engine (Microsoft Outlook, Outlook Express, Windows Mail, Windows Live Mail). The lockdown also disables the (rare) use of MHTML content in Windows Media Player.
Note: because the MHTML handler is used by Windows applications other than Internet Explorer, you are strongly advised to lock the protocol down with the Fix-it tool even if IE is not your browser. The tool is an .msi package that writes to the Local Machine branch of the Registry, so you must run it from an Administrator-level account (Windows XP, Windows Server 2003 or older) or elevate it with Run as administrator (Windows Server 2008, Vista and 7). By default, Internet Explorer on Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2 runs in a restricted mode known as Enhanced Security Configuration, and that mode mitigates this vulnerability.
See the Registry hack further down in this article, which adds a "Run As" command for .msi files under Windows XP, Server 2003 and 2008, Windows Vista and Windows 7.
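The Fix-it is a black box, so it helps to be able to see for yourself whether the lockdown is in place, and to apply or undo it from the command line. The script below is an added example written for this article, not Microsoft's Fix-it and not its exact contents. It assumes the Internet Explorer Network Protocol Lockdown registry layout as I understand it (a FEATURE_PROTOCOL_LOCKDOWN feature switch plus a per-zone RestrictedProtocols entry naming "mhtml"); compare those key names against the workaround section of Advisory 2501696 before relying on it on a machine you care about.

```powershell
# Added example, not Microsoft's Fix-it: inspect, apply, or undo an Internet Explorer
# Network Protocol Lockdown for the mhtml: protocol from an elevated PowerShell prompt.
# ASSUMED registry layout (check it against the workaround in Advisory 2501696):
#   HKLM\...\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN      value "*" = 1 (feature on for every process)
#   HKLM\...\Internet Settings\RestrictedProtocols\<zone>  value "mhtml" = "mhtml", one key per zone 0..4
param(
    [ValidateSet('Status', 'Apply', 'Undo')]
    [string]$Action = 'Status'
)

$featureKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN'
$zonesRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols'
$zones      = 0..4   # 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites
$protocol   = 'mhtml'

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-MhtmlLockdownStatus {
    # The feature switch and the per-zone entries must BOTH be present for the lockdown to bite.
    $featureOn = $false
    if (Test-Path $featureKey) {
        $featureOn = ((Get-ItemProperty -Path $featureKey).'*' -eq 1)
    }
    $restrictedZones = @()
    foreach ($zone in $zones) {
        $zoneKey = Join-Path $zonesRoot $zone
        if ((Test-Path $zoneKey) -and ((Get-ItemProperty -Path $zoneKey).$protocol -eq $protocol)) {
            $restrictedZones += $zone
        }
    }
    [pscustomobject]@{
        FeatureEnabled  = $featureOn
        RestrictedZones = $restrictedZones
        LockedDown      = $featureOn -and ($restrictedZones.Count -eq $zones.Count)
    }
}

function Set-MhtmlLockdown {
    param([bool]$Enable)
    if (-not (Test-IsElevated)) {
        throw 'These keys live under HKEY_LOCAL_MACHINE; run this from an elevated (Run as administrator) prompt.'
    }
    if ($Enable) {
        if (-not (Test-Path $featureKey)) { New-Item -Path $featureKey -Force | Out-Null }
        Set-ItemProperty -Path $featureKey -Name '*' -Value 1 -Type DWord
        foreach ($zone in $zones) {
            $zoneKey = Join-Path $zonesRoot $zone
            if (-not (Test-Path $zoneKey)) { New-Item -Path $zoneKey -Force | Out-Null }
            Set-ItemProperty -Path $zoneKey -Name $protocol -Value $protocol -Type String
        }
    } else {
        # Remove only what Apply added; other protocols listed in the same keys are left alone.
        # Caveat: the "*" switch is shared, so removing it also turns off any other lockdown that relied on it.
        Remove-ItemProperty -Path $featureKey -Name '*' -ErrorAction SilentlyContinue
        foreach ($zone in $zones) {
            Remove-ItemProperty -Path (Join-Path $zonesRoot $zone) -Name $protocol -ErrorAction SilentlyContinue
        }
    }
}

switch ($Action) {
    'Apply' { Set-MhtmlLockdown -Enable $true }
    'Undo'  { Set-MhtmlLockdown -Enable $false }
}
Get-MhtmlLockdownStatus   # always finish by reporting what is actually in the Registry
```

Run it with no arguments to see the current state, with -Action Apply or -Action Undo to change it. Feature-control settings are read when Internet Explorer starts, so close and reopen IE (and Outlook or Windows Mail, if you use them) after changing them.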
A few words about how this vulnerability can be exploited by email.
By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express and Windows (Live) Mail open HTML e-mail messages in the Restricted sites zone, which disables script and ActiveX controls and removes the risk of an attacker using this vulnerability to execute malicious code from the message itself. If the user has unchecked the option to open e-mail in that zone, or clicks a hostile link in an e-mail message, the user is still exposed to this vulnerability through the web-based attack scenario.
A Registry hack that adds the Run As command for .MSI files to the right click options
Copy and paste the following 5 lines into a new text document (right-click inside a folder of your choice, then select New, then Text Document), save the pasted-in contents, then rename the file to something like: Run MSI As Admin.reg
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\Msi.Package\shell\runas]
@="Install &As Administrator..."
[HKEY_CLASSES_ROOT\Msi.Package\shell\runas\command]
@="msiexec /i \"%1\""
Now double-click that .reg file and, when asked whether you want to add the information in (path and file name) to your Windows Registry, click Yes. HKEY_CLASSES_ROOT is a view onto the Local Machine branch of the Registry, so the account needs rights to write there: an Administrator, or a Power User on Windows XP and Server 2003. A standard (limited) user cannot make this change directly. If you are running Vista or Windows 7, you will also have to approve a UAC prompt; from a standard user account that prompt asks for an administrator's password instead.
If your account type is too limited to install this Registry update, switch to an account that does have Admin privileges, install the .reg file from there, then log off that account and back into your regular (Limited User) account.
With the Registry hack installed, you can right-click a .msi file and select "Run As" (XP, Server 2003) or "Run as administrator" (Vista, 7, Server 2008 and later). Under XP and Server 2003 you will be asked for an administrator account's password, and possibly also on the newer systems (a standard user on Vista or 7 gets a UAC credential prompt). Type the password for an admin-level account, agree to any conditions of use, and proceed with the installation of the .msi file.
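The .reg file simply trusts that .msi files are associated with the Msi.Package ProgID; if a third-party installer front end has re-mapped the extension, the verb lands on a key Explorer never looks at. The script below is an added example written for this article, not part of the original .reg hack: it performs the same change from PowerShell, but first reads the live .msi association and attaches the verb to whatever ProgID is actually in use, and it reports the resulting verb so you can confirm it took. It assumes only the Msi.Package name from the .reg file above and the standard meaning of the shell\runas verb key.

```powershell
# Added example, not part of the original article: the same "Run As" verb as the
# .reg file above, applied from PowerShell with the checks the .reg file skips.
# Assumption (verify on your own system): .msi maps to the ProgID Msi.Package,
# which is where the .reg file attaches the verb.
$expectedProgId = 'Msi.Package'
$label   = 'Install &As Administrator...'
$command = 'msiexec /i "%1"'   # %1 is the .msi the user right-clicked; keep the quotes for paths with spaces

function Get-MsiProgId {
    # The default value of HKCR\.msi names the ProgID whose shell\ verbs Explorer shows in the context menu.
    $ext = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.msi' -ErrorAction SilentlyContinue
    if ($ext) { $ext.'(default)' } else { $null }
}

function Get-MsiRunAsVerb {
    # Returns the verb as Explorer will see it, or $null if it is not installed for this ProgID.
    param([string]$ProgId = (Get-MsiProgId))
    if (-not $ProgId) { return $null }
    $verbKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\runas"
    if (-not (Test-Path "$verbKey\command")) { return $null }
    [pscustomobject]@{
        ProgId  = $ProgId
        Label   = (Get-ItemProperty -Path $verbKey).'(default)'
        Command = (Get-ItemProperty -Path "$verbKey\command").'(default)'
    }
}

function Add-MsiRunAsVerb {
    $progId = Get-MsiProgId
    if (-not $progId) { throw 'No file-type association for .msi was found; there is nothing to attach the verb to.' }
    if ($progId -ne $expectedProgId) {
        # Writing under Msi.Package would do nothing here, so follow the live mapping instead.
        Write-Warning ".msi maps to '$progId', not '$expectedProgId'; adding the verb under '$progId'."
    }
    # HKEY_CLASSES_ROOT\<ProgId> resolves to HKLM\SOFTWARE\Classes, so this needs an Administrator
    # (or, on XP/2003, Power User) token; on Vista and 7 start PowerShell with Run as administrator.
    $verbKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\runas"
    try {
        if (-not (Test-Path $verbKey))           { New-Item -Path $verbKey -Force -ErrorAction Stop | Out-Null }
        if (-not (Test-Path "$verbKey\command")) { New-Item -Path "$verbKey\command" -Force -ErrorAction Stop | Out-Null }
        Set-ItemProperty -Path $verbKey           -Name '(default)' -Value $label   -ErrorAction Stop
        Set-ItemProperty -Path "$verbKey\command" -Name '(default)' -Value $command -ErrorAction Stop
    } catch {
        throw "Could not write $verbKey ($($_.Exception.Message)); rerun from an elevated prompt or an Administrator/Power User account."
    }
    Get-MsiRunAsVerb -ProgId $progId
}

Add-MsiRunAsVerb
```

The returned object shows the ProgID that was actually modified together with the label and command line now stored under it; if Get-MsiRunAsVerb returns nothing afterwards, the write did not land where Explorer reads, which is exactly the failure the .reg file cannot tell you about.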
I have tested this Registry hack in Windows XP Professional, as a Power User, and it worked instantly.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.