The flaw, which was first highlighted by Microsoft in an advisory in January, allows an attacker to inject a client-side script into the response to a request made by Internet Explorer.
The script could allow a hacker to compromise the user by performing actions online that appear to have originated from the user; by stealing information from the user; or by otherwise trying to fool them.
MHTML, or Mime HTML, is a standard that allows web objects such as images to be combined with HTML into a single file. The vulnerability lies in how MHTML interprets Multipurpose Internet Mail Extensions (Mime) for content blocks in a document.
All these attacks abuse a publicly-disclosed MHTML vulnerability for which an exploit was publicly posted in January 2011.
Users browsing with the Internet Explorer browser are affected.
For now, users and corporations seriously consider deploying Microsoft’s temporary Fixit to block this attack until an official patch is available.
Paper: Hacking with mhtml protocol handler
Today Microsoft released a new security advisory to help protect users from a vulnerability affecting Internet Explorer versions 6, 7, and 8. Exploiting this vulnerability could lead to unauthorized remote code execution inside the iexplore.exe process.
Internet Explorer loads mscorie.dll, a library that was not compiled with /DYNAMICBASE (thus not supporting ASLR and being located always at the same base) when processing some HTML tags. Attackers use these predictable mappings to evade ASLR and bypass DEP by using ROP (return oriented programming) gadgets from these DLLs in order to allocate executable memory, copying their shellcode and jumping into it.
Although Microsoft is currently not aware of any attacks, given the public disclosure of this vulnerability, the likelihood of criminals using this information to actively attack may increase.
Users of Windows Vista and later versions of Windows are strongly encouraged to protect themselves against this issue by installing the free Enhanced Mitigation Experience Toolkit (EMET) and proceed to protect the iexplore.exe process.
When EMET is in place, this type of exploit will most likely fail. This is because of at least three mitigations:
- Mandatory ASLR: This mitigation will force the mscorie.dll to be located on random addresses each time.
- Heap Spray pre-allocation: Some of these exploits use some common used heap pages for placing ROP data such as 0x0c0c0c0c.
- EAT Filtering: Running shellcode can potentially be blocked by this mitigation.
Additionally, users should be aware that protected Mode in Internet Explorer on Windows Vista and Windows 7 helps to significantly limit the impact of currently known exploits. Protected Mode is on by default in Internet and Restricted sites zones in Internet Explorer 7 and 8, and prompts users before allowing software to install, run or modify sensitive system components.
Microsoft continues to investigate the vulnerability and will release a comprehensive security update once available.