In a shocking move, Microsoft’s Patch Tuesday left the now almost famous MHTML bug unfixed. I wrongly predicted earlier this week that Microsoft would fix the MHTML problem during its “update Tuesday”, which occurs on the first Tuesday of the month.
Instead, Microsoft patched a critical vulnerability in Windows Media Player/Center and two less critical vulnerabilities: one in the Windows Remote Desktop client and one in Microsoft Groove.
The critical update resolves two vulnerabilities found in Windows Media Player and Windows Media Center. In the worst case, these vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file.
The fix to the MHTML problem seems now to be as elusive as The Scarlet Pimpernel (they seek him here, they seek him there). The problem was found in January and it affects all versions of Windows from XP upwards regardless of the version of IE installed on the PC.
The vulnerability could allow an attacker to cause a victim to run malicious scripts when visiting a targeted web site, which in turn could result in information disclosure.
Microsoft have issued a Fixit which locks down the MHTML components of Windows, but they have now failed to patch the problem for two consecutive Patch Tuesdays. Will Microsoft fix this in April? Nobody knows!