Microsoft’s Patch Tuesday is tomorrow and there are only three fixes listed in Redmond’s advance notification (compared to the 12 bulletins that addressed 22 vulnerabilities in February’s update). Two of the fixes listed are for Windows and one is for Office. One of the fixes listed for Windows is very likely to be a fix to the MHTML problem. Found in January, it affects all versions of Windows from XP upwards regardless of the version of IE installed on the PC.
MHTML (MIME HTML), is a web page archive format (often with the extension .mht) used to combine HTML, images, Flash etc into a single file. On Windows the MHTML handler is part of Windows and not part of Internet Explorer.
The vulnerability could allow an attacker to cause a victim to run malicious scripts when visiting a targeted web site, which in turn could result in information disclosure.
Previously, Microsoft issued a Fixit which locks down the MHTML components of Windows but they failed to patch the problem on February’s Patch Tuesday.
Also noted in Microsoft’s advance notification is the release of an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.