December 7, 2016

Microsoft Likely To Fix MHTML Vulnerability Tomorrow

Microsoft’s Patch Tuesday is tomorrow and there are only three fixes listed in Redmond’s advance notification (compared with the 12 bulletins that addressed 22 vulnerabilities in February’s update). Two of the listed fixes are for Windows and one is for Office. One of the Windows fixes is very likely to be the fix for the MHTML problem. Found in January, it affects all versions of Windows from XP upwards, regardless of which version of IE is installed on the PC.

MHTML (MIME HTML) is a web page archive format (often with the extension .mht) that packs the HTML, images, Flash etc. of a page into a single file using MIME multipart encoding. On Windows the MHTML protocol handler is a component of Windows itself rather than of Internet Explorer, which is why the problem affects every version of Windows regardless of the IE version installed.
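As an added illustration (example code written for this page, not code from the original post or from Microsoft), the block below builds a small .mht archive with Python’s standard email library and parses it back. It shows that an MHTML file is an ordinary MIME multipart/related message in which every part carries a Content-Location header naming the URL it stands in for, and that a relative reference in the HTML (such as src="logo.png") is resolved against the root part’s Content-Location to find the matching part inside the file. The page URL example.invalid, the HTML and the eight-byte “image” are constructed placeholders; the script_bearing_parts helper and its SCRIPT_MARKERS list are a crude triage heuristic added here, not a detection for the vulnerability itself.

```python
"""Build and parse a minimal MHTML (.mht) archive with the standard library.

An .mht file is a MIME message of type multipart/related: the first part is
the HTML page and each later part is a resource the page references. Every
part carries a Content-Location header naming the URL it stands in for, and
the handler resolves relative references in the HTML against the root part's
Content-Location to find the matching part inside the archive.

Added example for this page; the page URL, HTML and image bytes below are
constructed placeholders, not real content.
"""
import email
import email.policy
from email.message import EmailMessage, MIMEPart
from urllib.parse import urljoin

# MHTML writers traditionally emit CRLF line endings, so use a policy that does.
MHT_POLICY = email.policy.default.clone(linesep="\r\n")

BASE_URL = "http://example.invalid/page.html"          # placeholder origin
SAMPLE_HTML = (                                          # constructed page
    '<html><head><title>Demo</title></head>'
    '<body><h1>Hello</h1><img src="logo.png"></body></html>'
)
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n"   # PNG signature only; enough for the demo


def build_mhtml(base_url: str, html: str, resources: dict[str, bytes]) -> bytes:
    """Serialise a page plus its resources as a multipart/related archive.

    `resources` maps a file name relative to `base_url` (e.g. "logo.png") to
    that resource's raw bytes; every resource is stored as image/png here to
    keep the example short.
    """
    msg = EmailMessage(policy=MHT_POLICY)
    msg["MIME-Version"] = "1.0"
    msg["Subject"] = "Demo archive"
    msg.make_related()                     # empty multipart/related container

    # Root document: text/html, quoted-printable, tagged with its own URL.
    root = MIMEPart(policy=MHT_POLICY)
    root.set_content(html, subtype="html", cte="quoted-printable")
    root["Content-Location"] = base_url
    msg.attach(root)

    # One part per resource, tagged with the absolute URL it stands in for.
    base_dir = base_url.rsplit("/", 1)[0] + "/"
    for name, data in resources.items():
        part = MIMEPart(policy=MHT_POLICY)
        part.set_content(data, maintype="image", subtype="png", cte="base64")
        part["Content-Location"] = base_dir + name
        msg.attach(part)
    return msg.as_bytes()


def parse_mhtml(data: bytes) -> dict[str, tuple[str, bytes]]:
    """Return {content_location: (content_type, decoded_bytes)} for each part.

    Parts without a Content-Location cannot be referenced by URL and are
    skipped. Raises ValueError if the input is not a multipart/related message.
    """
    msg = email.message_from_bytes(data, policy=MHT_POLICY)
    if msg.get_content_type() != "multipart/related":
        raise ValueError(f"not an MHTML archive: {msg.get_content_type()}")
    parts: dict[str, tuple[str, bytes]] = {}
    for part in msg.iter_parts():
        location = part.get("Content-Location")
        if location is None:
            continue
        # decode=True undoes the Content-Transfer-Encoding (base64 or QP).
        parts[str(location)] = (part.get_content_type(), part.get_payload(decode=True))
    return parts


def find_resource(parts, root_location: str, relative_ref: str):
    """Resolve a relative reference from the root page (e.g. src="logo.png")
    the way the handler does: join it to the root's Content-Location and look
    up the part carrying that absolute URL. Returns None when nothing matches."""
    return parts.get(urljoin(root_location, relative_ref))


# Crude triage heuristic added for this example: markers of active content.
SCRIPT_MARKERS = (b"<script", b"javascript:", b"onload=", b"onerror=")


def script_bearing_parts(parts) -> list[str]:
    """Content-Locations of text/html parts that contain script hooks.

    A snapshot of a static page normally has none, so their presence in an
    archive from an untrusted source is a reason to look closer before
    opening it in a client that renders .mht natively. Heuristic only.
    """
    return [
        loc for loc, (ctype, body) in parts.items()
        if ctype == "text/html" and any(m in body.lower() for m in SCRIPT_MARKERS)
    ]


if __name__ == "__main__":
    archive = build_mhtml(BASE_URL, SAMPLE_HTML, {"logo.png": SAMPLE_PNG})
    print(archive.decode("ascii"))
    found = parse_mhtml(archive)
    print(sorted(found))
    print(find_resource(found, BASE_URL, "logo.png"))
```

Running the block prints the raw archive, which makes the point of the section visible: the handler is given a MIME message, not a web page, and it is the Content-Location and Content-Type headers inside that message, not the URL the file came from, that decide what each part is and how it is rendered.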

The vulnerability could allow an attacker to cause a victim’s browser to run malicious script in the context of a targeted web site, in effect a cross-site scripting attack, which in turn could disclose information from that site or let the attacker act on it as the victim.

Microsoft had previously issued a Fixit that locks down the MHTML components of Windows, but it did not patch the problem on February’s Patch Tuesday.

Also noted in Microsoft’s advance notification is the release of an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

As predicted Microsoft Doesn’t Fix MHTML Problem on Patch Tuesday

Patch Tuesday has been and gone and, as predicted, Microsoft was unable to fix the MHTML vulnerability discovered at the end of January. To be fair to Microsoft, there really wasn’t enough time for testing and proper due process to fix it in time for February’s Patch Tuesday, and Microsoft has issued a Fixit. However, there may now be increased attacker activity trying to exploit this vulnerability and infect unsuspecting web users with malware.

So what did they fix? Microsoft issued 12 bulletins that addressed 22 vulnerabilities in Microsoft Windows, Office, Internet Explorer and Microsoft’s web server, IIS.

Of these 12, three are considered Critical:

MS11-003. This is a cumulative security update for Internet Explorer and addresses the issue first described in Security Advisory 2488013. In short, this patch fixes four vulnerabilities in Internet Explorer that could allow remote code execution if a user views a specially crafted web page.

The second critical patch, MS11-006, applies only to XP and Vista (and Server 2003 and 2008); Windows 7 is not affected. The problem fixed here is in the Windows Shell graphics processor: the vulnerability could allow remote code execution if a user views a specially crafted thumbnail image. It was initially described in Security Advisory 2490606, which Microsoft released on January 4th. Microsoft reports that it has not seen any attacks using this issue since then.

The last critical patch, MS11-007, addresses a vulnerability in the OpenType Compact Font Format (CFF) driver affecting all supported versions of Windows. It could allow remote code execution if a user views content rendered in a specially crafted CFF font.

If you have automatic updating enabled on your Windows machine you will not need to take any action, as these updates will be downloaded and installed automatically. If you don’t, you will need to check for the updates and install them manually.

In the video below, Jerry Bryant (of Microsoft) discusses this month’s bulletins in further detail: