Microsoft Warns of Windows Script Injection Hole (MHTML Script Injection Vulnerability)

Microsoft on Friday released a security advisory for a publicly-disclosed vulnerability in all versions of Windows. Microsoft Security Advisory #2501696 describes a bug in the MHTML handler in Windows which could lead to information disclosure.

MHTML (MIME Encapsulation of Aggregate HTML) is a web page archive format used to combine resources that are typically represented by external links (such as images, Flash animations, Java applets, audio files) together with HTML code into a single file. The content of an MHTML file is encoded as if it were an HTML e-mail message, using the MIME type multipart/related. The vulnerability is similar to a cross-site scripting bug on a web page, in which HTML and script from another site is executed in the web page context. In this case, script could be executed in the client-side context.

Microsoft has provided a temporary workaround "Fix it" link to disable the MHTML protocol handler. For more information on the How-To and implications of applying the fix, read more here.

To fix it right away, click the following icon (link points to Microsoft):

"Fix it" link to disable the MHTML protocol handler