Unpatched Vulnerability in MHTML Being Exploited
A vulnerability in the Windows implementation of HTML that was first
reported at the end of January is now being actively exploited in very
targeted attacks. A patch for this vulnerability is not yet
available and it might require that websites install a patch.
For now, the best protection is to disable allowing scripts to run in
Warning: A vulnerability is being
actively exploited in very targeted attacks.
(A "warning" alert is for a situation that are currently occurring or
conditions are right for the situation to occur soon.)
Media attention: Information Technology blogs and
trade magazines are carrying this story.
- Windows XP and later
- The iPhone and Android browsers are also
History of the Vulnerability
MHTML (MIME Encapsulation of Aggregate HTML) is an
Internet standard for a web page archive format introduced by Microsoft
in 1999 used to combine resources that are typically represented by
external links (such as images, Flash animations, Java applets, audio
files) together with HTML code into a single file. The
content of an MHTML file is encoded as if it were an HTML e-mail
message, using the MIME type multipart/related. It is
supported in Internet Explorer, Opera, WebKit-based browsers, and (with
an extension) Firefox. Windows Explorer will open files with
the .mht extension as MHTML. MHTML protocol is a prefix
(mhtml:) to an internet web address (URL, hyperlink) for an MHTML
The vulnerability is in the Microsoft Windows
MHTML protocol handler.
The vulnerability was thought to be so difficult
to exploit that it was unlikely to happen and Microsoft is also
apparently having a hard time getting a quality patch for it.
A patch for it was not included in the scheduled second Tuesday patches
A Google engineer warned Microsoft about the flaw
back in July. Microsoft maintains that it was unable to
reproduce the problem until December. In January the Google
engineer publically disclosed some technical details and released a
hacking tool that could be used to find the bug, saying that he was
concerned that Chinese hackers may have already discovered the
problem. Presumably he was trying to force Microsoft to fix
the vulnerability. Releasing details in that way puts
information in the hands of those who can use it maliciously.
Although reports are that the attacks have been
very targeted so far, any vulnerability in Windows is likely to be
exploited quickly by criminals before a patch become widely
deployed. The availability of proof-of-concept code just
makes it easier for the criminals to exploit the vulnerability.
A few days after Microsoft released the scheduled
patches for March, we learned that targeted attacks using the MHTML
vulnerability have been discovered. Microsoft updated their
security advisory on Friday, March 11, 2011 with that information.
The vulnerability is an injection problem, that
is, a well known and trusted web site could be compromised to run a
malicious script when you access a page on that server. The
problem might need to be fixed on web servers. Google is
already working to protect their servers, but you cannot depend on
every web server to fix the problem. So, you need some
protection on workstation computers (those from which you browse the
Google Online Security said, "The abuse of this vulnerability is also
interesting because it represents a new quality in the exploitation of
web-level vulnerabilities. To date, similar attacks focused
on directly compromising users' systems, as opposed to leveraging
vulnerabilities to interact with web services."
Windows servers already have a locked down browser configuration that
would prevent the malicious script from running, but you have to be
careful that you have not trusted sites that could be compromised
because trusted sites will be able to run script in the locked down
browser configuration on Windows servers.
Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open
HTML e-mail messages in the Restricted sites zone, which disables
script and ActiveX controls, removing the risk of an attacker being
able to use this vulnerability to execute malicious code.
How Are Systems Compromised?
A website could contain a specially crafted link
(mhtml:) that is used to exploit this vulnerability. An
attacker would have to convince a user to visit the website and open a
specially crafted URL, typically by getting them to click a link in an
e-mail message or Instant Messenger message that takes users to the
attacker's website, and then convincing them to click the specially
crafted link. Since by default Microsoft mail programs
restrict links in the message, a malicious e-mail message would have to
include a link to a web page that then had a link to the malicious
What is the Fix For The
Microsoft has not released a patch as of February 11, 2011.
In the mean time, they have suggested that you
lock down the MHTML network protocol. This will prevent MHTML
documents from launching scripts. Any application that uses
scripts within MHTML will be affected by this workaround. It
is unlikely that you will use any such applications. Script
in standard HTML files is not affected by this workaround.
Microsoft supplied a FixIt to automate this
fix. They also supplied instructions on how to manually
change the registry to lock down the MHTML network protocol.
Microsoft is also working with other companies to
develop server-side protections to prevent attacks.
Some Intrusion Prevention Systems (IPS) provide
protection against this vulnerability in their latest update.
Do I Protect My Computer?
IT Professional Services recommends that you
seriously consider deploying Microsoft’s temporary FixIt to
block this attack until an official patch is available.
If you are relying on only Microsoft Update to
keep your PC up-to-date, Microsoft Update will not install the
workaround because it is not the final patch. You must
manually run the Microsoft FixIt
or otherwise make the necessary registry settings to enable the
workaround of locking down the network protocol MHTML.
After implementing this workaround, if you attempt
to open a MHTML link, a yellow information bar will be
displayed in Internet Explorer with the warning "This webpage is trying
to communicate with your computer using a protocol that your security
settings won't allow. Click here for options..." for any link
(URL) with the mhtml: protocol (the first part of the address, similar
to http:). If you do allow the protocol, it will not undo the
MHTML workaround permanently; it will only allow it for that
page. Unless you have a good reason to believe that the page
is safe (beyond just it being a well known or trusted website), you should not approve enabling
the MHTML protocol.
We think that there will be no negative effect of
this workaround, that is, you should not see the warning
discussed above for any legitimate use (documents and web
pages that have not been compromised). If there is no script
content in an MHT file, the MHT file will be displayed
normally without any issue. Most often, MHTML is used behind
the scenes (not via a URL with the mhtml: protocol, which is how the
vulnerability is exploited), and those scenarios will not be impacted
by the network protocol lockdown. MHTML is rarely used via a
Is My Server At Risk?
There are two potential risks for
servers. First, if the server is used to browse the Internet,
the risk is the same as above. Second, web servers could be
used to deliver malicious MHTML pages.
As discussed in the Analysis section above, by
default servers have a locked down configuration of Internet Explorer
and are less at risk. Also, you should not be using a server
for web browsing. However, if you view web pages on a server
from a trusted domain, they are at the same risk as workstations
PCs. Therefore, it would be wise to check the trusted domains
list in the Internet Options and remove any domains that are not really
trusted, especially any that display unvetted advertisements.
However, it is possible that even a trusted website could be used to
deliver malicious content. Therefore, installing the
workaround even on servers is advisable.
The impact of scripting injected into the
server-side is dependent on how the service itself is
implemented. Any service that allows user input to be
reflected back to the user could be affected by this issue.
Currently there is no workaround for the server-side short of
reprogramming the server.
For example, it was possible to inject a valid
mhtml document into a support page hosted on mail.google.com.
(Google fixed that problem in early March 2011.)
Google says that it has deployed “various server-side defenses” to make
the MHTML vulnerability harder to exploit, adding that although the
measures are in place, they cannot be guaranteed to be 100%
reliable. They recommend installing Microsoft's temporary fix
until an official patch is available.
IT Professional Services performed a deployment of
the workaround recommended by Microsoft to all systems under Managed Care.
Microsoft Security Advisory 2501696
Microsoft MHTML Vulnerability Workaround
Microsoft Security Response Center blog: Microsoft releases Security Advisory 2501696
Microsoft Security Research & Defense blog: More information about the MHTML Script
Google Online Security Blog: MHTML vulnerability under active exploitation
US-CERT Alert: VU#326549
MITRE Common Vulnerabilities and Exposures: CVE-2011-0096
If you need assistance installing protection from
this vulnerability or a security assessment, IT Professional
can help. Call our
out more about our Managed
To find out how vulnerable your network is
schedule a free network security analysis today.
We at IT Professional Services (ITPS)
hope that the information in this bulletin is valuable to you. ITPS
believes the information provided herein is reliable. While care has
been taken to ensure accuracy, your use of the information contained in
this bulletin is at your sole risk. All information in this bulletin is
provided "as-is", without any warranty, whether express or implied, of
its accuracy, completeness, fitness for a particular purpose, title or
non-infringement, and none of the third-party products or information
mentioned in the bulletin are authored, recommended, supported or
guaranteed by ITPS. ITPS shall not be liable for any damages you may
sustain by using this information, whether direct, indirect, special,
incidental or consequential, even if it has been advised of the
possibility of such damages.