Security Alerts

Security Warning:   Unpatched Vulnerability in MHTML Being Exploited
2/11/2011

Threat Level

Warning:  A vulnerability is being actively exploited in very targeted attacks.

(A "warning" alert is for a situation that are currently occurring or conditions are right for the situation to occur soon.)

Severity:  High.

Media attention: Information Technology blogs and trade magazines are carrying this story.

Affected Software

• Windows XP and later
• The iPhone and Android browsers are also possibly vulnerable

History of the Vulnerability

MHTML (MIME Encapsulation of Aggregate HTML) is an Internet standard for a web page archive format introduced by Microsoft in 1999 used to combine resources that are typically represented by external links (such as images, Flash animations, Java applets, audio files) together with HTML code into a single file.  The content of an MHTML file is encoded as if it were an HTML e-mail message, using the MIME type multipart/related.  It is supported in Internet Explorer, Opera, WebKit-based browsers, and (with an extension) Firefox.  Windows Explorer will open files with the .mht extension as MHTML.  MHTML protocol is a prefix (mhtml:) to an internet web address (URL, hyperlink) for an MHTML document.

The vulnerability is in the Microsoft Windows MHTML protocol handler.

The vulnerability was thought to be so difficult to exploit that it was unlikely to happen and Microsoft is also apparently having a hard time getting a quality patch for it.  A patch for it was not included in the scheduled second Tuesday patches for March.

A Google engineer warned Microsoft about the flaw back in July.  Microsoft maintains that it was unable to reproduce the problem until December.  In January the Google engineer publically disclosed some technical details and released a hacking tool that could be used to find the bug, saying that he was concerned that Chinese hackers may have already discovered the problem.  Presumably he was trying to force Microsoft to fix the vulnerability.  Releasing details in that way puts information in the hands of those who can use it maliciously.

Although reports are that the attacks have been very targeted so far, any vulnerability in Windows is likely to be exploited quickly by criminals before a patch become widely deployed.  The availability of proof-of-concept code just makes it easier for the criminals to exploit the vulnerability.

A few days after Microsoft released the scheduled patches for March, we learned that targeted attacks using the MHTML vulnerability have been discovered.  Microsoft updated their security advisory on Friday, March 11, 2011 with that information.

Analysis

The vulnerability is an injection problem, that is, a well known and trusted web site could be compromised to run a malicious script when you access a page on that server.  The problem might need to be fixed on web servers.  Google is already working to protect their servers, but you cannot depend on every web server to fix the problem.  So, you need some protection on workstation computers (those from which you browse the Internet).

Google Online Security said, "The abuse of this vulnerability is also interesting because it represents a new quality in the exploitation of web-level vulnerabilities.  To date, similar attacks focused on directly compromising users' systems, as opposed to leveraging vulnerabilities to interact with web services."

Windows servers already have a locked down browser configuration that would prevent the malicious script from running, but you have to be careful that you have not trusted sites that could be compromised because trusted sites will be able to run script in the locked down browser configuration on Windows servers.

Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone, which disables script and ActiveX controls, removing the risk of an attacker being able to use this vulnerability to execute malicious code.

How Are Systems Compromised?

A website could contain a specially crafted link (mhtml:) that is used to exploit this vulnerability.  An attacker would have to convince a user to visit the website and open a specially crafted URL, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's website, and then convincing them to click the specially crafted link.  Since by default Microsoft mail programs restrict links in the message, a malicious e-mail message would have to include a link to a web page that then had a link to the malicious MHTML document.

What is the Fix For The Vulnerability?

In the mean time, they have suggested that you lock down the MHTML network protocol.  This will prevent MHTML documents from launching scripts.  Any application that uses scripts within MHTML will be affected by this workaround.  It is unlikely that you will use any such applications.  Script in standard HTML files is not affected by this workaround.

Microsoft supplied a FixIt to automate this fix.  They also supplied instructions on how to manually change the registry to lock down the MHTML network protocol.

Microsoft is also working with other companies to develop server-side protections to prevent attacks.

Some Intrusion Prevention Systems (IPS) provide protection against this vulnerability in their latest update.

How Do I Protect My Computer?

IT Professional Services recommends that you seriously consider deploying Microsoft’s temporary FixIt to block this attack until an official patch is available.

If you are relying on only Microsoft Update to keep your PC up-to-date, Microsoft Update will not install the workaround because it is not the final patch.  You must manually run the Microsoft FixIt or otherwise make the necessary registry settings to enable the workaround of locking down the network protocol MHTML.

After implementing this workaround, if you attempt to open a MHTML link, a yellow information bar will be displayed in Internet Explorer with the warning "This webpage is trying to communicate with your computer using a protocol that your security settings won't allow.  Click here for options..." for any link (URL) with the mhtml: protocol (the first part of the address, similar to http:).  If you do allow the protocol, it will not undo the MHTML workaround permanently; it will only allow it for that page.  Unless you have a good reason to believe that the page is safe (beyond just it being a well known or trusted website), you should not approve enabling the MHTML protocol.

We think that there will be no negative effect of this workaround, that is, you should not see the warning discussed  above for any legitimate use (documents and web pages that have not been compromised).  If there is no script content in  an MHT file, the MHT file will be displayed normally without any issue.  Most often, MHTML is used behind the scenes (not via a URL with the mhtml: protocol, which is how the vulnerability is exploited), and those scenarios will not be impacted by the network protocol lockdown.  MHTML is rarely used via a hyperlink.

Is My Server At Risk?

There are two potential risks for servers.  First, if the server is used to browse the Internet, the risk is the same as above.  Second, web servers could be used to deliver malicious MHTML pages.

As discussed in the Analysis section above, by default servers have a locked down configuration of Internet Explorer and are less at risk.  Also, you should not be using a server for web browsing.  However, if you view web pages on a server from a trusted domain, they are at the same risk as workstations PCs.  Therefore, it would be wise to check the trusted domains list in the Internet Options and remove any domains that are not really trusted, especially any that display unvetted advertisements.  However, it is possible that even a trusted website could be used to deliver malicious content.  Therefore, installing the workaround even on servers is advisable.

The impact of scripting injected into the server-side is dependent on how the service itself is implemented.  Any service that allows user input to be reflected back to the user could be affected by this issue.  Currently there is no workaround for the server-side short of reprogramming the server.

For example, it was possible to inject a valid mhtml document into a support page hosted on mail.google.com.  (Google fixed that problem in early March 2011.)  Google says that it has deployed “various server-side defenses” to make the MHTML vulnerability harder to exploit, adding that although the measures are in place, they cannot be guaranteed to be 100% reliable.  They recommend installing Microsoft's temporary fix until an official patch is available.

Managed Services

IT Professional Services performed a deployment of the workaround recommended by Microsoft to all systems under Managed Care.

More Information

Professional Services

If you need assistance installing protection from this vulnerability or a security assessment, IT Professional Services can help. Call our help desk.

Find out more about our Managed Care service.

To find out how vulnerable your network is schedule a free network security analysis today.

We at IT Professional Services (ITPS) hope that the information in this bulletin is valuable to you. ITPS believes the information provided herein is reliable. While care has been taken to ensure accuracy, your use of the information contained in this bulletin is at your sole risk. All information in this bulletin is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the bulletin are authored, recommended, supported or guaranteed by ITPS. ITPS shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.