Check: 2011-B-0065
windows 7 iavm:
2011-B-0065
(in version v1 r32)
Title
Microsoft MHTML Information Disclosure Vulnerability (Cat II impact)
Discussion
Microsoft has released a security bulletin addressing a vulnerability affecting Windows MHTML. MHTML (MIME Encapsulation of Aggregate HTML) is an Internet standard that defines the MIME structure that is used to wrap HTML content.

To exploit this vulnerability, an attacker would host a malicious web site and entice a user to access the site by clicking on a link. If successfully exploited, this vulnerability would allow an attacker to gain access to sensitive information, spoof content, or execute arbitrary code to compromise the affected system. At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

MHTML Mime-Formatted Request Vulnerability - (CVE-2011-1894): An information disclosure vulnerability exists in the way that MHTML interprets MIME-formatted requests for content that are embedded in an HTML document. Similar to server-side cross-site scripting (XSS) vulnerabilities, it is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response to a web request run in the context of the user's instance of Internet Explorer. The vulnerability is caused when MHTML interprets MIME-formatted requests for content that are embedded in an HTML document, making it possible for an attacker to run script in the wrong security context (for example, some scripts could be run in the incorrect Internet Explorer security zone).
Check Content
See IAVM notice and vendor bulletin for additional information. Microsoft Bulletin MS11-037 (2544893).

Vulnerable Applications/Systems:

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2 (x86, x64, and Itanium)
- Windows Vista SP1 and SP2 (x86 and x64)
- Windows Server 2008 and Windows Server 2008 SP2 (x86\*, x64\*, and Itanium)
- Windows 7 and Windows 7 SP1 (x86 and x64)
- Windows Server 2008 R2 and Windows Server 2008 R2 SP1 (x64\* and Itanium)

\*Server Core installation not affected.

Verify that the patch has been installed by checking that the following sample file is at the version indicated or later. See the vendor bulletin for additional information and any Vulnerable Systems/Applications not listed below.

Inetcomm.dll

Operating system | Version |
---|---|
Windows XP SP3 | 6.0.2900.6109 |
Windows XP SP2 x64 | 6.0.3790.4862 |
Windows 2003 SP2 | 6.0.3790.4862 |
Windows Vista SP1 / 2008 | 6.0.6001.18645 or 22911 |
Windows Vista SP2 / 2008 SP2 | 6.0.6002.18463 or 22634 |
Windows 7 / 2008 R2 | 6.1.7600.16807 or 20958 |
Windows 7 / 2008 R2 SP1 | 6.1.7601.17609 or 21719 |
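An added example (not part of the original check or the vendor bulletin) of the version comparison the Check Content describes, in PowerShell. The file location under System32 and the reading of the "or" entries as two revision ranges split at 20000 are assumptions; the version numbers are the ones listed above.

```powershell
# Added example. Minimum Inetcomm.dll revisions copied from the Check Content
# list above, keyed by Major.Minor.Build. Two values = the "A or B" entries.
$Minimums = @{
    '6.0.2900' = @(6109)           # Windows XP SP3
    '6.0.3790' = @(4862)           # Windows XP SP2 x64, Windows 2003 SP2
    '6.0.6001' = @(18645, 22911)   # Windows Vista SP1 / 2008
    '6.0.6002' = @(18463, 22634)   # Windows Vista SP2 / 2008 SP2
    '6.1.7600' = @(16807, 20958)   # Windows 7 / 2008 R2
    '6.1.7601' = @(17609, 21719)   # Windows 7 / 2008 R2 SP1
}

function Test-InetcommVersion {
    param([Parameter(Mandatory = $true)][version]$Version)
    $key = '{0}.{1}.{2}' -f $Version.Major, $Version.Minor, $Version.Build
    if (-not $Minimums.ContainsKey($key)) { return $null }   # build not in the list
    $floors = $Minimums[$key]
    $floor = $floors[0]
    # Assumption: on "A or B" entries, revisions of 20000 and up are compared with B.
    if ($floors.Count -eq 2 -and $Version.Revision -ge 20000) { $floor = $floors[1] }
    return ($Version.Revision -ge $floor)
}

function Get-InetcommVersion {
    # Assumed location of the file; pass -Path to check a different copy.
    param([string]$Path = (Join-Path $env:SystemRoot 'System32\inetcomm.dll'))
    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    # Use the numeric parts; the FileVersion string can carry trailing text.
    New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

# Constructed sample versions, to show the comparison without touching a host.
foreach ($s in '6.1.7601.17609', '6.1.7601.17514', '6.1.7601.21000', '6.1.7601.21719') {
    '{0} -> {1}' -f $s, (Test-InetcommVersion -Version $s)
}

# Check the local file (run on the Windows system being assessed).
$installed = Get-InetcommVersion
$result = Test-InetcommVersion -Version $installed
if ($null -eq $result) {
    "inetcomm.dll $installed : build not listed, see the vendor bulletin"
} elseif ($result) {
    "inetcomm.dll $installed : at or above the listed version"
} else {
    "inetcomm.dll $installed : below the listed version"
}
```

The constructed sample 6.1.7601.21000 shows why the two numbers are kept apart: it is greater than 6.1.7601.17609 in a plain version comparison, yet below the second listed revision, 21719.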
Fix Text
Additional Identifiers
Rule ID:
Vulnerability ID: V-28617
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |