Information disclosure in MHTML in Microsoft Windows



Published: 2011-01-28 | Updated: 2017-03-16
Risk: Medium
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2011-0096
CWE-ID: CWE-79
Exploitation vector: Network
Public exploit: This vulnerability is being exploited in the wild.
Vulnerable software
Windows
Operating systems & Components / Operating system

Windows Server
Operating systems & Components / Operating system

Vendor: Microsoft

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Cross-site scripting

EUVDB-ID: #VU2841

Risk: Medium

CVSSv3.1: 5.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C]

CVE-ID: CVE-2011-0096

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user input passed via MIME-formatted requests for content blocks within a document. A remote attacker can trick the victim into following a specially crafted "MHTML:" link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.


Mitigation

Install the update from the vendor's website:

Windows XP Service Pack 3:
https://www.microsoft.com/downloads/details.aspx?familyid=7F0A4616-8E3E-4925-9D95-CE6E614E45AE
Windows XP Professional x64 Edition Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?familyid=B01FE9A5-66A4-4683-963B-E78AEA214579
Windows Server 2003 Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?familyid=0209A004-F23A-40D9-991F-864046F4605F
Windows Server 2003 x64 Edition Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?familyid=6C287571-54EA-4298-8B7D-B98B2C830CC3
Windows Server 2003 with SP2 for Itanium-based Systems:
https://www.microsoft.com/downloads/details.aspx?familyid=3FB450A0-D087-4F36-9301-05FFBF94CC1A
Windows Vista Service Pack 1 and Windows Vista Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?familyid=C8FCE0FB-4C90-479B-8CE9-75E60D52D256
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?familyid=7DA10B64-D0A9-4E42-AA3A-87C657122A8C
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?familyid=036F1285-7484-4E3B-8799-2C6C08166596
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?familyid=1438CEC8-8DAB-4510-AD75-DC6959DAC0D8
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2:
https://www.microsoft.com/downloads/details.aspx?familyid=F35ECDD1-6B5C-40E7-A00B-CA083BDF5CBA
Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1:
https://www.microsoft.com/downloads/details.aspx?familyid=AED201C1-F1FB-4DF9-8875-6F57EA0EB15B
Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1:
https://www.microsoft.com/downloads/details.aspx?familyid=1A32BF04-7EED-4D27-A8E4-054B4A5B76CB
Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1:
https://www.microsoft.com/downloads/details.aspx?familyid=665FAA7E-2368-4421-9DD5-EA6DF2C79498
Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1:
https://www.microsoft.com/downloads/details.aspx?familyid=140EA384-2877-401F-AC3B-F84F6966E970

Vulnerable software versions

Windows: 7 - XP

Windows Server: 2003 - 2008

External links

http://technet.microsoft.com/en-us/library/security/ms11-026


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.


