The attack enables “unintended information disclosure” rather than taking control of the user’s entire computer system. Microsoft is currently working on a security patch for all versions of Windows which would “lock down the MHTML protocol and effectively address the issue on the client system where it exists,” says Angela Gunn, a security response communications manager at Microsoft. Microsoft has not announced a date for the coming patch release, although the company typically provides patches on the second Tuesday of each month.
According to Microsoft, the Zero Day Hole is a Windows hole, although the script itself exploits Internet Explorer. The only two browsers that support MHTML are Internet Explorer and Opera. Computer users can protect themselves from the malicious script while waiting for Microsoft’s patch by turning off MHTML. To turn off MHTML, computer users must either manually edit the Windows Registry or use Microsoft’s Fix It tool. Directions for manually editing the registry can be found at www.networkworld.com.
January 2011 was a light security patch release month for Microsoft, with only three security patches released.
Add your two cents:
Did you know that more people prefer FireFox over Internet Explorer? Which do you prefer? Networkworld.com reports that MHTML crashes Firefox. Have you found that to be true?