Microsoft Warns of Script Attacks in IE
Microsoft is warning Windows users of a new “critical” vulnerability that affects all supported versions of the company’s Windows operating system.
The issue, detailed in Security Advisory 2501696–released last week–details a vulnerability in the way Internet Explorer handles MHTML on certain types of Web pages and document objects. As a result, hackers and other third parties that exploit the vulnerability can gain access to a user’s information, or their computer through script injection.
In its advisory, Microsoft states it had “not seen any indications of active exploitation of the vulnerability,” but that the company was aware of “proof-of-concept code” that attempts to exploit it.
To keep the vulnerability at bay, Microsoft has issued suggestions for users to lock down Active Scripting, and ActiveX controls in Internet Explorer, as well as MHTML. Microsoft also said it was working with service providers to investigate server-side workarounds to the issue, as well as including any fixes in future software security updates.
Additional information on this vulnerability can be found here:
In an effort to help less technical users get a handle on this problem before a patch or windows update is released, they have provided a temporary solution. Microsoft has released an easy to use “Fix it” application that allows users to simply click and enable locking down MHTML as well as a way to “Disable” the fix in the same manner.
You can find it here: http://support.microsoft.com/kb/2501696
The fixit solution described above is not intended to be a replacement for any security update. We recommend that you always install the latest security updates. However, Microsoft offers this fixit solution as a workaround option for some scenarios.