Windows Problem - MIME HTML
On Friday 28 January 2011, Microsoft released a security advisory stating that Windows (all versions, including XP, Vista, and Windows 7) is vulnerable to a hack. The entry point for this hack is the Internet Explorer or Opera browser. There is no problem with the browsers; the problem is with Windows.
The hack makes use of the MIME HTML format. This is a Microsoft-developed standard that allows multi-part messages (messages using more than one of text, images, script, HTML, etc.). The vulnerability is a zero-day hack, meaning that code that exploits the vulnerability was seen on the Internet before Microsoft knew there was a problem.
The problem can occur when you visit a web page (or potentially an email) that has this hack embedded in it. The embedding may be intentional or unintentional. Since it is not obvious that the vulnerability is being exploited, you need to fix your copy of Windows. Fortunately, Microsoft has provided a fix for this.
First, the problem. The code that determines if you are vulnerable to the hack is listed below. I found it on the TechWeb site in "More information about the MHTML Script Injection vulnerability".
From: "Test"
Subject:
Date: Mon, 1 Jan 1111 11:11:11 -0800
MIME-Version: 1.0
Content-Type: text/html;
	charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft MimeOLE V6.1.7600.16543

=EF=BB=BF
<HTML><HEAD>
<META content=3D"text/html; charset=3Dutf-8" http-equiv=3DContent-Type>
<SCRIPT>
function foo()
{
alert("hello");
}
</SCRIPT>
<META name=3DGENERATOR content=3D"MSHTML 8.00.7600.16700"></HEAD>
<BODY onload=3Dfoo()>test MHTML protocol </BODY></HTML>
For convenience, I have put this file on realism.com at http://realism.com/files/browser-vulnerabilities/MHTML-Script-Injection.mht. If you are vulnerable and you access that link in Internet Explorer or Opera, you will get a pop-up that says "hello". No pop-up (in IE or Opera) means that you are not vulnerable.
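As an added example (not part of the original post and not Microsoft's code), the Python below shows how a defender could inspect a MIME HTML file like the one above before opening it: it undoes the quoted-printable encoding of each text/html part and reports script elements and inline event handlers. The sample message is constructed from the test file shown above, and the names scan_mhtml and ActiveContentFinder are assumptions of this example.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample, modelled on the test file shown above.
SAMPLE_MHT = (
    'From: "Test"\n'
    'MIME-Version: 1.0\n'
    'Content-Type: text/html;\n\tcharset="utf-8"\n'
    'Content-Transfer-Encoding: quoted-printable\n'
    '\n'
    '=EF=BB=BF<HTML><HEAD>\n'
    '<SCRIPT>function foo(){alert("hello");}</SCRIPT></HEAD>\n'
    '<BODY onload=3Dfoo()>test MHTML protocol </BODY></HTML>\n'
)


class ActiveContentFinder(HTMLParser):
    """Collects <script> elements and inline on* event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag == "script":
            self.findings.append(("script-element", tag))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(("event-handler", f"{tag} {name}={value}"))


def scan_mhtml(raw: str):
    """Return active-content findings for every text/html part of a MIME message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():  # also yields the message itself when it is single-part
        if part.get_content_type() != "text/html":
            continue
        # get_content() undoes the transfer encoding (=3D -> "=") and the charset.
        finder = ActiveContentFinder()
        finder.feed(part.get_content())
        finder.close()
        findings.extend(finder.findings)
    return findings


if __name__ == "__main__":
    for kind, detail in scan_mhtml(SAMPLE_MHT):
        print(kind, detail)
```

Scanning the decoded part matters because the raw file contains `onload=3Dfoo()`, which a plain text search for `onload=foo` would miss.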
To fix the vulnerability you need to do one of the following:
- Download and execute the .msi file at http://go.microsoft.com/?linkid=9760419 (direct download). This disables the processing of MHTML files and blocks the vulnerability. The feature can be restored by downloading and executing the file at http://go.microsoft.com/?linkid=9760420. The reference page for these files is http://support.microsoft.com/kb/2501696. It is not necessary to use Internet Explorer or Opera to download those files.
- Network World has the Registry code for 32-bit and 64-bit systems listed on their website in "How to protect Windows from the new MHTML zero-day hole". Follow the instructions on that page for your system.
Note that not using Internet Explorer or Opera does not eliminate the vulnerability - it just does not open that access method.
- Leonard Daly's blog
