Microsoft Warns Of Windows Security Flaw
The company issued a statement Friday saying it is "aware of published information and proof-of-concept code that attempts to exploit this vulnerability," but said it has not seen any indications of active exploitation of the vulnerability."
The discovered bug affects versions of Windows XP, Windows 7, Windows Vista, Windows Server 2003 and Windows Server 2008.
Microsoft said it is working with partners in the Microsoft Active Protections Program to get word of the Windows security vulnerability to their customers. While Microsoft is considering possible server-side workarounds for the problem, delivered as part of the monthly "Patch Tuesday" update or as a separate security update, the company recommends that customers apply a client-side workaround included in the advisory.
Microsoft described the vulnerability as "similar to server-side, cross-site scripting (XSS) vulnerabilities." It exists because of the way MHTML interprets MIME-formatted requests for content blocks within a document. That could allow an attacker to inject a client-side script in the response of a Web request run in a user's Internet Explorer browser.
"The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user," Microsoft said.
Microsoft said more information is available at the Microsoft Security Response Center blog.