MS Releases Lock-Down Fix for Critical MHTML Bug
Hackers are actively exploiting a bug that involves both Windows and Internet Explorer. Google believes the hackers may be targeting specific users.
The bug involves MHTML, which is a special format designed to combine all the different files of a web page, such as the coding for the text and layout, the image files and video files, into a single file. It was originally developed as a way for a user to save an entire webpage to their desktop without winding up with a messy collection of files, but can also be used as a web link.
The vulnerability involves the way that Internet Explorer and Windows interact in using the MHTML system. The gist of the issue is that a malicious link could not only cause the computer to load the relevant files, but also to run a script. In other words, the MHTML bug can carry out a sequence of actions determined by an attacker.
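What "a single file" means in practice, as an added example that is not from the original article, Microsoft or Google: an MHTML archive is a MIME multipart/related message, so Python's standard email parser can list its parts and flag the ones that carry script. The sample archive, the example.test URLs and the inspect_mhtml name are constructed for illustration, and the script check is a simple heuristic.

```python
import email
import re
from email import policy

# Constructed sample: a two-part MHTML archive (MIME multipart/related).
SAMPLE_MHTML = "\r\n".join([
    "Subject: Example page",
    "MIME-Version: 1.0",
    'Content-Type: multipart/related; type="text/html"; boundary="----=_Part_0"',
    "",
    "------=_Part_0",
    'Content-Type: text/html; charset="utf-8"',
    "Content-Transfer-Encoding: quoted-printable",
    "Content-Location: http://example.test/index.html",
    "",
    '<html><body><img src=3D"logo.gif">',
    "<script>document.title=3D'x'</script></body></html>",
    "------=_Part_0",
    "Content-Type: image/gif",
    "Content-Transfer-Encoding: base64",
    "Content-Location: http://example.test/logo.gif",
    "",
    "R0lGODlhAQABAAAAACw=",
    "------=_Part_0--",
    "",
])

MARKUP_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}
SCRIPT_TYPES = {"text/javascript", "application/javascript", "text/vbscript"}
# Heuristic only: script tags, inline event handlers, javascript: URLs.
SCRIPT_RE = re.compile(rb"<script\b|\bon\w+\s*=|javascript:", re.I)

def inspect_mhtml(raw):
    """List every part of an MHTML archive and flag the script-bearing ones."""
    msg = email.message_from_string(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""  # undoes QP / base64
        ctype = part.get_content_type()
        active = ctype in SCRIPT_TYPES or (
            ctype in MARKUP_TYPES and bool(SCRIPT_RE.search(body)))
        parts.append({"location": str(part.get("Content-Location", "")),
                      "type": ctype, "size": len(body), "has_script": active})
    return parts

if __name__ == "__main__":
    for p in inspect_mhtml(SAMPLE_MHTML):
        print(p)
```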
Serious MHTML Attacks Already Underway
Microsoft first announced the problem in January, but at that time it appeared the method would be too complicated for any attackers to take advantage of.
That has now proven not to be the case. Hackers are now known to be using the loophole for three different types of attack: interfering with web browsing; making bogus information appear as if it were on a legitimate website (such as messages designed to trick the user into downloading and installing malware); and collecting information from a user's computer.
Google says it's found evidence hackers are using the MHTML flaw to go after some of its online customers, calling the attacks "highly targeted and apparently politically motivated." It's tweaking its systems to make it harder to exploit the problem, but says this solution is neither 100% reliable nor sustainable. (Source: googleonlinesecurity.blogspot.com)
Temporary MHTML 'Fix It' Available Now
Microsoft has issued a temporary "Fix it" tool that offers greater protection without the need to manually change computer settings. The bug affects all versions of Windows and Internet Explorer, and the "Fix it" tool works on all of them. (Source: microsoft.com)
The "Fix it" tool is only a stopgap measure and it now seems likely Microsoft will offer a full patch as soon as a permanent solution is found -- a task that will have become a much higher priority with the new attacks.
The "Fix it" tool to lock down MHTML is available here.