This is the fifth advisory issued by Microsoft this year. It concerns reports of an issue in the handling of MHTML data that impacts all versions of Windows.
The vulnerability could allow an attacker to cause a victim to run malicious scripts when visiting various Web sites, resulting in information disclosure. This impact is similar to server-side cross-site scripting (XSS) vulnerabilities. Microsoft is aware of published information and proof-of-concept code that attempts to exploit this vulnerability. At this time, Microsoft has not seen any indications of active exploitation of the vulnerability.
The Microsoft Security Response Center is actively working with partners to develop solutions to protect customers.
Curious what MHTML is? This is from the MSRC FAQ on the vulnerability:
What is MHTML?
MHTML (MIME Encapsulation of Aggregate HTML) is an Internet standard that defines the MIME structure that is used to wrap HTML content. The MHTML protocol handler in Windows provides a pluggable protocol (MHTML:) that permits MHTML encoded documents to be rendered in applications.
A Knowledge Base article (2501696) is already available. It provides a Microsoft Fix It solution that automates locking down MHTML on your system until the vulnerability is addressed through a security update.
Keep an eye on the MSRC blog to stay up to date on any developments relating to this issue.