The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

security bulletin CVE-2011-1894

Windows: script execution via MHTML

Synthesis of the vulnerability

An attacker can invite the victim to click on a "mhtml:" link, in order to execute script code on his computer.
Severity of this bulletin: 2/4.
Creation date: 15/06/2011.
References of this threat: 2544893, BID-48205, CERTA-2011-AVI-345, CVE-2011-1894, MS11-037, VIGILANCE-VUL-10731.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

RFC 2557 defines the MHTML (MIME Encapsulation of HTML) format, which is used to store an HTML document and its images in a single file. When the user clicks on a "mhtml:" URL, Internet Explorer is invoked.

The HTML "EMBED" element is used to insert a document (audio, video, etc.) into an HTML page. However, EMBED elements can also contain script code, which Internet Explorer interprets in the wrong security context.

An attacker can therefore invite the victim to click on a "mhtml:" link, in order to execute script code on his computer.
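As an added defensive example (not part of this bulletin), the following script parses an MHTML file per RFC 2557 with Python's email package and lists the EMBED elements found in its HTML parts, so a gateway or forensic triage step can flag such files for review; the sample file, the `example.invalid` location and the script-scheme heuristic are constructed assumptions.

```python
# Added triage example (not from the Vigil@nce bulletin): parse an MHTML
# (RFC 2557) file with Python's email package and report EMBED elements in
# its HTML parts. Sample file and scheme heuristic are constructed assumptions.
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample: multipart/related MHTML with one HTML part holding two EMBEDs.
SAMPLE_MHTML = b"""\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000"

------=_NextPart_000
Content-Type: text/html; charset="utf-8"
Content-Location: http://example.invalid/index.html

<html><body>
<embed src="javascript:placeholder" type="text/html">
<embed src="cid:clip.wav" type="audio/wav">
</body></html>
------=_NextPart_000--
"""

SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")  # heuristic, an assumption

class EmbedCollector(HTMLParser):
    # Collect the attributes of every EMBED element in an HTML document.
    def __init__(self):
        super().__init__()
        self.embeds = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "embed":
            self.embeds.append({k.lower(): (v or "") for k, v in attrs})

def find_embeds(mhtml_bytes):
    # Return (content_location, attrs) for each EMBED in every text/html part.
    msg = email.message_from_bytes(mhtml_bytes, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = EmbedCollector()
        collector.feed(part.get_content())
        location = str(part.get("Content-Location", "<no location>"))
        found.extend((location, e) for e in collector.embeds)
    return found

def suspicious_embeds(mhtml_bytes):
    # Flag EMBEDs whose src uses a script-capable URL scheme (heuristic).
    return [(loc, e) for loc, e in find_embeds(mhtml_bytes)
            if e.get("src", "").strip().lower().startswith(SCRIPT_SCHEMES)]
```

Any EMBED in an MHTML file is worth a second look on an unpatched host; the scheme filter only narrows the list to the most obvious cases.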

This cybersecurity announcement impacts software or systems such as Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows 95, Windows Vista, Windows XP.

Our Vigil@nce team determined that the severity of this threat alert is medium.

The trust level is "confirmed by the vendor", with an origin of "document".

An attacker with expert skill can exploit this vulnerability.

Solutions for this threat

Windows: patch for MHTML.
A patch is available:
Windows XP SP3
Windows XP x64 SP2
Windows 2003 SP2
Windows 2003 x64 SP2
Windows 2003 Itanium SP2
Windows Vista SP1, SP2
Windows Vista x64 SP1, SP2
Windows Server 2008 32-bit Gold, SP2
Windows Server 2008 x64 Gold, SP2
Windows Server 2008 Itanium Gold, SP2
Windows 7 for 32-bit Gold, SP1
Windows 7 for x64 Gold, SP1
Windows Server 2008 R2 x64 Gold, SP1
Windows Server 2008 R2 Itanium Gold, SP1
The Microsoft announcement indicates workarounds.

Computer vulnerabilities tracking service

Vigil@nce provides a computer security bulletin. The Vigil@nce vulnerability database contains several thousand vulnerabilities. The technology watch team tracks security threats targeting the computer system. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.