Microsoft on Friday warned that all Windows desktops and servers were vulnerable to a script-handling flaw that could allow an attacker to spoof information displayed in a browser.
The disclosure was made in response to the publishing of a proof-of-concept distributed on the internet which uncovered problems in the way Windows handles MIME-formatted requests.
Maliciously-crafted script that runs on the client side could “spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user,” Microsoft warned.
“The impact is the same a server-side cross-site scripting issue, but the vulnerability lies in the client,” Microsoft explained.
All Windows-run web services that interact with users via input fields are vulnerable, according to Microsoft.
While Redmond has identified a relatively simple client-side work-around, the temporary fix for servers is more complicated, prompting Microsoft to call in Google and other service providers to help solve the problem.
Without a patch or a server side work-around, Microsoft advised web site operators to tell customers to lock down the MHTML protocol handler.
More information can be found here.
Copyright © iTnews.com.au . All rights reserved.
A confirmation email has been sent to your email address - SUPPLIED GOES EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @itnews.com.au to your white-listed senders.