Microsoft on Friday warned that all Windows desktops and servers were vulnerable to a script-handling flaw that could allow an attacker to spoof information displayed in a browser.
The disclosure was made in response to the publishing of a proof-of-concept distributed on the internet which uncovered problems in the way Windows handles MIME-formatted requests.
Maliciously-crafted script that runs on the client side could “spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user,” Microsoft warned.
“The impact is the same a server-side cross-site scripting issue, but the vulnerability lies in the client,” Microsoft explained.
All Windows-run web services that interact with users via input fields are vulnerable, according to Microsoft.
While Redmond has identified a relatively simple client-side work-around, the temporary fix for servers is more complicated, prompting Microsoft to call in Google and other service providers to help solve the problem.
Without a patch or a server side work-around, Microsoft advised web site operators to tell customers to lock down the MHTML protocol handler.
More information can be found here.