Microsoft on Friday warned that all Windows desktops and servers were vulnerable to a script-handling flaw that could allow an attacker to spoof information displayed in a browser.
The disclosure was made in response to the publishing of a proof-of-concept distributed on the internet which uncovered problems in the way Windows handles MIME-formatted requests.
Maliciously-crafted script that runs on the client side could “spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user,” Microsoft warned.
“The impact is the same a server-side cross-site scripting issue, but the vulnerability lies in the client,” Microsoft explained.
All Windows-run web services that interact with users via input fields are vulnerable, according to Microsoft.
While Redmond has identified a relatively simple client-side work-around, the temporary fix for servers is more complicated, prompting Microsoft to call in Google and other service providers to help solve the problem.
Without a patch or a server side work-around, Microsoft advised web site operators to tell customers to lock down the MHTML protocol handler.
More information can be found here.
iTnews Executive Retreat - Security Leaders Edition
Huntress + Eftsure Virtual Event -Fighting A New Frontier of Cyber-Fraud: How Leaders Can Work Together
iTnews Cloud Covered Breakfast Summit
Live & Hands On Demo: Navigating the BMC AMI DevX Platform to Understand Code Faster Using AI
Melbourne Cloud & Datacenter Convention 2026
.jpg&h=271&w=480&c=1&s=1)
_(1).jpg&h=140&w=231&c=1&s=0)
