Microsoft has issued a security advisory over a flaw in all versions of Windows that could allow an attacker to run malicious scripts in Internet Explorer, to hoover up sensitive details or get folks to install malware.
According to Microsoft, the vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document.
The security advisory explains: “It is possible under certain conditions for this vulnerability to allow an attacker to inject a client-side script in the response of a Web request run in the context of the victim’s Internet Explorer.”
“The script could spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user.”
Fortunately, Microsoft notes that there is no indication that this particular vulnerability is currently being exploited. A patch is underway, which will hopefully beat any attempts to do so.
Whether Microsoft issues the patch out of cycle or as part of its monthly release of updates remains to be seen, and apparently depends on “customer needs”.
Browsers such as Firefox and Chrome aren’t affected, because they don’t support MHTML, at least not in their default state.