
CERT-In Vulnerability Note CIVN-2006-78
Microsoft Windows MHTML Parsing Vulnerability

Original Issue Date: August 09, 2006

Severity Rating: Medium

Systems Affected

  • Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  • Microsoft Windows Server 2003 x64 Edition
  • Outlook Express 6 on Microsoft Windows XP Service Pack 2, XP Professional x64 Edition
  • Outlook Express 6 on Microsoft Windows Server 2003 Service Pack 1, x64 Edition
  • Outlook Express 6 on Microsoft Windows Server 2003 with SP1 for Itanium-based Systems

Overview

A Remote Code Execution vulnerability has been reported in Microsoft Windows due to incorrect parsing of the MHTML protocol.

Description

MHTML extends HTML to embed encoded objects, such as images, in the HTML document. Although it is actually the HTML rendering extension that renders MHTML, this functionality may also be referred to as the MHTML rendering extension.

A vulnerability has been reported in Microsoft Windows due to incorrect parsing of the MHTML protocol. Malicious users can exploit this vulnerability by crafting a malicious web page, link or HTML e-mail; this could lead to remote code execution if a user visits a specially crafted Web site or clicks a link in a specially crafted e-mail message. After successful exploitation, a malicious user could act as an authorized user and view, create or delete data with full administrative rights.

Workarounds

  • Disable Active Scripting or configure Internet Explorer to prompt before running Active Scripting.
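The following PowerShell script is an added example, not part of the CERT-In note, showing how to audit and apply the workaround above for the current user. It assumes the standard Internet Explorer zone registry layout, where URL action 1400 controls Active Scripting (0 = Enable, 1 = Prompt, 3 = Disable) in the Internet (3) and Restricted Sites (4) zones.

```powershell
# Added example (not from the CERT-In note): audit and apply the
# "disable or prompt for Active Scripting" workaround for the current user.
# URL action 1400 = Active Scripting; 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneRoot        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveScripting = '1400'
$Meaning         = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingSetting {
    param([int]$Zone)
    $key  = Join-Path $ZoneRoot $Zone
    $item = Get-ItemProperty -Path $key -Name $ActiveScripting -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: the zone default applies
    return [int]$item.$ActiveScripting
}

function Set-ActiveScriptingSetting {
    param([int]$Zone, [ValidateSet(0, 1, 3)][int]$Value)
    $key = Join-Path $ZoneRoot $Zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $ActiveScripting -Value $Value -Type DWord
}

# Audit the Internet (3) and Restricted Sites (4) zones and fix any zone
# where Active Scripting is still enabled or left at an unset default.
foreach ($zone in 3, 4) {
    $current = Get-ActiveScriptingSetting -Zone $zone
    $label   = if ($null -eq $current) { 'not set (zone default)' } else { $Meaning[$current] }
    Write-Output ("Zone {0}: Active Scripting = {1}" -f $zone, $label)
    if ($null -eq $current -or $current -eq 0) {
        # Workaround: Prompt (1) in the Internet zone, Disable (3) in Restricted Sites.
        $target = if ($zone -eq 3) { 1 } else { 3 }
        Set-ActiveScriptingSetting -Zone $zone -Value $target
        Write-Output ("  -> set to {0}" -f $Meaning[$target])
    }
}
```

These are per-user settings; a zone policy deployed under the HKLM or Policies hives by Group Policy takes precedence over them, so check there as well when auditing a managed machine.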

Solution

Apply the appropriate patches as described in Microsoft Security Bulletin MS06-043.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-043.mspx

References

Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS06-043.mspx

Security Focus
http://www.securityfocus.com/bid/18198

FrSIRT
http://www.frsirt.com/english/advisories/2006/2088

Secunia
http://secunia.com/advisories/20384

CVE Name
CVE-2006-2766

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003