MHTML vulnerability under active exploitation

Friday, March 11, 2011 2:13 PM



We’ve noticed some highly targeted and apparently politically motivated attacks against our users. We believe activists may have been a specific target. We’ve also seen attacks against users of another popular social site. All these attacks abuse a publicly-disclosed MHTML vulnerability for which an exploit was publicly posted in January 2011. Users browsing with the Internet Explorer browser are affected.

For now, we recommend concerned users and corporations seriously consider deploying Microsoft’s temporary Fixit to block this attack until an official patch is available.

To help protect users of our services, we have deployed various server-side defenses to make the MHTML vulnerability harder to exploit. That said, these are not tenable long-term solutions, and we can’t guarantee them to be 100% reliable or comprehensive. We’re working with Microsoft to develop a comprehensive solution for this issue.

The abuse of this vulnerability is also interesting because it represents a new quality in the exploitation of web-level vulnerabilities. To date, similar attacks focused on directly compromising users' systems, as opposed to leveraging vulnerabilities to interact with web
services.
The comments you read here belong only to the person who posted them. We do, however, reserve the right to remove off-topic comments.

28 comments:

Roberto Bayardo said...

Wouldn't a better recommendation be to simply *stop using internet explorer*? It's really sad that Microsoft can't patch issues like this in a far more timely fashion.

Wilko said...

Is there a pattern to the activists being attacked - what are the issues they're active on, any common thread?

Frej said...

That is serious... Now it's not only website developers affected. I hope the day when IE legacy stops casting a bad light over MS is soon to come.

Nicci said...

my daughters gmail account was hacked and she was using Internet explorer

Franie said...

Use Google Chrome for the fastest or Firefox for the user friendly experience and don't use IE, we don't.
Fred

plexor said...

As I become more paranoid about my safety everywhere, it seems as though the biggest threat is from the Net - or more precisely - the ongoing threat caused by people who use Microsoft products from Browsers to Servers.
The only apparent solution would be to punish people for using these products the way irresponsible people are finally being punished for texting while driving.

Reverend Magdalen said...

I second the request for more information about what specific type of activist is being targeted. This information could be vital to protecting people in future. Please share at least the general topic of the activism.

Greg Zeng said...

Crippleware (SAFARI, CHROME, CHROMIUM, MOILLA, etc cannot save web pages in one compressed file: mht.

IE & its shells (Cray, Green, Maxthon, etc) probaly are affected by the IE bug as well.

Only truly effective browser is freeware, mistakenly labelled as shareware. It is available on Symbian, Linux, Android, Windows, etc. OPERA.

P J said...

@Greg Zeng

That's funny :) Because this is operating system's hole then opera is also affected ;)

hoptop said...

@P J I'm pretty sure only internet explorer (all versions, including the ie shells mentioned above) is affected, source: http://www.h-online.com/security/news/item/Microsoft-warns-of-cross-site-scripting-in-Windows-1180179.html

Mick said...

Is it *all* political activists? Is it a campaign against one particular flavor?

vu3mes said...

hi

i had two accounts with google mail which i had been using for years now. yesterday i could not access both the accounts and when it was open i had a warning that the accounts were acessessed by an ip no. based in china and duely instructed me to change my passwords. in the inbox i could see the mass mail circualted using my id which was returned non delivered by some addressees.

Scott Grayban said...

Why is anyone using Internet Expolder ? Why is google telling people to use a insecure browser in the first place ??? Seriouisly google if you are going to help at least get it right.

Bob said...

internet explorer is targeted because its the most popular browser. if everyone changed to firefox for example, do you think that attacks would suddenly stop? if you do your totally nieve and unrealistic. Internet explorer is popular, and whether you agree with that or not its not good enough to blame microsoft for the actions of those who will attack them. If firefox had the same market share - then firefox would be under attack. Microsoft bashing is all well and good, but at least have a coherant argument!

TheAllSeeingEye said...

...and the stupidity continues.

Anyone who uses Internet Explorer deserves this anyway!

Graham said...

@Plexor
Are you for real? Punish people for using IE?
People had to use IE in the past, which, quite rightly was fought and won against. Now to punish people for using IE is worse! Say someone uses IE and doen't have a GMail account? Say someone finds a way to hack into ALL browsers, does everyone get punished?
Microsoft are to blame and should be punished, not the users.

Frank.

Alvéric said...

"We’ve noticed some highly targeted and apparently politically motivated attacks against our users"

China against human-rights activists..?

James said...

I've found that any Microsoft product I've used has eventually encountered technical issues. While I understand the price of an iMac or another Apple product can sometimes be prohibitive, I've been using an iMac for several years and encountered very few issues - when I have the issue has been easily resolved. Safari all the way!

Bob said...

i wonder how many microsoft bashers here are actually using a microsoft operating system, and often use other microsoft software...

as far mac's being safe - indeed the are more secure - but again - only because the number of worldwide users are so so much smaller than those using microsoft products. Someone who is set to attack a group of users will obviously go for the largest user base, to cause the most disruption. Macs, safari, firefox are only safe because microsoft is taking the hit for you, not because the software or hardware is any better or more intelligently created. Im well aware of microsofts shortfalls, but i think everyone should imagine a world without microsoft products, sure there linux and all the different flavours thereof, but can you seriously imagine most of the population trying to be productive on a unix box?? absolutly wony happen. unix and linux are excellent - for specific uses. for a user friendly, easy to learn based market- no they arent fit for that purpose.

卢海玲 said...

Chinese government is becoming the new hidden Nazi now. It is torturing ,murdering and fooling its own ordinary citizen inside china. It has more than a quarter of a million internet polices doing all kinds of attacks, stealing info from other countries. The Chinese government is the biggest hiker organization in the world, it going to rule the world by its Mafia rules. All the west countries should work together to fight with it now in order to save everyone include chinese in the world.

pstavroulis said...

Why use gmail? It seems gmail is targeted cause it weak. I have 1 hotmail and 2 yahoo accounts.

Keith said...

@ James,

Safari is not any more secure than other browsers - people simply don't target it like IE is targeted. At PWN2OWN a MacBook Pro was hacked in 5 seconds via a Safari security hole.

http://news.themacfeed.com/2011/03/safari-security-hole-in-only-5-seconds/

amdgangster@gmail.com said...

People in China(here) use gmail because they belive the service of the world's best company is reliable.Google people ,please don't let us down.People may be put in a black jail because they offended the system,that's not a joke.I just don't know where the history is aheading...Anyway,we enjoyed youtube through自由门very much...the world is awesome!

rpr said...

Bob said: "internet explorer is targeted because its the most popular browser ... If firefox had the same market share - then firefox would be under attack."

Have a look at http://en.wikipedia.org/wiki/Usage_share_of_web_browsers The page says that in Feb 2011 the usage shares of most popular browsers were: IE 43.55%, FF 29%, Chrome 13.89%. So, the popularity of IE is not much larger than that of FF, but still IE is much more exploited for cyber attacks. I conclude that IE is much more vulnerable.

Adrianna said...

in the past day i had to change my password 3-4 times, somebody is accessing my e-mail and signing up for things, one that i know of so far. who is finding my passwords and not allowing me on unless i change it every time?
please help, i'm sick of it.

gp said...

You can't blame users for using the standard browser shipped with the OS. We should have some kind of a regulatory body that has the authority to fine companies for security vulnerabilities in their products. You can't just make people agree to a long list of terms and conditions and then not take responsibility for your incompetency.

Jon Carnes said...

Bob - you live in a dream world. Me telling you that won't change you though as you have massively consumed the MS kool-aid.
My company is 90% Unix/Linux and the users don't have any issues with the technology. Most of them don't even *know* they are running Linux.

Srk9 said...

gp, the answer here is for people to stop using Windows. Google should encourage people to use modern operating systems that have package managers like Ubuntu Linux.