Microsoft warns of cross-site scripting in Windows
A security advisory from Microsoft warns of a Windows vulnerability which allows scripts to be injected into apparently trusted websites. It is reportedly caused by a bug in the MHTML handler in all currently supported Windows versions (Windows XP to Windows 7, including the corresponding server versions). The bug is in a Windows DLL. Of the common browsers, only Internet Explorer makes use of the affected DLL to display MHTML. Locally saved MHTML files (extension .mht or .mhtml) are, however, opened by default using Internet Explorer.
MHTML, short for MIME (Multipurpose Internet Mail Extensions) HTML, is a web page archive format that combines the resources of a web page into a single file. A script executed by exploiting this vulnerability would run in Internet Explorer in the security context defined for the user and an attacker-specified website. With those privileges, such a script could modify the content of the specified site, emulate user data entry or eavesdrop on user data entered on the website.
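Because an MHTML archive is a MIME multipart/related message, a saved .mht file can be inspected without opening it in Internet Explorer. The following added example (not from the advisory or the Microsoft blog post) parses an archive with Python's standard `email` module and flags parts that carry script; the sample archive, the `inspect_mhtml` name and the marker list are assumptions made for illustration.

```python
import email
import re
from email import policy

# Constructed sample archive: one HTML part (quoted-printable) and one image part.
SAMPLE_MHT = b"""Subject: Constructed sample page
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="----=_Sample_Boundary"

------=_Sample_Boundary
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://example.test/index.html

<html><body onload=3D"init()"><script>var a =3D 1;</script></body></html>
------=_Sample_Boundary
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Location: http://example.test/pixel.gif

R0lGODlhAQABAAAAACw=
------=_Sample_Boundary--
"""

# Heuristic markers of active content; an assumption of this example, not a complete list.
SCRIPT_RE = re.compile(rb"<script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)
MARKUP_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}
SCRIPT_TYPES = {"text/javascript", "application/javascript", "application/x-javascript"}

def inspect_mhtml(raw: bytes) -> list[dict]:
    """List each part of an MHTML archive and flag parts that carry script."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/related":
        raise ValueError("not an MHTML (multipart/related) archive")
    report = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container only; its children are visited by walk()
        ctype = part.get_content_type()
        body = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        script = ctype in SCRIPT_TYPES or (
            ctype in MARKUP_TYPES and SCRIPT_RE.search(body) is not None)
        report.append({"location": str(part["Content-Location"] or ""),
                       "type": ctype, "size": len(body), "script": script})
    return report

if __name__ == "__main__":
    for entry in inspect_mhtml(SAMPLE_MHT):
        print(entry)
```

Decoding each part before matching matters: in the sample the `onload=` attribute is stored as `onload=3D` and would be missed by a scan of the raw file.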
A blog post by Dave Ross and Chengyun Chu from Microsoft's security team explains how to test a system for the vulnerability, how to apply a workaround which locks down network protocols, and how to temporarily reactivate scripting and ActiveX for trusted MHTML files. There are also a number of further Windows and IE vulnerabilities that are already being exploited, for which Microsoft has released workarounds but no fix.