Microsoft has released a new security advisory dealing with an information disclosure vulnerability in the MHTML (MIME Encapsulation of Aggregate HTML) protocol handler:
- The impact of an attack on the vulnerability would be similar to that of server-side cross-site-scripting (XSS) vulnerabilities. For instance, an attacker could construct an HTML link designed to trigger a malicious script and somehow convince the targeted user to click it. When the user clicked that link, the malicious script would run on the user’s computer for the rest of the current Internet Explorer session. Such a script might collect user information (eg., email), spoof content displayed in the browser, or otherwise interfere with the user’s experience.
Further details can be found at Microsoft TechNet Security Advisories.