Microsoft on Friday warned that all Windows desktops and servers were vulnerable to a script-handling flaw that could allow an attacker to spoof information displayed in a browser.
The disclosure was made in response to a proof-of-concept published on the internet, which uncovered problems in the way Windows handles MIME-formatted requests.
Maliciously-crafted script that runs on the client side could “spoof content, disclose information, or take any action that the user could take on the affected Web site on behalf of the targeted user,” Microsoft warned.
“The impact is the same as a server-side cross-site scripting issue, but the vulnerability lies in the client,” Microsoft explained.
All Windows-run web services that interact with users via input fields are vulnerable, according to Microsoft.
While Redmond has identified a relatively simple client-side work-around, the temporary fix for servers is more complicated, prompting Microsoft to call in Google and other service providers to help solve the problem.
In the absence of a patch or a server-side work-around, Microsoft advised web site operators to tell customers to lock down the MHTML protocol handler.
More information can be found here.