
JVNDB-2007-000446

Internet Explorer vulnerable in MHTML handling

Overview

Internet Explorer contains a vulnerability in its handling of the MHTML (MIME Encapsulation of Aggregate HTML) protocol that allows arbitrary script execution.

When Internet Explorer accesses a website through the MHTML protocol, it processes the content as MHTML data and ignores the actual content type.
This behavior may result in the execution of scripts embedded in the content.
The MHTML protocol handler is included in the Outlook Express component, and Microsoft provides the fix for this vulnerability as an update to that component.

CVSS Severity

CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

Microsoft Corporation
  • Microsoft Outlook Express 6
  • Microsoft Windows Mail
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 (Itanium)
  • Microsoft Windows Server 2003 (x64)
  • Microsoft Windows Vista
  • Microsoft Windows Vista (x64)
  • Microsoft Windows XP SP3
  • Microsoft Windows XP (x64)

Impact

An arbitrary script may be executed in the user's web browser.

Solution

[Update the Software]

Apply the latest updates provided by the vendor.

Vendor Information

Microsoft Corporation
  • Microsoft Security Bulletin : MS07-034

CWE

CVE

  1. CVE-2007-2225

References

  1. JVN : JVNTA07-163A (Japanese)
  2. JVN : JVN#27203006
  3. JVN Status Tracking Notes : TRTA07-163A (Japanese)
  4. National Vulnerability Database (NVD) : CVE-2007-2225
  5. US-CERT Cyber Security Alerts : SA07-163A
  6. US-CERT Vulnerability Note : VU#682825
  7. US-CERT Technical Cyber Security Alert : TA07-163A
  8. Secunia Advisory : SA25639
  9. SecurityFocus : 24392
  10. FrSIRT Advisories : FrSIRT/ADV-2007-2154

Revision History

  • [2008/05/21]
      Web page published