Internet Explorer vulnerable in MHTML handling


Internet Explorer contains a vulnerability in its handling of the MHTML (MIME Encapsulation of Aggregate HTML) protocol that allows arbitrary script execution.

When Internet Explorer accesses a website through the MHTML protocol, it processes the content as MHTML data and ignores the content's actual content type.
As a result, scripts embedded in the content may be executed.
The MHTML protocol handler is part of the Outlook Express component, and Microsoft provides the fix for this vulnerability for that component.
CVSS Severity

CVSS V2 Severity:
Base Metrics 2.6 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
Affected Products

Microsoft Corporation
  • Microsoft Outlook Express 6
  • Microsoft Windows Mail
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 (Itanium)
  • Microsoft Windows Server 2003 (x64)
  • Microsoft Windows Vista
  • Microsoft Windows Vista (x64)
  • Microsoft Windows XP SP3
  • Microsoft Windows XP (x64)


An arbitrary script may be executed in the user's web browser.

[Update the Software]

Apply the latest updates provided by the vendor.
Vendor Information

Microsoft Corporation
  • Microsoft Security Bulletin : MS07-034
CWE

CVE

  1. CVE-2007-2225

  1. JVN : JVNTA07-163A (Japanese)
  2. JVN : JVN#27203006
  3. JVN Status Tracking Notes : TRTA07-163A (Japanese)
  4. National Vulnerability Database (NVD) : CVE-2007-2225
  5. US-CERT Cyber Security Alerts : SA07-163A
  6. US-CERT Vulnerability Note : VU#682825
  7. US-CERT Technical Cyber Security Alert : TA07-163A
  8. Secunia Advisory : SA25639
  9. SecurityFocus : 24392
  10. FrSIRT Advisories : FrSIRT/ADV-2007-2154
Revision History

  • [2008/05/21]
      Web page published