What Microsoft didn't say about the latest Windows zero day flaw

On Friday Microsoft issued a Security Advisory warning about a previously unreported hole in the way all versions of Windows handle MHTML. Here's the rest of the story

Microsoft's Security Advisory 2501696 warns about a zero-day security breach in "all supported versions of Microsoft Windows." The affected software, per Microsoft's advisory, includes XP SP3, Vista, 32- and 64-bit versions of Windows 7, and Windows Server 2003 SP2 and 2008 SP2. But Microsoft fails to mention that only IE users -- including users of the latest IE 9 beta -- are vulnerable.

The problem lies in the way MHTML files get processed. MHTML is a file format Microsoft invented more than a decade ago that is designed to smash together disparate pieces of a Web page -- HTML, of course, but also Java applets, Flash files, and other multimedia content. The idea is to establish a kitchen-sink format so that you can save a Web page, with all of its pieces, in one file. Although MHTML has been published as an RFC-proposed standard, the format never took off. This particular zero day lets a jiggered MHTML file take over your computer if you click on a link to that file.

What Microsoft didn't make very clear is that the security hole can only be triggered through Internet Explorer. Firefox, Chrome, and Safari are quite safe because they don't support MHTML. They never have. While the buggy MHTML rendering pieces may sit inside Windows, you can only get bit by using IE. Any version of IE, no less, including the latest beta versions (and rumored Release Candidate) of Internet Explorer 9.

Of course, Microsoft doesn't want to cast aspersions on its latest browser. So Windows takes the fall.

In a masterpiece of Microsoft wordsmithing, we're told, "Internet Explorer is an attack vector, but because this is a Windows vulnerability, the version of IE is not relevant." Thus, IE isn't to blame. The dirty deed is done by Windows. Never mind that IE is the only attack vector, and that opening a contaminated MHTML file will allow IE to infect any default installation of Windows.

There's a Fixit available in KB article 2501696 that basically turns off MHTML.

Bottom line: Microsoft is trying to make this look like a hole in Windows. Literally, that's true, it is a hole in Windows. But the vulnerability comes about because of a defect in Internet Explorer, brought about by a design decision -- the MHTML format -- that Microsoft made long ago, and no other vendors have followed.

Using similar logic, Microsoft could claim that the enormous crop of ActiveX vulnerabilities we've slogged through over the past decade were all Windows fault, because the corrupt controls run under Windows. Internet Explorer was merely an attack vector, you see -- not the villain but the victim. Nothing like a little bit of revisionist history to prepare us for the release of IE 9, eh?

This article, "What Microsoft didn't say about the latest Windows zero day flaw," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest business technology news, follow InfoWorld.com on Twitter.

Copyright © 2011 IDG Communications, Inc.