JVN#95019167 Internet Explorer vulnerable in handling MHTML protocol

2007-06-18T00:00:00
ID JVN:95019167
Type jvn
Reporter Japan Vulnerability Notes
Modified 2008-05-21T00:00:00

## Description

When Internet Explorer accesses a website using MHTML (MIME Encapsulation of Aggregate HTML), it processes the contents as MHTML data regardless of their actual content type, and it does not properly handle the Content-Disposition header field. As a result, the download dialog box may not be displayed when content is downloaded.
The MHTML protocol handler is included in the Outlook Express component, and Microsoft provides the fix for this component.

## Impact

An arbitrary script could be executed without explicit user consent, because the download dialog box is not displayed in the user's Internet Explorer.

## Solution

Update the Software
Apply the updates provided by the vendor.

For more information, refer to the vendor's website.

## Products Affected

Some versions of Outlook Express are affected because the vulnerability is contained in the Outlook Express component used by Internet Explorer.

  • Outlook Express 6
    Windows XP / Windows Server 2003
  • Windows Mail
    Windows Vista