Software giant Microsoft has confirmed that Internet Explorer users on all Windows XP, Vista and Windows 7 computers are vulnerable to having their personal data stolen via a new vulnerability in its still-popular web browser.

The security hole, known as MHTML script injection, allows hackers to use the protocol handler that enables MIME encapsulation of HTML pages to run scripts that can steal data from the user’s computer.

The company has said that although it knows about the security hole and how it could be used, it has not seen any examples “in the wild”.

“We’re aware of published information and proof-of-concept code that attempts to exploit this vulnerability, but we haven’t seen any indications of active exploitation,” said Microsoft’s Angela Gunn in a blog post.

Dave Ross and Chengyun Chu from Microsoft’s Security Research and Defense centre have said in a separate posting that because the fault is with Windows, it doesn’t matter which version of Internet Explorer is used. The fault affects all versions of Windows XP, Vista and Windows 7.

However, Microsoft does have a fix option available to close the security hole at http://support.microsoft.com/kb/2501696.

The fix locks down MHTML, and it also allows the lockdown to be undone. More details are available from Microsoft’s Knowledge Base.
