CVE-2011-0096
Published 2011-01-31
Priority: P2 · 79 · medium · CVSS 3.1: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 46.82% (98.7th percentile)
The MHTML protocol handler in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly handle a MIME format in a request for content blocks in a document, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site that is visited in Internet Explorer, aka "MHTML Mime-Formatted Request Vulnerability."
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
Detection & IOCs (extracted from sources)
- Detect MHTML protocol handler abuse by monitoring for URLs or iframe src attributes beginning with 'mhtml:' in HTTP traffic or HTML content, which is the attack vector for this XSS vulnerability.
- Detect MHTML MIME boundary injection by looking for HTTP responses or uploaded files containing 'Content-Type: multipart/related; boundary=' combined with 'Content-Location:' and 'Content-Transfer-Encoding:base64' headers embedded in non-MIME content types (e.g., image files, JSON).
- Detect bypass of upload file format restrictions by inspecting files with image extensions (e.g., .jpg) for embedded MHTML MIME multipart headers, as attackers combine binary files with MHTML content using 'copy /b 1.jpg + 1.mhtml 2.jpg'.
- Detect X-Frame-Options bypass attempts where the mhtml: protocol is used as an iframe src, since X-Frame-Options does not protect the mhtml protocol handler.
- Monitor for MHTML injection in JSON responses: attackers may inject MHTML MIME headers into JSON files to bypass Content-Type restrictions intended to prevent XSS.
- Publicly available exploit code exists for CVE-2011-0096; monitor for exploitation attempts even though targeted attacks had not been observed in the wild at time of disclosure.
- Double URL-encoding is required for exploitation on Windows XP and Windows Server 2003 systems, whereas single encoding is used on Windows 7.
- The 'Microsoft Word JavaScript execution' attack chain (scenario 5/6) only works on Office 2003 and Office 2007; other versions require a different delivery method.
- The Cross Zone Scripting variant (scenario 6) using MHTML + file://uncpath + Word was tested and confirmed on IE6/IE7/IE8 running on Windows 2000, Windows XP, and Windows Server 2003.
- No patch was available at time of initial disclosure; Microsoft issued only a security advisory with recommended workarounds, and the patch availability timeline was unknown.
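
The header-combination and 'mhtml:' checks from the detection notes above, written as an inspection routine for upload or response bodies. This is an added example, not code from the page's sources: the function names, finding labels and sample bodies are constructed, and alerting on the multipart header plus at least one part header is an assumption chosen to limit noise.

```python
import re

# Header patterns named in the detection notes. Whitespace after ':' is optional
# because the notes quote 'Content-Transfer-Encoding:base64' without a space.
MARKERS = {
    "multipart": re.compile(rb"content-type:\s*multipart/related;\s*boundary=", re.I),
    "location": re.compile(rb"content-location:", re.I),
    "base64": re.compile(rb"content-transfer-encoding:\s*base64", re.I),
}
# Declared types where MIME multipart headers are expected, so not a finding.
MIME_TYPES = ("multipart/", "message/rfc822")
# src/href attributes that invoke the mhtml: handler (quoted or unquoted).
MHTML_ATTR = re.compile(rb"""(?:src|href)\s*=\s*["']?\s*mhtml:""", re.I)


def mhtml_markers(body: bytes) -> set:
    """Return the names of the MHTML header markers found anywhere in body."""
    return {name for name, rx in MARKERS.items() if rx.search(body)}


def inspect(declared_type: str, body: bytes) -> list:
    """Return findings for one uploaded file or HTTP response body."""
    findings = []
    declared = declared_type.lower()
    if not declared.startswith(MIME_TYPES):
        found = mhtml_markers(body)
        # Assumption: require the multipart header plus one part header;
        # a single marker on its own is too common to alert on.
        if "multipart" in found and len(found) >= 2:
            findings.append("mhtml-headers-in-" + declared.split(";")[0].strip())
    if MHTML_ATTR.search(body):
        findings.append("mhtml-url-in-markup")
    return findings


# Constructed samples (not captured traffic); the embedded part is the text "hello".
POLYGLOT_JPG = (b"\xff\xd8\xff\xe0" + b"\x00" * 16 +
                b'\r\nContent-Type: multipart/related; boundary="_x"\r\n\r\n--_x\r\n'
                b"Content-Location:part\r\nContent-Transfer-Encoding:base64\r\n\r\n"
                b"aGVsbG8=\r\n--_x--\r\n")
CLEAN_JPG = b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9"
JSON_BODY = b'{"note": "Content-Type: multipart/related; boundary=x\\r\\nContent-Location:a"}'
FRAME_HTML = b'<iframe src="mhtml:http://example.test/x"></iframe>'

if __name__ == "__main__":
    for ctype, body in [("image/jpeg", POLYGLOT_JPG), ("image/jpeg", CLEAN_JPG),
                        ("application/json", JSON_BODY), ("text/html", FRAME_HTML)]:
        print(ctype, inspect(ctype, body))
```

The scan covers the whole body rather than only its first bytes, because content appended to a valid image leaves the image's magic number intact.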
CVSS provenance
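| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vulncheck | | 6.1 | MEDIUM | |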
GHSA
GHSA-c68r-4jrw-42vq
ghsa_unreviewed · 2022-05-14
CVE-2011-0096 [MEDIUM] CWE-79
VulnCheck
Microsoft Windows Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2011·CVSS 6.1
CVE-2011-0096 [MEDIUM] Microsoft Windows Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://learn.microso
No detection rules found.
Krebs
In a Zero-Day World, It’s Active Attacks that Matter – Krebs on Security
blogs_krebs·2012-10-01
The recent zero-day vulnerability in Internet Explorer caused many (present company included) to urge Internet users to consider surfing the Web with a different browser until Microsoft issued a patch. Microsoft did so last month, but not before experts who ought to have known better began downplaying such advice, pointing out that other browser makers have more vulnerabilities and just as much exposure to zero-day flaws.
This post examines hard data that shows why such reasoning is more emotional than factual. Unlike Google Chrome and Mozilla Firefox users, IE users were exposed to active attacks against unpatched, critical vulnerabilities for months at a time over the past year and a half.
Attackers exploited zero-day holes in Internet Explorer for at least 89 days over the past 19 mon
Zscaler
Zscaler found Multiple Security Vulnerabilities | 01-28-2011
blogs_zscaler
Zscaler
Zscaler found Multiple Security Vulnerabilities | 04-12-2011
blogs_zscaler·CVSS 9.3
[CRITICAL] Zscaler found Multiple Security Vulnerabilities | 04-12-2011
References
- http://blogs.technet.com/b/msrc/archive/2011/01/28/microsoft-releases-security-advisory-2501696.aspx
- http://blogs.technet.com/b/srd/archive/2011/01/28/more-information-about-the-mhtml-script-injection-vulnerability.aspx
- http://osvdb.org/70693
- http://secunia.com/advisories/43093
- http://www.80vul.com/webzine_0x05/0x05%20IE%E4%B8%8BMHTML%E5%8D%8F%E8%AE%AE%E5%B8%A6%E6%9D%A5%E7%9A%84%E8%B7%A8%E5%9F%9F%E5%8D%B1%E5%AE%B3.html
- http://www.exploit-db.com/exploits/16071
- http://www.kb.cert.org/vuls/id/326549
- http://www.microsoft.com/technet/security/advisory/2501696.mspx
- http://www.securityfocus.com/bid/46055
- http://www.securitytracker.com/id?1025003
- http://www.us-cert.gov/cas/techalerts/TA11-102A.html
- http://www.vupen.com/english/advisories/2011/0242
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-026
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65000
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6956