Published: January 28, 2011-MS
^ But do you have it on your machines? Because of certain sites, I have to have it on my machine for work. I don't actively use it unless I'm using those sites... but still it's there...-wraith808 (February 01, 2011, 09:32 PM)
In a Web-based attack scenario, a Web site could contain a specially crafted link (MHTML:) that is used to exploit this vulnerability. An attacker would have to convince users to visit the Web site and open a specially crafted URL, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site, and then convincing them to click the specially crafted link.
From the MS Security Advisory (Mitigating Factors and Suggested Actions):In a Web-based attack scenario, a Web site could contain a specially crafted link (MHTML:) that is used to exploit this vulnerability. An attacker would have to convince users to visit the Web site and open a specially crafted URL, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker's Web site, and then convincing them to click the specially crafted link.So once again it's only those who blindly click away at anything that are (actually vulnerable) affected.Microsoft Security Advisory (2501696)-Stoic Joker (February 01, 2011, 11:01 PM)
My concern would be users of sites like Twitter, where shortened links are routinely used and you don't really know where they are going. Could one of these specially crafted links be shortened and then posted on Twitter with a catchy headline promising news about current events or other attractive content?-app103 (February 02, 2011, 03:58 AM)
My concern would be users of sites like Twitter, where shortened links are routinely used and you don't really know where they are going. Could one of these specially crafted links be shortened and then posted on Twitter with a catchy headline promising news about current events or other attractive content?-app103 (February 02, 2011, 03:58 AM)Now, that is an interesting question... While I'd be inclined to say no - exploit should have no effect if sent to the wrong page processor - I'm not entirely sure. But I've always had an aversion stubby links.-Stoic Joker (February 02, 2011, 06:50 AM)
My concern would be users of sites like Twitter, where shortened links are routinely used and you don't really know where they are going. Could one of these specially crafted links be shortened and then posted on Twitter with a catchy headline promising news about current events or other attractive content?-app103 (February 02, 2011, 03:58 AM)Now, that is an interesting question... While I'd be inclined to say no - exploit should have no effect if sent to the wrong page processor - I'm not entirely sure. But I've always had an aversion stubby links.-Stoic Joker (February 02, 2011, 06:50 AM)NPR had a talk with the head engineer (or some such title) at bit.ly. She said that there was inbuilt protection against this, using a combination of whitelists/blacklists and heuristics... if a link is questionable (it's not in either of these lists) it goes to a list to be manually checked... but they only have 20 people *total* so there is a window where a potentially malicious link is waiting to be checked and in the wild.-wraith808 (February 02, 2011, 12:38 PM)
