Microsoft KB 2501696 - MHTML Script Injection vulnerability
On January 28th 2011 Microsoft has released the Security Advisory 2501696 concerning a MHTML Script Injection vulnerability in Microsoft Internet Explorer. In context of this Security Advisory and respectively KB 2501696 Microsoft released a FixIt to address this issue preliminary to an official hotfix. According to Microsoft the only side effects they have encountered are script execution and ActiveX being disabled within MHT documents.
As Microsoft expects limited impacts in most environments due to the changes mentioned above, exploratory tests have shown no impact on Fabasoft Folio or the Fabasoft eGov-Suite. These tests have been performed using
- Fabasoft Folio 2010 Fall Release
- Fabasoft Folio 2010 Summer Release
- Fabasoft Folio 2010 Spring Release
- Fabasoft Folio 2009 Fall Release
- Fabasoft eGov-Suite 8.0 SP1
- Fabasoft eGov-Suite 8.0
- Fabasoft eGov-Suite 7.0 SP3
- Fabasoft eGov-Suite 7.0 SP2
In general Fabasoft Folio 2009 Fall Release (and higher) respectively Fabasoft eGov-Suite 8.0 (and higher) might not be affected as MHT is not used (e.g. for object-overviews) in these versions. As PDF-overviews are used instead we can't see an impact on these versions.
In contrast Fabasoft eGov-Suite 7.0 SP2 and SP3 used MHT e.g for file overviews and could be affected by this security enhancement by Microsoft. Nevertheless no impact could be found in our basic tests using file-overviews and file-documentations.
Please note that no comprehensive regression testing has been performed. This information is provide "as is" with no warranties. We suggest further testing in your environment if you are planning to deploy this security enhancement.