Microsoft KB 2501696 - MHTML Script Injection vulnerability

Last update: 4 August 2017

Microsoft KB 2501696 - MHTML Script Injection vulnerability

Information

On January 28th 2011 Microsoft has released the  Security Advisory 2501696 concerning a MHTML Script Injection vulnerability in Microsoft Internet Explorer. In context of this Security Advisory and respectively  KB 2501696  Microsoft released a FixIt to address this issue preliminary to an official hotfix. According to Microsoft the only side effects they have encountered are script execution and ActiveX being disabled within MHT documents.

As Microsoft expects limited impacts in most environments due to the changes mentioned above, exploratory tests have shown no impact on Fabasoft Folio or the Fabasoft eGov-Suite. These tests have been performed using

  • Fabasoft Folio 2010 Fall Release
  • Fabasoft Folio 2010 Summer Release
  • Fabasoft Folio 2010 Spring Release
  • Fabasoft Folio 2009 Fall Release
  • Fabasoft eGov-Suite 8.0 SP1
  • Fabasoft eGov-Suite 8.0
  • Fabasoft eGov-Suite 7.0 SP3
  • Fabasoft eGov-Suite 7.0 SP2

In general Fabasoft Folio 2009 Fall Release (and higher) respectively Fabasoft eGov-Suite 8.0 (and higher) might not be affected as MHT is not used (e.g. for object-overviews) in these versions. As PDF-overviews are used instead we can't see an impact on these versions.

In contrast Fabasoft eGov-Suite 7.0 SP2 and SP3 used MHT e.g for file overviews and could be affected by this security enhancement by Microsoft. Nevertheless no impact could be found in our basic tests using file-overviews and file-documentations.

Please note that no comprehensive regression testing has been performed. This information is provide "as is" with no warranties. We suggest further testing in your environment if you are planning to deploy this security enhancement.