A security researcher has published today details and proof-of-concept code for an Internet Explorer zero-day that can allow hackers to steal files from Windows systems.
The vulnerability resides in the way Internet Explorer processes MHT files. MHT stands for MHTML Web Archive and is the default standard in which all IE browsers save web pages when a user hits the CTRL+S (Save web page) command.
Modern browsers don't save web pages in MHT format anymore, and use the standard HTML file format; however, many modern browsers still support processing the format.
An XXE in IE 11
Today, security researcher John Page published details about an XXE (XML eXternal Entity) vulnerability in IE that can be exploited when a user opens an MHT file.
"This can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed
Program version information," Page said. "Example, a request for 'c:\Python27\NEWS.txt' can return version information for that program."
Because on Windows all MHT files are automatically set to open by default in Internet Explorer, exploiting this vulnerability is trivial, as users only need to double-click on a file they received via email, instant messaging, or another vector.
Page said the actual vulnerable code relies on how Internet Explorer deals with CTRL+K (duplicate tab), "Print Preview," or "Print" user commands.
This normally requires some user interaction, but Page said this interaction could be automated and not needed to trigger the vulnerability exploit chain.
Furthermore, Internet Explorer's security alert system can also be disabled.
"Typically, when instantiating ActiveX Objects like 'Microsoft.XMLHTTP' users will get a security warning bar in IE and be prompted to activate blocked content," the researcher said. "However, when opening a specially crafted .MHT file using malicious < xml > markup tags the user will get no such
active content or security bar warnings."
Exploit works on Windows 7, 10, Server 2012 R2
Page said he successfully tested the exploit in the latest Internet Explorer Browser v11 with all the recent security patches on Windows 7, Windows 10, and Windows Server 2012 R2 systems.
Probably the only good news about this vulnerability disclosure is the fact that Internet Explorer's once dominating market share has now shrunk to a meager 7.34 percent, according to NetMarketShare, meaning the browser is seldom used.
But, as Windows uses IE as the default app to open MHT files, users don't necessarily have to have IE set as their default browser, and are still vulnerable as long as IE is still present on their systems, and they're tricked into opening an MHT file.
Microsoft was notified but declined to patch
Page said he notified Microsoft about this new IE vulnerability on March 27, but the vendor declined to consider the bug for an urgent security fix in a message sent to the researcher yesterday, April 10.
"We determined that a fix for this issue will be considered in a future version of this product or service," Microsoft said, according to Page. "At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case."
Following Microsoft's firm response, the researcher released details about the zero-day on his site, along with proof-of-concept code and a YouTube demo.
This vulnerability should not be taken lightly, despite Microsoft's response. Cybercrime groups have exploited MHT files for spear-phishing and malware distribution in previous years, and MHT files have been a popular way to package and deliver exploits to users' computers.
Because they can store malicious code, all MHT files should always be scanned before opening, regardless of if the file was recently received, or it's been standing there on your PC for months.
More vulnerability reports:
- Dragonblood vulnerabilities disclosed in WiFi WPA3 standard
- Tens of thousands of cars were left exposed to thieves due to a hardcoded password
- Adobe patch update squashes critical code execution bugs
- Backdoor code found in popular Bootstrap-Sass Ruby library
- Microsoft's April Patch Tuesday comes with fixes for two Windows zero-days
- Some enterprise VPN apps store authentication/session cookies insecurely
- KRACK attack: Here's how companies are responding CNET
- Top 10 app vulnerabilities: Unpatched plugins and extensions dominate TechRepublic