0-day vulnerability in IE 11 allows attackers to steal files

[German] There is a vulnerability in Microsoft Internet Explorer that allows attackers to access and steal files on all versions of Windows. However, Microsoft does not intend to patch the vulnerability immediately.


Internet Explorer has been installed on all Windows systems since 1995. IE components (the display of help files, for instance) are integrated into the system in such a way that they cannot be removed. The current version, Internet Explorer 11, contains an XML External Entity Injection vulnerability. The vulnerability was discovered by security researcher John Page, who posted a short note about it here.

XML External Entity Injection flaw

Internet Explorer is vulnerable to an attack via XML External Entity elements when a user opens a specially crafted .MHT file locally. This could allow remote attackers to exfiltrate local files and to perform reconnaissance on locally installed programs.

Page gives an example: if the .mht file requests "c:\Python27\NEWS.txt", the contents of that .txt file, which reveal the installed version of Python, are returned to the attacker. If the file does not exist, the attacker knows that Python is not installed.

When a malicious ".MHT" file is opened locally, Internet Explorer is started (this is still the case even on Windows 10, since the .mht file type is assigned to IE 11). In the example, the .mht file simulates user interaction after IE 11 has opened it: the embedded entities trigger "Ctrl+K" commands, which open two tabs in the browser. Other interactions, such as right-clicking on the web page and selecting "Print Preview" or "Print", can also trigger the XXE vulnerability. Alternatively, a simple call to the JavaScript function window.print() is sufficient to print a web page for demonstration purposes without any user interaction.

If the files are downloaded from the Internet in a compressed archive and extracted with certain archiving programs, the demo may not work as described.

Typically, when users instantiate ActiveX objects such as Microsoft.XMLHTTP, they see a security warning bar in IE and are prompted to enable the blocked content. However, when a specially crafted .MHT file containing malicious <xml> markup tags is opened, the user receives no such warning.


Proof-of-Concept – Microsoft intends to patch later

Page successfully tested this with the latest Internet Explorer 11, including the latest security patches, on Windows 7/10 and Server 2012 R2. A video on YouTube shows the attack. The page here provides more information and a sample .MHT file.

The security researcher reported the so-called Information Disclosure Vulnerability to Microsoft on March 27, 2019, and the vendor confirmed receipt of the submission on the same day. On March 28, 2019, Microsoft opened a case to investigate the problem. On April 10, 2019 (one day after the April 2019 patchday), Page received the following feedback:

"We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case."

Microsoft has therefore decided to fix this vulnerability only in an upcoming update. Currently, administrators who want to close the vulnerability can only remove the association of the .mht file type with Internet Explorer. Thanks to blog reader Rudi for the tip. This article has some more information.
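As an added illustration of that workaround (this script is not part of the original article or of Page's advisory), the following PowerShell audits which handler is registered for .mht and .mhtml on a Windows machine and reports whether it still resolves to Internet Explorer; with the -Remove switch it clears the machine-wide association. It assumes the standard file-association registry locations and, for the removal step, an elevated prompt.

```powershell
<#
  Added example: audit (and optionally remove) the .mht/.mhtml file association.
  Assumptions: standard Windows association locations in HKCR and per-user
  FileExts; -Remove uses "assoc <ext>=" and needs an elevated prompt.
#>
param(
    [switch]$Remove   # clear the machine-wide association instead of only reporting it
)

$extensions = '.mht', '.mhtml'

foreach ($ext in $extensions) {
    # Machine-wide ProgID for the extension (e.g. "mhtmlfile" when IE owns it)
    $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" `
        -ErrorAction SilentlyContinue).'(default)'

    # Per-user override chosen via "Open with" / Default Apps, if one exists
    $userChoicePath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
    $userChoice = (Get-ItemProperty -Path $userChoicePath -ErrorAction SilentlyContinue).ProgId

    # The per-user choice wins over the machine-wide ProgID
    $effective = if ($userChoice) { $userChoice } else { $progId }

    # Resolve the open command registered for the effective ProgID
    $command = $null
    if ($effective) {
        $command = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$effective\shell\open\command" `
            -ErrorAction SilentlyContinue).'(default)'
    }

    [pscustomobject]@{
        Extension     = $ext
        MachineProgId = $progId
        UserProgId    = $userChoice
        OpenCommand   = $command
        HandledByIE   = [bool]($command -match 'iexplore\.exe')
    }

    if ($Remove -and $progId) {
        # "assoc .ext=" with an empty right-hand side deletes the machine-wide association
        cmd.exe /c "assoc $ext="
        Write-Host "Removed machine-wide association for $ext (was $progId)."
    }
}
```

A per-user UserChoice entry is not touched by -Remove; it has to be reset through the Default Apps settings of the affected user.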
