There is a vulnerability in Microsoft Internet Explorer that allows attackers to access and steal files on all versions of Windows. However, Microsoft does not intend to patch the vulnerability immediately.
Internet Explorer has been installed on all Windows systems since 1995. IE components (for instance, the display of help files) are integrated into the system in such a way that they cannot be removed. The current version, Internet Explorer 11, contains an XML External Entity (XXE) injection vulnerability. The vulnerability was discovered by security researcher John Page, who posted a short note about the vulnerability here.
XML External Entity Injection flaw
Internet Explorer is vulnerable to an XML External Entity attack when a user opens a specially crafted .MHT file locally. This could allow remote attackers to exfiltrate local files and carry out remote reconnaissance of locally installed software.
Page has outlined an example: A request from the .mht file for “c:\Python27\NEWS.txt” could return that program's version information to the attacker. If the file does not exist, the attacker knows that Python is not installed.
If files are downloaded from the Internet in a compressed archive and opened with certain archiving programs, the demo may not work as announced.
Typically, when users instantiate ActiveX objects such as Microsoft.XMLHTTP, they see a security warning bar in IE and are prompted to enable blocked content. However, when a specially crafted .MHT file with malicious <xml> markup tags is opened, the user does not receive such a message.
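A defender-side triage sketch for the markup described above, added here as an example (it is not John Page's proof of concept and not code from the original article): it parses an .MHT file as MIME with Python's email package, decodes each text part, and flags <xml> elements, DOCTYPE and external-entity declarations, and XMLHTTP references. The marker list, `scan_mht`, `build_sample` and the sample inputs are assumptions constructed for illustration; a hit is a heuristic reason to inspect the file, not proof of exploitation.

```python
import base64
import email
import re
from email import policy

# Heuristic markers for the markup the article describes: an <xml> element in an
# .MHT part that declares external entities or references an XMLHTTP object.
MARKERS = {
    "xml-element": re.compile(r"<\s*xml[\s>]", re.I),
    "doctype": re.compile(r"<!DOCTYPE", re.I),
    "external-entity": re.compile(r"<!ENTITY\s+[^>]*\b(SYSTEM|PUBLIC)\b", re.I),
    "xmlhttp": re.compile(r"XMLHTTP", re.I),
}

def scan_mht(raw: bytes) -> dict:
    """Map each text part (by Content-Location) to the marker names found in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for i, part in enumerate(msg.walk()):
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        # decode=True undoes base64 / quoted-printable, so markers hidden by the
        # transfer encoding (invisible to a plain grep of the file) are still seen.
        body = part.get_payload(decode=True) or b""
        text = body.decode(part.get_content_charset() or "utf-8", errors="replace")
        hits = sorted(name for name, rx in MARKERS.items() if rx.search(text))
        if hits:
            findings[str(part.get("Content-Location", f"part-{i}"))] = hits
    return findings

def build_sample(html: str) -> bytes:
    """Constructed single-part MHT wrapper around `html`, base64-encoded."""
    b64 = base64.encodebytes(html.encode()).decode()
    return (
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/related; boundary="b1"\r\n\r\n'
        "--b1\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "Content-Location: file:///sample.htm\r\n\r\n"
        f"{b64}\r\n--b1--\r\n"
    ).encode()

# Constructed, inert sample inputs (the path is a placeholder).
SUSPICIOUS = ('<html><body><xml><!DOCTYPE r [<!ENTITY e SYSTEM '
              '"file:///C:/placeholder.txt">]></xml></body></html>')
CLEAN = "<html><body><p>Saved page</p></body></html>"

if __name__ == "__main__":
    print(scan_mht(build_sample(SUSPICIOUS)), scan_mht(build_sample(CLEAN)))
```

Because the sample part is base64-encoded, the declaration never appears in the raw file bytes; only the decoded part reveals it, which is why the scan works on MIME parts rather than on the file as text.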
Proof-of-Concept – Microsoft intends to patch later
Page has successfully tested this against the latest Internet Explorer 11 with the latest security patches on Windows 7, Windows 10 and Server 2012 R2. On YouTube you can watch this video showing the attack. On the page here you can find more information and an example of a .MHT file.
The security researcher reported the so-called Information Disclosure Vulnerability to Microsoft on March 27, 2019. The vendor confirmed receipt of the report on the same day, March 27, 2019. On March 28, 2019, Microsoft opened a case to investigate the problem. On April 10, 2019 (one day after the April 2019 patchday), Page received the following feedback:
“We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case.”
Microsoft has therefore decided to fix this vulnerability in an upcoming update. Currently, the only way for administrators to close the vulnerability is to remove the .mht file type association with Internet Explorer. Thanks to blog reader Rudi for the tip. This article has some more information.