On Friday, April 12, information security specialist John Page published information about an unpatched vulnerability in the current version of Internet Explorer, and also demonstrated its implementation. The vulnerability could potentially allow an attacker to obtain the contents of local files on Windows users, bypassing browser security.
The vulnerability lies in the way Internet Explorer handles MHTML files, typically with the .mht or .mhtml extension. This format is used by Internet Explorer by default for saving web pages, and allows you to save the entire content of the page, along with all media content, as a single file. At the moment, most modern browsers no longer save web pages in the MHT format and use the standard WEB format for this - HTML, however, they still support processing files in this format, and can also use it to save with the appropriate settings or using extensions.
The vulnerability discovered by John belongs to the XXE (XML eXternal Entity) class of vulnerabilities and consists in a misconfiguration of the XML code handler in Internet Explorer. “This vulnerability allows a remote attacker to gain access to a user's local files and, for example, extract information about the version of the software installed on the system,” says Page. "So a query for 'c:Python27NEWS.txt' will return the version of this program (Python interpreter in this case)."
Since on Windows all MHT files open in Internet Explorer by default, exploiting this vulnerability is a trivial task, since the user only needs to double-click on a dangerous file received via email, social networks or instant messengers.
"Typically, when instantiating an ActiveX object such as Microsoft.XMLHTTP, the user will receive a security warning in Internet Explorer that will ask for confirmation to activate blocked content," explains the researcher. “However, when opening a pre-prepared .mht file using specially designed markup tags the user will not be warned about potentially dangerous content."
Page said he successfully tested the vulnerability in the current version of Internet Explorer 11 with all the latest security updates on Windows 7, Windows 10, and Windows Server 2012 R2.
Probably the only good news in making this vulnerability public is the fact that Internet Explorer's once-dominant market share has now dwindled to a mere 7,34%, according to NetMarketShare. But because Windows uses Internet Explorer as its default application to open MHT files, users don't have to set IE as their default browser and are still vulnerable as long as IE is still present on their systems and they don't pay attention to the format of downloaded files. online files.
Back on March 27, John notified Microsoft about this vulnerability in their browser, but on April 10, the researcher received a response from the company, where she indicated that she did not consider this problem critical.
"The fix will only be released with the next version of the product," Microsoft said in the letter. "We don't plan to release a fix for this problem at this time."
After an unequivocal reaction from Microsoft, the researcher posted details about the zero-day vulnerability on his website, as well as demo code and a YouTube video.
Although the vulnerability is not as straightforward to implement and would require the user to be somehow forced to run an unknown MHT file, this vulnerability should not be taken lightly, despite the lack of response from Microsoft. Hacker gangs have used MHT files for phishing and malware in the past, and there is nothing stopping them from doing so now.
However, in order to avoid this and many similar vulnerabilities, it is enough just to pay attention to the extension of the files that you receive from the Internet and check them with an antivirus or on the VirusTotal website. And for added security, simply set your favorite non-Internet Explorer browser as the default application for your .mht or .mhtml files. For example, in windows 10, this is done quite easily in the "Select standard applications for file types" menu.
Source: 3dnews.ru