Windows 10 News and info | Forum
Author Topic: New Internet Explorer Zero-day exploit can get you even if you use Chrome
javajolt
« on: April 14, 2019, 03:49:03 PM »

A security researcher today published details and proof-of-concept code for an Internet Explorer zero-day that can allow hackers to steal files from Windows systems.

The vulnerability resides in the way Internet Explorer processes MHT files. MHT stands for MHTML Web Archive and is the default standard in which all IE browsers save web pages when a user hits the CTRL+S (Save web page) command.

Modern browsers don't save web pages in MHT format anymore, and use the standard HTML file format; however, many modern browsers still support processing the format.

AN XXE IN IE 11

Today, security researcher John Page published details about an XXE (XML eXternal Entity) vulnerability in IE that can be exploited when a user opens an MHT file.

"This can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information," Page said. "Example, a request for 'c:\Python27\NEWS.txt' can return version information for that program."

Because on Windows all MHT files are automatically set to open by default in Internet Explorer, exploiting this vulnerability is trivial, as users only need to double-click on a file they received via email, instant messaging, or another vector.

Page said the actual vulnerable code relies on how Internet Explorer deals with CTRL+K (duplicate tab), "Print Preview," or "Print" user commands.

This normally requires some user interaction, but Page said the interaction can be automated, so it is not needed to trigger the exploit chain.

"A simple call to the window.print() Javascript function should do the trick without requiring any user interaction with the webpage," he said.

Furthermore, Internet Explorer's security alert system can also be disabled.

"Typically, when instantiating ActiveX Objects like 'Microsoft.XMLHTTP' users will get a security warning bar in IE and be prompted to activate blocked content," the researcher said. "However, when opening a specially crafted .MHT file using malicious <xml> markup tags the user will get no such active content or security bar warnings."

EXPLOIT WORKS ON WINDOWS 7, 10, SERVER 2012 R2

Page said he successfully tested the exploit in the latest Internet Explorer Browser v11 with all the recent security patches on Windows 7, Windows 10, and Windows Server 2012 R2 systems.

Probably the only good news about this vulnerability disclosure is the fact that Internet Explorer's once dominating market share has now shrunk to a meager 7.34 percent, according to NetMarketShare, meaning the browser is seldom used.

But, as Windows uses IE as the default app to open MHT files, users don't necessarily have to have IE set as their default browser, and are still vulnerable as long as IE is still present on their systems, and they're tricked into opening an MHT file.

MICROSOFT WAS NOTIFIED BUT DECLINED TO PATCH

Page said he notified Microsoft about this new IE vulnerability on March 27, but the vendor declined to consider the bug for an urgent security fix in a message sent to the researcher yesterday, April 10.

"We determined that a fix for this issue will be considered in a future version of this product or service," Microsoft said, according to Page. "At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case."

Following Microsoft's firm response, the researcher released details about the zero-day on his site, along with proof-of-concept code and a YouTube demo.



This vulnerability should not be taken lightly, despite Microsoft's response. Cybercrime groups have exploited MHT files for spear-phishing and malware distribution in previous years, and MHT files have been a popular way to package and deliver exploits to users' computers.

Because they can store malicious code, all MHT files should always be scanned before opening, regardless of whether the file was recently received or has been sitting on your PC for months.

source
« Last Edit: April 14, 2019, 04:01:52 PM by javajolt »
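As an added example (not part of the original post or the researcher's code), here is one way to triage an MHT file before opening it, using the behaviours the article names as heuristics. The indicator patterns, the `scan_mht`, `verdict` and `build_sample` names, and the sample bodies are all assumptions constructed for illustration.

```python
import base64
import email
import re
from email import policy

# Heuristic indicators for the behaviours the article names (assumed patterns).
INDICATORS = {
    "xml_island": re.compile(r"<\s*xml\b", re.I),
    "external_entity": re.compile(r"<!ENTITY\s+%?\s*\w+\s+(SYSTEM|PUBLIC)\b", re.I),
    "auto_print": re.compile(r"window\s*\.\s*print\s*\(", re.I),
    "xmlhttp_activex": re.compile(r"Microsoft\.XMLHTTP", re.I),
}

def scan_mht(raw: bytes) -> dict:
    """Return {indicator: [Content-Location of each part that matched]}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64 / quoted-printable, which a raw grep would miss
        payload = part.get_payload(decode=True) or b""
        text = payload.decode("latin-1")  # lossless for the ASCII patterns above
        where = str(part.get("Content-Location", "(none)"))
        for name, rx in INDICATORS.items():
            if rx.search(text):
                hits.setdefault(name, []).append(where)
    return hits

def verdict(hits: dict) -> str:
    # External entity + automatic print is the combination the article describes;
    # any single indicator only warrants manual review.
    if "external_entity" in hits and "auto_print" in hits:
        return "block"
    return "review" if hits else "clean"

def build_sample(body: str) -> bytes:
    """Constructed MHT wrapper for testing; not a real capture."""
    b64 = base64.encodebytes(body.encode()).decode()
    return ("MIME-Version: 1.0\r\n"
            'Content-Type: multipart/related; boundary="b1"\r\n\r\n'
            "--b1\r\nContent-Type: text/html\r\n"
            "Content-Transfer-Encoding: base64\r\n"
            "Content-Location: file:///C:/sample.htm\r\n\r\n"
            f"{b64}\r\n--b1--\r\n").encode()

# Constructed, inert bodies: the entity URL is a placeholder and nothing is read.
FLAGGED = ('<html><xml><!DOCTYPE r [<!ENTITY % e SYSTEM "http://placeholder.invalid/e.dtd">]>'
           "</xml><script>window.print();</script></html>")
BENIGN = "<html><body><p>Saved page</p></body></html>"
```

Because MHT is a MIME container, the scanner decodes each part before matching; the base64-encoded sample shows why searching the raw file bytes is not enough.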