Microsoft has declined to patch a zero-day vulnerability in Internet Explorer for which a security researcher published details and proof-of-concept. The flaw can allow attackers to steal files from computers running Windows.
More specifically, the researcher successfully tested the zero-day exploit in the latest version of Internet Explorer, v11, with all recent security patches applied. The exploit was tested on Windows 7, Windows 10, and Windows Server 2012 R2.
Zero-Day Exploit in Internet Explorer
Security researcher John Page just published details about an XXE (XML External Entity) flaw in Internet Explorer. The bug can be triggered when a user opens an MHT file.
What is an MHT file? MHT is a Web page archive file format. The archived Web page is an MHTML (short for MIME HTML) document. MHTML saves the Web page content and incorporates external resources, such as images, applets, Flash animations and so on, into HTML documents, TechTarget explains.
Note that when you save a web page in Internet Explorer as a web archive, the page is saved as an MHT file. Any relative links in the HTML (which don’t include all information about the location of the content but assume all content is in a directory on the host server) will be remapped so the content can be located.
The recently discovered zero-day in IE can enable attackers to exfiltrate local files and conduct remote reconnaissance on locally installed program version information, the researcher explained. For example, a request for ‘c:\Python27\NEWS.txt’ can return version information for that program, he added. In a nutshell, “Internet Explorer is vulnerable to XML External Entity attack if a user opens a specially crafted .MHT file locally.”
The fact that all MHT files are automatically set to open by default in IE makes the exploit rather trivial. Potential victims will only need to double-click on a file they previously received via email or instant messaging.
According to Page, the vulnerability relies on how Internet Explorer handles CTRL+K (duplicate tab), “Print Preview,” or “Print” user commands.
The vulnerability poses a risk to about 7.34 percent of users, according to NetMarketShare statistics, as fewer and fewer users are running Internet Explorer and are relying on more modern browsers instead.
Nonetheless, the zero-day should not be neglected, as Windows still uses IE as the default app to open MHT files. In fact, users don’t need to have IE set as the default browser to be in danger. The fact that IE is present on their Windows system is enough to make them vulnerable, as attackers can still find a way to trick users into opening an MHT file.
What Did Microsoft Say?
The researcher notified Microsoft about the zero-day a couple of weeks ago, on March 27. The bad news is that the company does not plan to address the bug with an urgent security fix. Here’s the answer Page got from Microsoft on April 10:
We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case.
After receiving this negative response, the researcher decided to make the zero-day public and even released proof-of-concept code and a demo.