Malformed .MHT File in Internet Explorer May Lead To File Theft

As Microsoft is gearing up with a new version of Microsoft Edge based-on Chromium engine, Internet Explorer, its ugly step-mother remains as part of Windows 10, and it is dragging its vulnerability towards Redmond’s latest operating system. The Proof-Of-Concept code has been released to demonstrate the XML eXternal Entity flaw in Internet Explorer 11, which Microsoft refused to fix for an undisclosed reason. This is a huge departure to Microsoft’s earlier commitment that the software giant will continue to patch Internet Explorer 11 which is bundled on all versions of Windows.

Internet Explorer with its aging Trident engine has a flaw with handling MHTML Web Archive file format. A malformed. MHT file can allow remote actors to transfers/extract local files that reside in the computer’s hard drive. All the user need to do is to open an MHT file which by default is associated with Internet Explorer even if another browser is the default browser. The attacker can also launch a JavaScript file from the malformed .mht file in order to access local files that should not be accessible.

“This can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information. Example, a request for ‘c:\Python27\NEWS.txt’ can return version information for that program. A simple call to the window.print() Javascript function should do the trick without requiring any user interaction with the webpage. Typically, when instantiating ActiveX Objects like ‘Microsoft.XMLHTTP’ users will get a security warning bar in IE and be prompted to activate blocked content. However, when opening a specially crafted .MHT file using malicious < xml > markup tags the user will get no such active content or security bar warnings. Typically, when instantiating ActiveX Objects like “Microsoft.XMLHTTP” users will get a security warning bar in IE and be prompted to activate blocked content. However, when opening a specially crafted .MHT file using malicious <xml> markup tags the user will get no such active content or security bar warnings,” explained John Page, a security researcher.

Internet Explorer is used for companies with Intranet systems still using ActiveX control, a legacy technology designed to deliver dynamic content to a webpage. However, such high interactivity comes with a huge setback, as malware from the early 2000s were based-on ActiveX technology. As Internet Explorer has almost the same market share as Mozilla Firefox today, users are advised to change the association of .mht files to notepad or some other text editor instead of Internet Explorer. This will cancel the possibility of automatically open .mht files in Internet Explorer.

“We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case,” said a Microsoft representative in response to the issue.

Source: https://www.zdnet.com/article/internet-explorer-zero-day-lets-hackers-steal-files-from-windows-pcs/

Related Resources:

Use Of Internet Explorer Heavily Discouraged. Major Flaw Discovered

All Browser Vendors Unite: Goodbye to TLS 1.0 and 1.1 on 2020