A few days ago, security researchers disclosed a vulnerability in Internet Explorer that attackers can use to steal local files or other local information. According to the researchers, IE is the default handler for MHT files, so even a user whose everyday browser is something else may have a malicious MHT file opened by IE. MHT is a format Internet Explorer uses to save web content (or e-mail) as a single file for offline viewing.
The researchers found an XXE (XML External Entity) vulnerability in IE that bypasses the browser's ActiveX security controls. Normally, when a page tries to instantiate an ActiveX control, IE shows a prompt in the address bar and the user must manually click Allow before it runs. Here, an attacker only needs to trick the user into double-clicking the MHT file to open it. Once the file is opened, local files and the version information of installed programs can be leaked.
The security researcher wrote:
Internet Explorer is vulnerable to XML External Entity attack if a user opens a specially crafted .MHT file locally.
This can allow remote attackers to potentially exfiltrate local files and conduct remote reconnaissance on locally installed program version information. For example, a request for “c:\Python27\NEWS.txt” can return version information for that program.
Upon opening the malicious “.MHT” file locally it should launch Internet Explorer. Afterwards, user interactions like duplicate tab “Ctrl+K” and other interactions like right click “Print Preview” or “Print” commands on the web-page may also trigger the XXE vulnerability.
Typically, when instantiating ActiveX Objects like “Microsoft.XMLHTTP” users will get a security warning bar in IE and be prompted to activate blocked content. However, when opening a specially crafted .MHT file using malicious <xml> markup tags the user will get no such active content or security bar warnings.
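Because the file format itself is what carries the XXE payload, a mail gateway or endpoint scanner can inspect MHT files before IE ever opens them. The following scanner is an added defensive example, not code from the researcher or from the original article: it parses the MIME structure of an .mht file with Python's standard email library, decodes each part (MHT parts are commonly quoted-printable or base64 encoded, so a plain text search would miss them) and flags parts that declare XML external entities. The sample MHT content is constructed here for illustration.

```python
import email
import re
from email import policy

# A DOCTYPE internal subset declaring an entity with SYSTEM/PUBLIC is the
# classic XXE marker; a DOCTYPE with any internal subset is worth a look too.
ENTITY_RE = re.compile(rb"<!ENTITY\s+(%\s+)?\S+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b[^>]*\[", re.IGNORECASE)

# Constructed sample: an MHT archive whose HTML part carries an external entity
# declaration pointing at a placeholder local path.
SAMPLE_MHT = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_Part"

------=_Part
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE x [<!ENTITY e SYSTEM "file:///C:/placeholder.txt">]>
<html><body>saved page</body></html>
------=_Part
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Harmless attachment text.
------=_Part--
"""


def scan_mht(data: bytes) -> list:
    """Return findings as (part index, content type, reason) for an MHT blob."""
    msg = email.message_from_bytes(data, policy=policy.default)
    findings = []
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        # decode=True undoes quoted-printable / base64 transfer encoding
        payload = part.get_payload(decode=True) or b""
        ctype = part.get_content_type()
        if ENTITY_RE.search(payload):
            findings.append((idx, ctype, "external entity declaration"))
        elif DOCTYPE_RE.search(payload):
            findings.append((idx, ctype, "DOCTYPE with internal subset"))
    return findings


if __name__ == "__main__":
    for finding in scan_mht(SAMPLE_MHT):
        print("suspicious part:", finding)
```

A hit is a reason to quarantine the file for review rather than proof of exploitation, since a DOCTYPE subset can also appear in legitimately saved pages.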
The vulnerability was reported to Microsoft, which confirmed it and said it would consider a fix to block this technique in a future version. Microsoft appears to regard the issue as relatively minor: the vulnerability can only leak very limited information and does not pose a serious threat.