That Internet Explorer XXE zero day poking through to Edge
I’ve been slammed for the past few days, and haven’t kept you folks apprised of the latest Internet Explorer 0day.
It depends on you opening an infected MHT file. MHT is an old file format that’s almost always opened by IE — no matter which browser you’re using, no matter which version of Windows. Catalin Cimpanu has a good overview of this XXE vulnerability on ZDNet.
It’s a doozy of a security hole, as it affects every recent version of IE, and it infects whether you’re actively browsing with IE or not.
When you download files from the internet, they’re marked — the “Mark-Of-The-Web” — to tell programs that special care is required when opening the files. Thus, if you download an infected MHT file, IE will know that it needs to open the MHT file with caution (at “low integrity,” in a sandbox). That severely limits this exploit’s reach.
There’s a lot of controversy about how bad this XXE hole really is. There have been lots of XXE holes discovered in the past. They’re used to pull files off your machine and send them to the bad guys. Microsoft figured this one isn’t all that bad, in part because of the MOTW mechanism. The folks who discovered this particular hole aren’t so sanguine. They responded to Microsoft’s snub last week by releasing details, proof of concept code, and even a video.
Yesterday, Mitja Kolsek at 0patch revealed something disconcerting. If you use Edge to download an infected MHT file, Internet Explorer will open it like any other file. Says Kolsek:
Does Edge not put the mark-of-the-web on downloaded files, or does it do it differently and somehow confuses Internet Explorer? That would be a serious flaw.
He goes on to explain how Edge changes the permissions on downloaded files and, thus, why IE will open the infected MHT file as if it had no Mark-Of-The-Web.
All fascinating stuff if you’re into this kind of thing. Ionut Ilascu has a synopsis on BleepingComputer.
The 0patch company has a quick patch that you can apply, free, if you’re concerned about getting burned. I’m not going to link to it — I don’t want to take responsibility for 3rd-party patches to Windows — but you can find it quite easily if you’re really interested. That said, 0patch is highly regarded, and has made many useful hotfixes for Windows.
What to do? That’s easy. Don’t open MHT files. And don’t use IE.
Thx to @Alex5723 and others who have been posting about this problem while I’m off doing other things…..
Let’s see if I get a definitive answer from this:
About the IE/XXE 0day… does anybody know for sure…. If you reassign the default handler for the MHT filename extension – does that short-circuit the attack, even with Edge as intermediary? Sure is easier than removing IE. @mkolsek @BleepinComputer @GossiTheDog
— Ask Woody https://infosec.exchange/@askwoody (@AskWoody) April 18, 2019
UPDATE: @mkolsek, who published the report yesterday, confirms that reassigning the default handler for MHT files breaks the attack. He tested it. I’ll write this up.
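Two things a Windows admin would want to check after reading the above: whether a downloaded file actually carries the Mark-Of-The-Web, and which program is currently registered to open .mht files. The PowerShell below is an added example written for this page; it is not code from AskWoody, 0patch, or Microsoft. It assumes that MOTW lives in the file's Zone.Identifier alternate data stream (the standard location), that the registry keys shown are the usual per-user and machine-wide association locations, and that the sample file path is a placeholder you substitute with a file you downloaded yourself.

```powershell
# Added example (not from the AskWoody post or 0patch).
# Assumptions: MOTW is stored in the Zone.Identifier alternate data stream,
# and .mht associations live in the standard HKCU FileExts / HKCR keys.

function Get-MarkOfTheWeb {
    # Reads the Zone.Identifier stream of a downloaded file and reports the
    # zone plus the URLs modern browsers record alongside it.
    param([Parameter(Mandatory)][string]$Path)

    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = $null; $referrer = $null; $hostUrl = $null

    foreach ($line in $lines) {
        if     ($line -match '^ZoneId=(\d+)')     { $zoneId   = [int]$Matches[1] }
        elseif ($line -match '^ReferrerUrl=(.+)') { $referrer = $Matches[1] }
        elseif ($line -match '^HostUrl=(.+)')     { $hostUrl  = $Matches[1] }
    }

    # Zone 3 is the Internet zone, zone 4 is Restricted; either means the
    # file should be opened with low-integrity handling. No stream = no MOTW.
    [pscustomobject]@{
        Path        = $Path
        HasMotw     = ($null -ne $lines)
        ZoneId      = $zoneId
        ReferrerUrl = $referrer
        HostUrl     = $hostUrl
        Untrusted   = ($zoneId -ge 3)
    }
}

function Get-MhtHandler {
    # Resolves the effective .mht handler: the per-user choice wins if set,
    # otherwise the machine-wide default ProgId. Then looks up its open command.
    $userKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice'
    $userProgId = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).ProgId
    $machProgId = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.mht' -ErrorAction SilentlyContinue).'(default)'

    $effective = if ($userProgId) { $userProgId } else { $machProgId }
    $command   = $null
    if ($effective) {
        $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$effective\shell\open\command"
        $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    }

    [pscustomobject]@{
        UserProgId    = $userProgId
        MachineProgId = $machProgId
        Effective     = $effective
        OpenCommand   = $command
        # True when the handler still routes .mht files into Internet Explorer.
        OpensWithIE   = ($command -match 'iexplore')
    }
}

# Placeholder path: replace with a file you downloaded to test MOTW handling.
Get-MarkOfTheWeb -Path "$env:USERPROFILE\Downloads\sample.mht" | Format-List
Get-MhtHandler | Format-List
```

If `HasMotw` comes back `$false` for a file you know came from the internet, that is exactly the condition Kolsek describes, and IE will not apply its low-integrity handling. If `OpensWithIE` is `$true`, the .mht extension is still pointed at IE; changing the default app for .mht to something other than IE (a text editor is fine) is the mitigation @mkolsek confirmed breaks the attack, and re-running `Get-MhtHandler` afterwards shows the new `UserProgId` taking precedence.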