PakistanDatabase.com

Local XML External Entity Injection, Internet Explorer 11, Windows 7\10\Server 2012 R2, CVE-N/A, 0day

Security researcher John Page disclosed information about a vulnerability in the Microsoft Internet Explorer 11 browser that allows access to files on systems running Windows. The PoC code for this bug has also been published.

The problem is related to how IE processes files in the MHT (MHTML Web Archive) format. When you press CTRL+S (save web page), the browser saves the page in this format by default. While modern browsers save web pages in the standard HTML format, many still support MHT.

As the expert explained, using the vulnerability, an attacker can extract local files. To do this, he will need to force the user to open the MHT file, which is not difficult, since all files in this format open in Internet Explorer by default. In order for the attack to work, the victim only needs to double-click on the file received by mail, messenger, etc.

The vulnerability is related to how the browser handles the CTRL+K, Print Preview, or Print commands, Page explained. According to him, it is possible to automate the process and eliminate user interaction.

"A simple call to the window.print() function will suffice and no user interaction with the web page is required," the researcher writes. Moreover, it is possible to disable the IE notification system using a malicious MHT file.

Page successfully tested the exploit on systems running Windows 7, Windows 10, and Windows Server 2012 R2 with the latest security patches installed. A video showing the process is posted below.


The expert informed Microsoft about the vulnerability, but the company refused to release an unscheduled patch, noting that it intends to fix the problem in a "future version of the product or service."
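
A defender-side triage sketch for inbound .mht attachments, added here as an example and not part of the original post or the researcher's PoC. It decodes every MIME part before matching, because MHT bodies are usually quoted-printable or base64 and a plain string search misses tokens split by the encoding; the function names, regex heuristics and sample bytes are assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Heuristic patterns for the two behaviours the post names (assumed, not vendor signatures).
INDICATORS = {
    "external_entity": re.compile(rb"<!ENTITY\s+(?:%\s+)?[\w.-]+\s+(?:SYSTEM|PUBLIC)\s", re.I),
    "auto_print": re.compile(rb"\bwindow\s*\.\s*print\s*\(", re.I),
}

def scan_mht(raw: bytes) -> list[tuple[str, str]]:
    """Return (content_type, indicator) pairs found in the decoded parts of an MHT archive."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        body = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if body is None:                      # multipart container, no body of its own
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(body):
                hits.append((part.get_content_type(), name))
    return hits

def should_quarantine(raw: bytes) -> bool:
    # Flag archives that pair an external entity declaration with a scripted print call.
    found = {name for _, name in scan_mht(raw)}
    return {"external_entity", "auto_print"} <= found

# Constructed sample, not a working exploit: both tokens are split by
# quoted-printable soft line breaks, so a raw byte search would not see them.
SUSPECT = b"""\
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"; type="text/html"

--b1
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html><body><!DOCTYPE r [<!ENT=
ITY x SYSTEM "placeholder">]>
<script>window.pr=
int()</script></body></html>
--b1--
"""

if __name__ == "__main__":
    print(scan_mht(SUSPECT), should_quarantine(SUSPECT))
```

A hit is a reason to hold the attachment for review, not proof of malice; legitimate saved pages can contain a print call on their own.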
