Internet Explorer zero-day lets hackers steal files from Windows PCs

Discussion in 'other security issues & news' started by mood, Apr 12, 2019.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    12,941
    Internet Explorer zero-day lets hackers steal files from Windows PCs
    Microsoft refused to patch issue so security researcher released exploit code online
    April 12, 2019

    https://www.zdnet.com/article/internet-explorer-zero-day-lets-hackers-steal-files-from-windows-pcs/
     
  2. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,498
    Location:
    Italy
    I wonder if the vulnerability can also affect I.E.8.
    Pale Moon (and New Moon) requires an extension to be installed to read and write MHT files:

    https://en.wikipedia.org/wiki/MHTML

    For the moment I have not installed the extension for New Moon but I have changed the default program to open these types of files:


    [attachment: 2a.JPG]
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    11,523
    Location:
    The Netherlands
    That's why browsers should always be restricted with file/folder protection tools.
     
  4. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,109
    Location:
    Slovakia
    I guess uninstalling IE, disables mht file association?
     


  5. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,498
    Location:
    Italy

    There will be no default application for MHT and MHTML files.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,412
    Location:
    U.S.A.
    Talk about confusion on this issue.:rolleyes:

    To begin with, this is not an IE11 vulnerability but rather, an Edge vulnerability:
    Again .………….
    https://www.bleepingcomputer.com/ne...-permissions-clash-with-ie-allow-xxe-attacks/

    Finally and again if you don't use Edge and only IE11, you have nothing to worry about in this regard.
     
    Last edited: Apr 23, 2019
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,412
    Location:
    U.S.A.
  8. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,498
    Location:
    Italy
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,412
    Location:
    U.S.A.
    I will also say this about this issue. It has been a long time since I've seen a security issue so misinterpreted.

    The latest fix "hack" for Win 10, which I already knew about, is given in this article: https://www.computerworld.com/artic...-block-the-ie-xxe-zero-day-security-hole.html. The problem is that their recommendation of assigning notepad.exe clearly indicates they are clueless about what the real problem is.

    The problem is this ……. implicit permission escalation. I believe the author of the issue, Page, got into this in his initial writeup on the problem. To begin with, this is only an issue on Win 10; it is the only thing that runs Edge. Now for the problem, IE11 misinterprets these Edge .mht files as w/o the mark-of-the-web. IE11 when executed via startup by a MOTW file will only open itself as a low integrity process. Without the MOTW designation on the file, IE11 will open under current logged on account privileges; i.e. medium integrity. Therefore if malware within the .mht file spawns a malicious child process, it is running at medium integrity level.

    Yet to be mentioned in all these articles is the impact of IE11 being configured with Enhanced Protected Mode. Configured as such and through observation of using IE11 for many years, IE11 will always open as AppContainer which by default is low integrity sandbox mode. Also any child process spawned is also AppContainer mode.

    Bottom line - if IE11 is configured with EPM, there is no issue in regards to this Edge "bork."
     
    Last edited: Apr 18, 2019
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,412
    Location:
    U.S.A.
    Proof of Concept For Above IE11 AppContainer Assumption

    What I did rather than using Edge, was to use IE11 to create a .mht file from an existing web site page. Much easier to do so in IE11 than in Edge; if possible at all. After creating the file on the desktop, I then manually removed the Mark-of-the-Web identifier from the file. This in essence duplicates the "borked" MOTW download of a .mht file in Edge:

    [attachment: IE11_NoMOTW.png]


    I then double clicked on the desktop .mht file and it opened IE11:

    [attachment: IE11_MHT.png]


    I finally verified that IE11 was indeed running in AppContainer mode as previously assumed:

    [attachment: IE11_AppContainer.png]
     
  11. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    358
    Location:
    USA
    On Windows 10 Home, I ran an mht file I made years ago that had been stored on a non-NTFS USB drive and lost its MOTW. With IE 11 set to Enhanced Protected Mode, the computer restarted, and every security zone set to "Protected Mode," IE 11 unfortunately still ran with Medium Integrity.

    [attachment: MHT.jpg]
     
  12. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    12,941
    Unexpected protection added to Microsoft Edge subverts IE security
    Permissions that Edge added to downloaded files break important security feature
    April 19, 2019

    https://arstechnica.com/information...in-microsoft-edge-could-allow-for-file-theft/
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,412
    Location:
    U.S.A.
    I can duplicate this and the issue really isn't about whether MOTW exists or not. It is actually a permissions issue in the SID added to .MHT files downloaded by Edge.

    Getting back to my testing when a file is downloaded, including a .MHT file, from IE11 when running with EPM enabled for the Internet zone, the following SID is created:

    [attachment: IE11_Perms.png]

    A bit more detail:
    https://blogs.msdn.microsoft.com/ieinternals/2011/03/23/understanding-local-machine-zone-lockdown/

    As long as that SID exists for the .MHT file, it will always open in AppContainer mode; regardless of MOTW status. Now if I remove that SID for the .MHT file;

    [attachment: IE11_Perms_2.png]

    when I open that file by double clicking on it, the file will open in IE11 using my default logon account permissions; i.e. running as a medium integrity process.

    In regards to this old .MHT file on your USB drive, open up its Security settings and, I assume, you will observe settings as shown in the second screen shot.

    Getting back to the current Edge issue, it is about not setting the correct permissions in the corresponding SID it creates on downloads, more than a per se MOTW issue.

    This also brings up an additional security issue in regards to .MHT files that are introduced to a device other than by Internet download.
     
    Last edited: Apr 19, 2019
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,412
    Location:
    U.S.A.
    I came across this article titled: Enhanced Protected Mode and Local Files written by Microsoft a while back. The article states how IE handles .html local based files. Of note is:
    https://blogs.msdn.microsoft.com/ieinternals/2012/06/19/enhanced-protected-mode-and-local-files/

    Assumed is local .mht files, being archives, are initially extracted in the IE11 rendering process which always runs at medium integrity level. For the time being, I will assume what is extracted are individual .html files. Those will be formatted for browser display and rendered in a specific IE11 Zone based on MOTW status as described in the article. Of specific note is:
    "Wrapping my head" around the above and unless I am missing something, malware present in .mht files could very well be executed during the file extraction process in the IE11 broker process running at medium integrity level. And this current Edge "bug" really is unrelated to this fact. Perhaps the reason Microsoft won't patch it since doing so does not prevent any existing .mht malware infection method.

    -EDIT- Finally, I really don't believe this Edge issue is something "new" as the below excerpt from the Microsoft 'Enhanced Protected Mode and Local Files' article notes:
     
    Last edited: Apr 19, 2019
  15. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    358
    Location:
    USA
    My file, which was created on Windows 7 IE with EPM, has these attributes (user info on Line 2 redacted):

    [attachment: New0000.jpg]

    I even tried installing 0patch, which said it was running code to patch the vuln, but the process still showed Medium integrity level in Proc. Exp.
     
  16. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    6,561
    Location:
    Among the gum trees
    My understanding is that 0Patch does its patching in memory, so I'm not surprised it didn't change as you expected.
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,412
    Location:
    U.S.A.
    https://securityintelligence.com/in...enhanced-protected-mode-epm-sandbox-research/

    Bottom line - any file locally created and not directly downloaded from IE11 w/EPM enabled or Edge will be missing SID S-1-15-3-4096. Without this SID, the file will open outside of AppContainer.

    Do this. Upload your .mht file to some file share. Now download via IE11 w/EPM enabled in Win 7. It should now open in AppContainer. Assumed is you are running Win 7 x(64) and IE11 x(64).
    The patch only applies to .mht files downloaded via Edge. It has no effect on .mht files created via IE11 or anything else for that matter.
     
    Last edited: Apr 20, 2019
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,412
    Location:
    U.S.A.
    Also I would stay away from the 0Patch mitigation on this one. I state this based on this excerpt from their web site article:
    https://blog.0patch.com/2019/04/microsoft-edge-uses-secret-trick-and.html

    From the above, it is obvious they are clueless to the fact that Edge in essence always operates in equivalent IE11 EPM mode. This is what is adding those SIDs to the downloaded file.

    Now couple this with the fact that they are modifying urlmon.dll, a system32 .dll, code that is loaded by multiple Win system processes and I would say you're asking for "big trouble."
     
    Last edited: Apr 20, 2019
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,412
    Location:
    U.S.A.
    This now leads us to what is the best mitigation against this .mht Edge issue? That is if it really is an issue which I am far from convinced it is.

    This is to permanently assign the .mht extension to another benign process as recently suggested. Notepad.exe should be fine. As noted in this article: https://www.lifewire.com/mht-file-4140714 , text editors can open .mht files w/o issue. Whether any code could be dynamically executed is doubtful. Nirsoft has a ref. to programs that can process .mht files and notepad.exe is not referenced: http://extension.nirsoft.net/mht .

    This mitigation will also eliminate the risk of encountering previous and known malware using .mht files.
     
    Last edited: Apr 20, 2019
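    The manual checks from posts 13, 17 and 19 (MOTW stream, the capability SID in the file's DACL, and which program is registered to open .mht), gathered into one script as an added example that is not code from the thread or from any tool it names. It assumes Windows 10 with PowerShell 5.1 on an NTFS volume; S-1-15-3-4096 is the SID quoted in post 17, the registry keys are the standard file-association locations, the two ProgIDs treated as "IE" are the ones this script knows about, and the .mht path at the bottom is a placeholder.

```powershell
# Added example, not code from the thread. Audits an .mht file and the .mht handler
# the way itman did by hand in posts 13, 17 and 19. Assumes Windows 10 / PowerShell 5.1
# and NTFS; S-1-15-3-4096 is the SID named in post 17, everything else is standard cmdlets.
$EpmCapabilitySid = 'S-1-15-3-4096'
$IeProgIds = @('mhtmlfile', 'IE.AssocFile.MHT')   # IE ProgIDs known to this script

function Get-MhtHandler {
    # A per-user choice ("Open with" / Default apps) overrides the machine-wide class key.
    $choice = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice' -ErrorAction SilentlyContinue
    if ($choice -and $choice.ProgId) { return $choice.ProgId }
    $class = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\.mht' -ErrorAction SilentlyContinue
    if ($class) { return $class.'(default)' }
    return '<none>'
}

function Get-MhtFileAudit {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Mark-of-the-Web is the Zone.Identifier alternate data stream. It exists only on NTFS,
    # which is why a file that passed through a non-NTFS USB drive (post 11) has none.
    $zoneId = $null
    $motw = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if ($motw) {
        $text = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Raw
        if ($text -match 'ZoneId=(\d)') { $zoneId = [int]$Matches[1] }   # 3 = Internet zone
    }

    # Read the DACL with identities as raw SIDs so the capability SID is matched literally
    # instead of through a name lookup, which can fail for AppContainer SIDs.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true,
                [System.Security.Principal.SecurityIdentifier])
    $hasEpmSid = [bool]($rules | Where-Object { $_.IdentityReference.Value -eq $EpmCapabilitySid })
    $handler = Get-MhtHandler

    # Per the thread: the SID, not the MOTW, decides whether IE11 opens the file inside an
    # AppContainer; a non-IE handler (post 19's notepad.exe) sidesteps the question entirely.
    [pscustomobject]@{
        Path            = $item.FullName
        HasMarkOfTheWeb = [bool]$motw
        ZoneId          = $zoneId
        HasEpmSid       = $hasEpmSid
        Handler         = $handler
        OpensInIE       = ($handler -in $IeProgIds)
    }
}

# Example run; the path is a placeholder for a file you downloaded yourself.
Get-MhtFileAudit -Path "$env:USERPROFILE\Downloads\example.mht" | Format-List
```

    A file showing HasEpmSid = False together with OpensInIE = True is the combination the thread identifies as opening at medium integrity.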
  20. SouthPark

    SouthPark Registered Member

    Joined:
    Jun 13, 2012
    Posts:
    358
    Location:
    USA
    I found a mitigation on Ten Forums, assigning a Chromium browser as the default opener for .mht files. I was able to do it with Slimjet, which opened my .mht file in an app container by default. See post 3 of this thread:
    https://www.tenforums.com/windows-1...day-lets-hackers-steal-files-windows-pcs.html

    My laptop is acting strange after installing and uninstalling 0patch ("unexpected shutdown" on startup), so I don't know what is going on with that yet.

    ETA: Had to reinstall Windows due to blank screens and Error 41 on each startup, though I'm not 100% sure it was caused by 0patch.

    ETA further: The problem was with Windows power settings and was probably not caused by 0patch.
     
    Last edited: Apr 21, 2019
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,412
    Location:
    U.S.A.
    Oh my:ouch:

    Wanting to "tie up all loose ends" on this issue, it dawned on me I had not duplicated what the researcher did in his POC. That is, download a .mht file via Edge; something frankly I should have done initially. So that is exactly what I did.

    I uploaded my previously created .mht file to a file sharing web site. I then downloaded the file via Edge:

    [attachment: IE11_Edge.png]

    We now have the SIDs noted in the researcher's POC.

    I set IE11's Local Internet settings back to default level; Medium-low with Protected Mode disabled. I then double clicked on the above Edge downloaded .mht file. Guess what? It did indeed open up in an AppContainer IE11 child process!

    This gets us back to protected mode settings in IE11. Note there are two levels of protected mode. The first and lesser level is set at the various IE11 Zone settings. The more encompassing level is an optional "Enhanced Protected Mode" setting in IE11's -> Internet Tools -> Advanced settings. Again, EPM is not enabled by default in IE11. Additionally, EPM only offers maximum protection on IE11 x(64).

    Bottom line - as long as you're using IE11 x(64) with EPM enabled, this .mht Edge download vulnerability is not an issue.

    Getting back to the researcher's POC, it appears he did this with IE11 set at its default settings. I guess this has some merit since the average user, especially one who never used IE11 in Win 10, would have never configured EPM.
     
  22. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    2,417
    Location:
    Canada
    I believe UAC is required to be enabled for EPM to work at all or at least to work with full functionality.
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,412
    Location:
    U.S.A.
    I don't believe UAC has any bearing on IE11 operation. However, EPM after enabling requires a system restart to be in effect.
     
  24. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    1,498
    Location:
    Italy
    @itman


    "History usually repeats itself":

    https://www.securityweek.com/attackers-hide-malicious-macros-mhtml-documents

    the result today as in 2015 is a clear danger in the management of this type of files with the default application (I.E.).
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,412
    Location:
    U.S.A.
    This isn't a good example since the malicious .mhtml file was embedded in a Macro. I would think by now people would have the common sense to block Macros in MS Office files.

    However, a more "clear and present danger" is those who don't properly configure the e-mail client to show attachments in-line or don't have again the "security sense" to never open .mht attachments directly in your e-mail client. For a test, I attached one of my "sanitized" .mht files; no MOTW and no SID data. I then e-mailed it to myself using Thunderbird. Opened the attachment in T-Bird with the following result:

    [attachment: TBird_MTH.png]

    Bingo! The .mht content rendered w/o a peep. Well, not exactly. As you can see, I have all active content rendering disabled in T-Bird. I also only allow .txt content in my e-mails.

    In any case, I believe Outlook allows you to disable attachment opening by extension type. Thunderbird has like capability via an add-on extension you can download.

    Also, I have already stated that .mht malware exists. So this type of discussion is not directly related to this "supposed" Edge .mht download issue.

    -EDIT- If you're the e-mail security "brain impaired" type, using Thunderbird, and employ a HIPS, T-Bird will inject a hook into IE11 to render the .mht file. A HIPS rule that monitors IE11 against process modification will detect this activity.
     
    Last edited: Apr 22, 2019