Internet Explorer zero-day lets hackers steal files from Windows PCs

Discussion in 'other security issues & news' started by mood, Apr 12, 2019.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,721
    Location:
    U.S.A.
    Getting back to the 0Patch detailed analysis, this "hidden" Win 10 setting they supposedly discovered in Edge .mht downloads in regards to MOTW is baloney in my opinion.

    Edge internal security settings are in reality just IE11 maximum security settings. Edge will always open in AppContainer and does so by always enforcing EPM internally. As such, any thing Edge downloads will reflect this EPM status via its SID assigned permissions. What happened here was IE11 did recognize the EPM status on the Edge download. However, IE11 itself was not configured to run in EPM, so it just ignored that request and opened the download in non-AppContainer mode. In other words, MOTW setting on the download really had nothing to do with the issue.
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,721
    Location:
    U.S.A.
    TrendMicro did a detail analysis on this here: https://blog.trendmicro.com/trendla...er-can-let-attackers-steal-files-system-info/. I must say it is the best analysis to date. To begin with, not once is any of this "MOTW" business mentioned. How the hell the security "powers to be" got that screwed up is beyond me.

    Trend also has Microsoft's official response to the issue which is:
    For once I find myself "partially" agreeing w/Microsoft. In typical Microsoft to quote a native American saying "speaking with forked tongue" fashion, they conveniently omitted what Trend notes in the article that the default extension assignment for .mht files is IE11. Just embed a .mht file in a MS Word .docx file and click the file icon in the document. At default MS Word security settings, the .mht file will open IE11 with the mhtml code rendered.

    Which takes us to the best way to handle this. Just permanently assign the .mht extension to notepad.exe or whatever, and be done with the issue.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,126
    Location:
    The Netherlands
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,721
    Location:
    U.S.A.
    In the POC, he uploaded system.ini from the C:\Windows directory. Do you monitor all read access to C:\Windows directory?
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,126
    Location:
    The Netherlands
    I care more about my private files being stolen. Who cares about C:\Windows.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    7,721
    Location:
    U.S.A.
    Yikes! The researcher just used that file as an example in his POC.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    12,126
    Location:
    The Netherlands
    Yikes! Is it really this hard to understand what I mean? For example, I have blocked my browser from getting access to my data partition, so this means that these type of exploits will almost certainly fail to steal data. Of course there is a drawback, because sometimes you might need to upload certain files, so then you can either copy those files to unprotected folders, or you can temporarily disable file/folder protection.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.