- The flaw can enable an attacker to steal confidential information or exfiltrate local files from the victim’s machine.
- XXE injection works if a user opens a specially crafted .MHT file.
A zero-day XML External Entity (XXE) injection vulnerability has been found in Microsoft Internet Explorer. The flaw can enable an attacker to steal confidential information or exfiltrate local files from the victim’s machine.
What’s the matter - According to security researcher John Page, XXE injection works if a user opens a specially crafted .MHT file when interacting with the browser using the ‘Ctrl+K’ or ‘Ctrl+P’ keys. This action triggers the XXE vulnerability and enables an attacker to exfiltrate files from the affected system.
Trend Micro researchers Ranga Duraisamy and Kassiane Westell reveal that the XXE injection vulnerability leverages CWE-611 and CWE-827 weaknesses for a successful injection attack.
“XXE injection works by exploiting an XML parser with an improperly restricted XML external entity reference (CWE-611), which is used to access unauthorized content. XXE injection also exploits misconfigured document type definition (CWE-827) used to define document types for markup languages like XML,” said the researchers.
What is the impact - Successful exploitation of the vulnerability can allow a threat actor to gain access to sensitive files. It can also provide reconnaissance information that attackers can use to execute more attacks or launch more payloads.
“For instance, it can divulge the client’s installed applications, network configuration, privileges, and details of antivirus protection to an attacker. The attacker could then use the obtained information to gain a foothold into the affected system’s network,” researchers added.
How is the flaw triggered - The attacker relies heavily on social engineering techniques such as phishing emails to trick users into opening the malicious .MHT file. Once the malicious file is opened in Internet Explorer, it automatically sends a GET request to the attacker’s server to retrieve the malicious XML file.
This malicious XML file contains details regarding the files specified for exfiltration, along with the uniform resource identifier (URI) of the attacker-controlled server.
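For defenders screening attachments, the following is an added example (not from the researchers or the original article) of a check that parses an .MHT file as MIME, decodes each part, and reports any DOCTYPE or ENTITY declaration that points at an external resource. The function name `scan_mht`, the sample file, and the `example.invalid` host are constructed for illustration.

```python
import base64
import email
import re
from email import policy

# A DOCTYPE or ENTITY declaration that names an external SYSTEM/PUBLIC resource.
# [^<>] keeps a DOCTYPE with an internal subset from swallowing the ENTITY inside it.
EXTERNAL_DECL = re.compile(
    r"""<!(?:DOCTYPE|ENTITY)\s[^<>]*?\b(?:SYSTEM|PUBLIC\s+["'][^"']*["'])\s+["']([^"']+)["']""",
    re.IGNORECASE,
)

def scan_mht(data: bytes):
    """Return (content_location, external_uri) for each external reference found."""
    findings = []
    msg = email.message_from_bytes(data, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64 / quoted-printable, which a raw grep would miss.
        raw = part.get_payload(decode=True) or b""
        # Limitation: parts stored as UTF-16 need decoding with their real charset.
        text = raw.decode("utf-8", errors="replace")
        for m in EXTERNAL_DECL.finditer(text):
            findings.append((str(part.get("Content-Location", "")), m.group(1)))
    return findings

# Constructed sample: one clean HTML part, one base64 XML part that declares an
# external entity. The declaration is never referenced, so the sample is inert.
_XML = (b'<?xml version="1.0"?>\n<!DOCTYPE r [\n'
        b'<!ENTITY % dtd SYSTEM "http://collector.example.invalid/payload.xml">\n]>\n<r/>')
SAMPLE_MHT = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/html\r\n"
    b"Content-Location: http://localhost/a.html\r\n\r\n"
    b"<html><body>hello</body></html>\r\n"
    b"--b1\r\nContent-Type: text/xml\r\nContent-Transfer-Encoding: base64\r\n"
    b"Content-Location: http://localhost/b.xml\r\n\r\n"
    + base64.b64encode(_XML) + b"\r\n--b1--\r\n"
)

if __name__ == "__main__":
    for location, uri in scan_mht(SAMPLE_MHT):
        print(f"external reference in part {location!r}: {uri}")
```

A hit is a reason to quarantine the attachment for review, not proof of malice, since legitimate XML can also reference an external DTD.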
The bottom line - The researcher has notified Microsoft about the flaw. The firm plans to release a fix for the vulnerability in a future version of the product. Meanwhile, users are urged to avoid opening any file from unknown sources.