Internet Explorer Browser Flaw Threatens All Windows Users (Apr 17, 2019)
Researcher John Page, known by the alias “hyp3rlinx,” has published Proof-of-Concept (POC) code for a vulnerability in Windows’ “Internet Explorer” (IE) web browser. The vulnerability, which some refer to as a “zero-day vulnerability because it is a known weakness for which there is no patch,” resides in the way IE handles its default web page archiving format, MHTML (MHT) files. A threat actor could distribute a malicious MHT file to a Windows 7, Windows 10, or Windows 12 R2 system because these systems open MHT files in IE by default. The MHT file could also contain malicious XML markup to prevent IE from showing a security warning. If the MHT file is opened through IE, a remote actor could gain the ability to steal local files and “conduct reconnaissance on locally installed Program version information.” Even on Windows 10, a short setup process can take place when the machine is booted for the first time, thus potentially leaving all Windows users at risk of this vulnerability, albeit only within the short timeframe of first-time startup.
Recommendation: Vulnerabilities located in Internet Explorer (IE) are seemingly found on a regular basis, and Microsoft apparently acknowledged the problems with the browser by moving Windows’ default web browser to Microsoft Edge. Therefore, it would be prudent for your organization to prohibit the use of IE to avoid potential malicious activity. The default browser or application used for MHT file archiving should be changed from IE to something else to avoid possible exploitation of this vulnerability, and IE could be uninstalled completely if it is unneeded.
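One way to check the recommendation above on a given machine is to report which program is registered to open .mht and .mhtml files. This PowerShell audit is an added example, not part of the original brief; the function name Get-MhtHandler is hypothetical, and it assumes the handler is registered through the standard per-user UserChoice key or the HKEY_CLASSES_ROOT class registration.

```powershell
# Added example: report the program registered to open MHT archives for the current user.
function Get-MhtHandler {
    param([Parameter(Mandatory)][string]$Extension)

    # Per-user selection made through "Open with" / Default apps; it wins when present.
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    $progId = (Get-ItemProperty -LiteralPath $userChoice -ErrorAction SilentlyContinue).ProgId
    $source = 'UserChoice'

    if (-not $progId) {
        # Fall back to the class registration (merged machine and user view).
        $progId = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$Extension" `
                   -ErrorAction SilentlyContinue).'(default)'
        $source = 'HKCR'
    }

    $command = $null
    if ($progId) {
        # The open verb's command line names the executable that receives the file.
        $command = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" `
                    -ErrorAction SilentlyContinue).'(default)'
    }

    [pscustomobject]@{
        Extension = $Extension
        Source    = $source
        ProgId    = $progId
        Command   = $command
        # True when the resolved command line launches Internet Explorer.
        OpensInIE = [bool]($command -match 'iexplore\.exe')
        # Packaged apps may register no shell\open\command; report that instead of guessing.
        Resolved  = [bool]$command
    }
}

$results = '.mht', '.mhtml' | ForEach-Object { Get-MhtHandler -Extension $_ }
$results | Format-Table -AutoSize -Wrap

if ($results | Where-Object OpensInIE) {
    Write-Warning 'MHT files open in Internet Explorer; reassign the handler or remove IE.'
}
```

A row with Resolved set to False means the handler could not be read from the registry and should be checked by hand in the Default apps settings.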
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.