A recently disclosed vulnerability in Internet Explorer, which Microsoft has yet to fix, has received a micropatch that prevents remote attackers from exfiltrating local files and carrying out reconnaissance on the system.

The security flaw is an XML External Entity (XXE) issue. It was discovered by security researcher John Page, who reported it to Microsoft on March 27 and published the details on April 10, including proof-of-concept code to support his finding.

The researcher also published a video showing how the vulnerability can be exploited.

Exploitation is possible when a user opens a specially crafted MHT file that was downloaded with Microsoft's Edge browser. Files of this type are MHTML web archives, the default format Internet Explorer (IE) uses to save web pages, and IE is also the default program for opening them on Windows.

Mitja Kolsek of ACROS Security analyzed the problem and determined that it originates in "an undocumented security feature" in Edge that interferes with Internet Explorer's ability to correctly read the mark of the web (MOTW) flag applied to files downloaded from the web.

Until Microsoft releases a fix for this vulnerability, a micropatch is available through the 0Patch platform. It adds error-checking routines that allow Internet Explorer to correctly interpret the mark of the web flag Edge sets on downloaded files.

Conflict between security features

MOTW is a security feature that makes sure IE asks for permission before running local scripts and active content with elevated privileges.

"In short, the MOTW in a page allows the content to run as if from the Internet zone. So the script and active content will have the same privileges as if you were viewing it from a website and not be able to run with elevated access to machine resources," reads the explanation from Microsoft.

Kolsek found that the permissions on MHT files downloaded with IE differ from those on files retrieved by Edge, the latter adding two entries to the access control list (ACL):

S-1-15-3-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194:(OI)(CI)(R)

S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194:(OI)(CI)(R)

The second one denies low-integrity IE processes read access to a file's content or attributes. "We theorize that Edge is using this feature to further tighten the security of saved files against malicious code executing in its Low Integrity sandbox," says Kolsek.

The MOTW information also appears to be stored in this data stream, but IE encounters an error when it tries to read it. The browser ignores the error, so the file is treated as if it carried no MOTW flag at all, that is, like a regular local file that runs with the same privileges as the user who opened it.
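For a defender who wants to check downloaded .mht files for the two conditions described above (whether the MOTW can actually be read, and which AppContainer ACEs Edge left on the file), the following is an added PowerShell example; it is not code from the article, from the researcher or from 0patch. It assumes an NTFS volume, that the MOTW is carried in the file's Zone.Identifier alternate data stream (the standard Windows location), and that downloads live in the user's Downloads folder.

```powershell
# Added example (not from the article or 0patch): audit a downloaded .mht file for
# a readable mark of the web and for AppContainer ACL entries of the kind Edge adds.
# Assumes NTFS and the standard Zone.Identifier alternate data stream for the MOTW.
function Test-MhtMotw {
    param([Parameter(Mandatory)][string]$Path)

    $result = [ordered]@{
        Path = $Path; HasMotw = $false; ZoneId = $null
        StreamReadError = $null; AppContainerAces = @()
    }

    # 1. Read the MOTW. A read error here is exactly the condition the article
    #    describes: IE hits the error and silently treats the file as a trusted
    #    local file. This check reports the error instead of ignoring it.
    try {
        $zone = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
        $result.HasMotw = $true
        $line = $zone | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
        if ($line -and $line -match '^ZoneId=(\d+)') {
            $result.ZoneId = [int]$Matches[1]   # 3 = Internet zone
        }
    } catch {
        $result.StreamReadError = $_.Exception.Message
    }

    # 2. List ACEs whose trustee is an AppContainer SID: S-1-15-2-* (package)
    #    or S-1-15-3-* (capability), the pattern of the two entries quoted above.
    $acl = Get-Acl -LiteralPath $Path
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($sid -like 'S-1-15-*') {
            $result.AppContainerAces += '{0}:{1}:{2}' -f $sid, $ace.AccessControlType, $ace.FileSystemRights
        }
    }
    [pscustomobject]$result
}

# Usage: audit every .mht in the Downloads folder (assumed location).
Get-ChildItem "$env:USERPROFILE\Downloads" -Filter *.mht -File |
    ForEach-Object { Test-MhtMotw -Path $_.FullName } |
    Format-List
```

A file that shows a StreamReadError together with S-1-15-* entries is one to treat as untrusted regardless of what IE decides, since IE will open it as a local file.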

The XXE vulnerability found by Page puts only Edge users at risk, Kolsek says, since he did not find the undocumented feature that enables exploitation in other popular browsers and email clients.