XXE Injection

XXE Injection Description

The XXE Injection Vulnerability affecting Internet Explorer was discovered by vulnerability researchers on April 19th, 2019. The XXE Injection Vulnerability is being tracked under the tag CWE-611 and affects all versions of Microsoft's deprecated Internet Explorer. Unfortunately, IE is still used by many government agencies and banking institutions across the globe, and user caution is advised. The researchers describe CWE-611 as a "zero-day extensible markup language (XML) external entity (XXE) injection vulnerability." The XXE Injection is triggered when a user opens a weaponized .MHT file (MIME HTML Web archive) and loads its content in Internet Explorer. Successfully exploiting the XXE Injection Vulnerability requires users to open a new tab in IE and print the opened page.

Attackers may aim to exploit CWE-611 to access local files as well as resources on a remote Web server. Security researchers warn that the XXE Injection technique can be used to abuse the 'file://' protocol to read local files and the 'http://' protocol to load code from a Web server. Moreover, a clever attacker can use JavaScript functions like 'window.print()' to simulate user interaction without showing any visual cue that something is wrong. For example, a weaponized MHT file is sent to the user in an email that looks like an invoice and a notification of a charge to the user's credit card. The user opens the MHT file thinking it is a text document or PDF, and a new tab is opened in IE. In a slightly different scenario, a fake document is loaded on the screen while JavaScript code loads a hidden instance of Internet Explorer in the background.

In both cases, the attackers receive data on the user's PC that includes the IP address, active username, Windows version, installed software and version log, attached peripheral devices (keyboard, mouse, Webcam, scanners, printer, etc.) and Web browser bookmarks. The data pulled from systems can be used by attackers as reconnaissance information and can help them design second-stage attacks. Knowing a user's software and hardware configuration, as well as interests inferred from Web browser activity, can help attackers create a tailored attack vector. Microsoft has published a statement on the XXE Injection Vulnerability, saying:

"Internet Explorer alone does not permit this type of malicious behavior. An attacker must trick or convince a user into downloading a malicious document through a socially engineered scheme, for example a spam email attachment or phishing campaign that triggers a download. The file must then be opened with the browser. To guard against this scheme, practice safe computing habits online, such as avoid downloading and opening untrusted files from the Internet."

We recommend that users switch to a browser other than Internet Explorer and stay vigilant when opening attached files. You may want to take advantage of Yahoo Mail, Gmail, Outlook and other email service providers that boast powerful spam filters.
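
The vigilance recommended above can be backed by an automated check on attachments at the mail gateway or endpoint. The following Python code is an added example, not code from the researchers or from Microsoft: it walks the MIME parts of an .MHT file and flags external entity declarations and 'window.print()' calls, the two traits described earlier. The sample archive, the example.invalid URLs and the placeholder file path are constructed for illustration.

```python
import base64
import email
import re
from email import policy

# <!ENTITY [%] name SYSTEM "uri"> or <!ENTITY [%] name PUBLIC "id" "uri">
ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?:%\s+)?[\w.-]+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s*["\']([^"\']+)["\']',
    re.IGNORECASE)
PRINT_RE = re.compile(r'window\s*\.\s*print\s*\(', re.IGNORECASE)

def scan_mht(raw: bytes) -> list[str]:
    """Return one finding per suspicious trait in an MHT file given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64 / quoted-printable, so encoded parts are covered.
        # Assumption: parts are ASCII/UTF-8 compatible; UTF-16 XML needs extra decoding.
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        loc = part.get("Content-Location", "(no Content-Location)")
        for uri in ENTITY_RE.findall(text):
            findings.append(f"{loc}: external entity -> {uri.split(':', 1)[0].lower()}")
        if PRINT_RE.search(text):
            findings.append(f"{loc}: script calls window.print()")
    return findings

# Constructed sample: not a working exploit, only the traits the scanner looks for.
XML_PART = b'<!DOCTYPE r [<!ENTITY % a SYSTEM "file:///placeholder.txt">]><r/>'
SAMPLE = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="b1"\r\n\r\n'
    b"--b1\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Location: http://example.invalid/invoice.html\r\n\r\n"
    b"<html><body><script>window.print();</script></body></html>\r\n"
    b"--b1\r\n"
    b"Content-Type: text/xml\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Location: http://example.invalid/data.xml\r\n\r\n"
    + base64.b64encode(XML_PART) + b"\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for finding in scan_mht(SAMPLE):
        print(finding)
```

A hit on either pattern is a reason to quarantine the attachment for review, since legitimate saved Web pages rarely declare external entities.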
