Researchers noted strange behavior in Windows 10 that can allow intruders remotely steal files that are stored on hard disks after user opens malware file in Microsoft Edge.For the first time problem was reported when cybersecurity researcher John Page published information about vulnerability in Microsoft Internet Explorer 11 that allows opening access to files on Microsoft OS. Page also published PoC-code for this bug after Microsoft refused developing a patch.
However, according to Mitja Kolsek, ACROS Security specialist, technological giant underestimated threat of this vulnerability as it manifests not only with outdated IE, but also in modern Edge. Moreover, published by Page exploit can be processed to a version that opens with Edge.
It may be strange, but firstly specialist could not repeat an attack with the use of IE in Windows 7 and could not upload malware MHT-file as Page described it. Though process manager showed that system.ini file that could be stolen was read by script in MHT-file, it was not sent to remote server.
“This looked like a classic “mark-of-the-Web” situation. When a file is obtained from the Internet, well-behaved Windows applications like Web browsers and email clients add a mark to such [a] file in [the] form of an alternate data stream named Zone.Identifier, containing a line ZoneId=3. This allows other applications to know that the file has come from an untrusted source—and should thus be opened in a sandbox or an otherwise limited environment.”, – Kolsek wrote.
According to Kolsek, IE really put a mark on uploaded MHT-file. When investigator tried to upload same file with Edge and open in in IE, exploit worked. After precise analysis expert established that Edge added two notes in access control list that adds right to read a file to some system service.
As advised Google Project Zero specialist James Foreshaw, added by Edge identifiers are group security identifiers for Microsoft.MicrosoftEdge_8wekyb3d8bbwe PACKET. After removing second line SID S-1-15-2 -* from the list of access control exploit did not work again. In this way, permission that added Edge allowed missing IE sandbox.
James Forshaw tweet
More detailed analysis demonstrated that established by Edge permission did not allow Win Api GetZoneFromAlternateDataStreamEx function to read Zone.Indetifier flow and returned an error. Finally, IE considered that file does not have mark-of-the-Web mark and sent it to remote server.
Despite additional details about vulnerability, it is unlikely that Microsoft will fix it soon.
“We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case.”, — stated in Microsoft .
In this connection, ACROS Security has released a vulnerability patch, available on the 0Patch platform.