However, according to Mitja Kolsek, ACROS Security specialist, technological giant underestimated threat of this vulnerability as it manifests not only with outdated IE, but also in modern Edge. Moreover, published by Page exploit can be processed to a version that opens with Edge.
It may be strange, but firstly specialist could not repeat an attack with the use of IE in Windows 7 and could not upload malware MHT-file as Page described it. Though process manager showed that system.ini file that could be stolen was read by script in MHT-file, it was not sent to remote server.
“This looked like a classic “mark-of-the-Web” situation. When a file is obtained from the Internet, well-behaved Windows applications like Web browsers and email clients add a mark to such [a] file in [the] form of an alternate data stream named Zone.Identifier, containing a line ZoneId=3. This allows other applications to know that the file has come from an untrusted source—and should thus be opened in a sandbox or an otherwise limited environment.”, – Kolsek wrote.
According to Kolsek, IE really put a mark on uploaded MHT-file. When investigator tried to upload same file with Edge and open in in IE, exploit worked. After precise analysis expert established that Edge added two notes in access control list that adds right to read a file to some system service.
As advised Google Project Zero specialist James Foreshaw, added by Edge identifiers are group security identifiers for Microsoft.MicrosoftEdge_8wekyb3d8bbwe PACKET. After removing second line SID S-1-15-2 -* from the list of access control exploit did not work again. In this way, permission that added Edge allowed missing IE sandbox.
James Forshaw tweet
More detailed analysis demonstrated that established by Edge permission did not allow Win Api GetZoneFromAlternateDataStreamEx function to read Zone.Indetifier flow and returned an error. Finally, IE considered that file does not have mark-of-the-Web mark and sent it to remote server.
Despite additional details about vulnerability, it is unlikely that Microsoft will fix it soon.
“We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case.”, — stated in Microsoft .
In this connection, ACROS Security has released a vulnerability patch, available on the 0Patch platform.
About Pbmsoultions.com Pbmsoultions.com pop-ups can not launch out of the blue. If you have actually…
About Prizestash.com Prizestash.com pop-ups can not expose out of the blue. If you have actually…
About Verifiedbreaking.com Verifiedbreaking.com pop-ups can not launch out of nowhere. If you have actually clicked…
About Themoneyminutes.com Themoneyminutes.com pop-ups can not launch out of the blue. If you have actually…
About News-xcidizi.com News-xcidizi.com pop-ups can not introduce out of nowhere. If you have clicked some…
About Everytraffic-flow.com Everytraffic-flow.com pop-ups can not launch out of nowhere. If you have actually clicked…