The vulnerability is an XML External Entity (XXE) attack. The attack occurs when an XML parser processes XML input that includes a reference to an external entity, which can lead to the unwanted disclosure of sensitive information and a slew of other issues. In Page’s demonstration, he opened a malicious MHT file with a file manager, and Internet Explorer automatically uploaded several files to a remote server.
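As an added illustration (not code from the original article or from Page’s MHT proof of concept), the Python snippet below builds a constructed XML document that declares an external entity backed by a local file and references it in content, then parses it twice with the standard library SAX parser: once with external entity resolution enabled, where the file contents end up in the parsed text, and once with it disabled, where the entity is simply dropped. The file path and its “secret” contents are constructed for the demo.

```python
import os
import io
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the character data the parser delivers inside <doc>."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


def parse_untrusted(xml_bytes: bytes, resolve_external: bool) -> str:
    """Parse XML with xml.sax; resolve_external toggles the SAX feature
    that decides whether SYSTEM entities are fetched (the XXE switch)."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, resolve_external)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def build_payload(path: str) -> bytes:
    # Constructed sample: DTD declares an external entity backed by a
    # local file and the document body references it.
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE doc [<!ENTITY ext SYSTEM "{path}">]>\n'
        "<doc>&ext;</doc>\n"
    ).encode()


def demo() -> dict:
    """Write a constructed 'secret' file, then parse the same payload with
    external entity resolution on (contents leak) and off (entity dropped)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("SECRET-TOKEN\n")
        secret_path = fh.name
    try:
        payload = build_payload(secret_path)
        return {
            "resolving": parse_untrusted(payload, resolve_external=True),
            "hardened": parse_untrusted(payload, resolve_external=False),
        }
    finally:
        os.unlink(secret_path)
```

The hardened setting is the default in current Python releases; the check is worth keeping as a regression test for any parser configuration that handles untrusted XML.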
Page also noticed a peculiarity. When he downloaded and opened the file through Internet Explorer, no information was sent to the remote server. However, when Page downloaded the file through Microsoft Edge and opened it in Internet Explorer, the exploit worked as intended. Mitja Kolsek, CEO of ACROS Security, also tested the vulnerability and reached the same conclusion.
The behavioral differences come down to a “classic ‘mark-of-the-Web’ situation”. Web browsers and email clients are supposed to add a “mark” to files that come from untrusted sources; the file is then opened in a sandbox or an otherwise restricted environment. Internet Explorer added the “mark-of-the-web”, but Microsoft Edge did not. According to James Forshaw of Google’s Project Zero vulnerability team, Edge instead adds the “capability and group SIDs for the Microsoft.MicrosoftEdge_8wekyb3d8bbwe package.” Once Forshaw deleted one of Edge’s added entries, the vulnerability no longer worked.
Internet Explorer appears to be confused by Edge’s added entries: it was unable to read the malicious MHT file’s data stream and therefore assumed that the file carried no mark-of-the-web. Kolsek noted, “An undocumented security feature used by Edge neutralized an existing, undoubtedly much more important feature (mark-of-the-web) in Internet Explorer.”
Spoiler, the secret is the capability and group SIDs for the "Microsoft.MicrosoftEdge_8wekyb3d8bbwe" package :-) This seems par for the course with Edge, adding backdoors all over the place. Wonder if this approach will apply to Edgium? /cc @ericlaw https://t.co/lu78M7N0qO — James Forshaw (@tiraniddo) April 17, 2019
Page and other researchers reached out to Microsoft, but the company does not intend to fix the bug any time soon. Microsoft maintains that the exploit requires significant “social engineering” and therefore does not pose a serious threat. While it was initially believed that the vulnerability affected the latest version of IE on Windows 7, Windows 10, and Windows Server 2012 R1, it now appears to be a threat only to Windows 10 users.
We would encourage users to always exercise caution when downloading and opening files. It may also not hurt to simply choose a different browser. Hopefully Microsoft’s upcoming Chromium-based version of the Microsoft Edge browser will be more secure.