
XXE Injection

Posted: April 22, 2019

XXE Injection (XML External Entity injection) is a class of attacks that exploits a structural feature of XML: a document's type definition (DTD) can declare entities whose content is loaded from an external resource, such as a local file or a URL, and a parser that honours those declarations will fetch that resource on the attacker's behalf. Versions of this attack may deliver the crafted XML inside other Web content, such as a download link for a MIME HTML (MHT) Web archive, as a way of harvesting system information and staging further attacks that can infect the system. Users can protect themselves by not opening suspicious Web content or files, by following safe Web-browsing practices, and by running anti-malware protection that blocks XXE Injection attempts.

The Link to a File Becomes a Link into Your PC

Although XXE Injection is a classification of software exploits whose existence goes hand-in-hand with XML, a new version of it may cause more problems than expected for Windows users. In general, XXE Injection misuses a combination of XML entity references and document type definitions (DTDs): the attacker's document declares an external entity that points at a local file or a remote resource, and a parser that resolves the entity reads that resource and splices its contents into the document, from where they can be sent back to the attacker. That makes it a preliminary attack, one that lets attackers read files from the victim's system or collect system data for later inspection. Unfortunately, a recent version of this technique is unpatched as of late April 2019, and it runs after a victim does little more than open a file with the default program for that file type.

This newest, zero-day strategy requires the victim to open an MHT (MIME HTML) Web archive that the threat actor has crafted for the purpose, together with a counterpart XML document that the archive references. The victim must open the archive in Internet Explorer, which, conveniently for the attacker, is the default program for reading MHT files on Windows. No immediate signs of the attack are necessarily visible.

A threat actor could use this form of XXE Injection for several purposes, such as reading important files or gathering 'recon' intelligence like the network configuration, either of which can be an opening step toward infecting the user's computer or another device on the same network. However, malware researchers currently regard the technique as a proof of concept and have seen no campaigns using it in the wild. This variant of XXE Injection does not work in other browsers, such as Chrome or Safari, but that limitation does not apply to every exploit in this classification.

Exploring the Internet with a Little Less Fear

Zero-day attacks are not limited to XXE Injection: the term covers any software vulnerability for which no security patch, update or hotfix yet exists to mitigate or prevent it. Until Microsoft issues a fix for Internet Explorer, users can browse with a different Web browser and should avoid opening MHT files that do not come from definitively safe sources. Note that changing the default browser does not by itself change which program opens MHT files; as long as Internet Explorer remains the registered handler for the .mht extension, double-clicking such a file still launches it there, so the file association itself must be changed or the files left unopened. Threat actors may disguise these files with fake extensions or icons that make them look like DOC documents, JPG pictures or other harmless content.

Social engineering strategies for browser-based attacks can draw on a range of lures. A threat actor may send an SMS message with a link to your phone, send spam from a hijacked Facebook account, or insert the corrupted content into a website that they own or have broken into through brute force or other means. Anti-malware programs that include browser protection should detect an XXE Injection attempt and block it.

Keeping XML libraries and processors patched helps cut down the XXE Injection techniques that criminals have available, but patches alone are not the main defence: the parser must be configured not to resolve external entities (and, where possible, not to process DTDs at all), since resolving them is exactly the behaviour this class of attack abuses. When even that is out of the user's hands, as with an unpatched browser component, it is all the more critical to follow common-sense guidelines for safe behaviour online, as well as offline.
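To make both the mechanism described under "The Link to a File Becomes a Link into Your PC" and the parser-configuration point above concrete, here is an added example in Python using the standard library's xml.sax parser. It is not code from the original page and has nothing to do with the Internet Explorer MHT issue itself; it only shows what an XXE payload looks like and how one parser setting decides whether a local file leaks. The secret file, its contents and the entity name `xxe` are constructed for the demonstration.

```python
import io
import os
import tempfile
import xml.sax
import xml.sax.handler

# Constructed sample input: a throw-away file standing in for the local
# secret an XXE payload would try to read (a config file, a password file).
SECRET_TEXT = "constructed-secret-token-12345"


def write_sample_secret() -> str:
    """Create the file the payload will reference; returns its path."""
    fd, path = tempfile.mkstemp(prefix="xxe_demo_", suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(SECRET_TEXT)
    return path


def build_payload(target_path: str) -> bytes:
    """An XML document whose DTD declares an external entity pointing at a
    local file. Wherever &xxe; is referenced, a parser that resolves
    external entities splices the file's contents into the document."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE data [\n'
        f'  <!ENTITY xxe SYSTEM "{target_path}">\n'
        ']>\n'
        '<data><leak>&xxe;</leak></data>\n'
    ).encode()


class TextCollector(xml.sax.handler.ContentHandler):
    """Collects the character data that reaches the application; in a real
    attack this is what gets sent back to the attacker's server."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def parse_document(payload: bytes, resolve_external: bool) -> str:
    """Parse with xml.sax. resolve_external toggles loading of external
    general entities: True reproduces the classic XXE behaviour, False is
    the hardened setting (and the default in current Python releases)."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(payload))
    return "".join(collector.chunks).strip()


def demo():
    """Run the same payload through a vulnerable and a hardened parser."""
    path = write_sample_secret()
    try:
        payload = build_payload(path)
        leaked = parse_document(payload, resolve_external=True)
        safe = parse_document(payload, resolve_external=False)
    finally:
        os.unlink(path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("external entities ON :", repr(leaked))   # the file's contents
    print("external entities OFF:", repr(safe))     # nothing spliced in
```

The only difference between the two runs is the `feature_external_ges` flag, which is the point of the "configure, don't just patch" advice: the payload is identical, the parser is fully up to date, and whether the secret leaves the file depends entirely on whether external entity resolution is switched on.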
