![]() ![]() This is what makes this attack so stealthy! The Windows Mail and Calendar version where I tried my exploit was version 17.8600.40445.0 (This bug was reported too).īut there are other ways to deliver the file, depending on the target's installed programs. There is probably no antivirus program that would recognize my file as malicious, and, I could extract the files over a secure HTTPS connection. When I sent the email as an attachment and waited until a user opened it, it would immediately send local files of my choosing to my server, where I could store and read them. I expected that the app, like the Edge browser, would block the attachment. I drafted an email from another computer, added the file as an attachment and then opened the attachment in the Mail and Calendar app. After all, we request many HTML files in our browsers every day. But HTML files? There is no obvious immediate danger. If you can't deliver your HTML file through the browser, why not simply mail it to your victim? In the last few years we've become all too cognisant of the fact that it can be A Very Bad Thing to open unknown attachments such as. Is This a Realistic Threat? Or Is It a Theoretical Scenario?ĭo you think an attacker could somehow convince a potential victim to download a HTML file and execute it?ĭue to the existence of another attack vector, it turns out that this is not merely a theoretical scenario. At least, this was the case when I tested the attack. In addition, Windows might block the file you just downloaded, since it came from another computer. You might conclude that this is not a very convincing attack vector – perhaps because you've never download random HTML files. In other words, if the browser developers wouldn't take the special format of file:// urls into consideration, it would be possible for me to read the content of any local file if you simply opened a malicious HTML file saved on your machine!
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |