The Same Origin Policy (SOP) has been an implicit operational condition for browsers since 1995. It stops scripts contained in one web page from accessing data in a second web page unless the two sites have the same origin. An origin is defined as a combination of URI scheme (domain or subdomain), host name and port number.
Now, however, Netsparker security researcher Ziyahan Albeniz has found that older versions of Microsoft's Edge browser could be fooled into allowing this type of access from one web page to another.
Albeniz discovered that in the case of an HTML file sent via email and then run by Edge, the end result that SOP was supposed to forbid would happen. A local file could be read and exfiltrated from a target machine.
Of course, there is some social engineering involved in all of this. The user needs to download the HTML file in that poisoned email to start things off. HTML is not a usual file format transferred in this way, so the email will call attention to itself when it is encountered.
What actually happens if the email is opened is fairly simple. The HTML file is loaded by the file:// protocol when read from the email. Since it becomes a local file, there is no domain or port value associated with it.
The local file on the target machine will also not have a domain or port. So, in this case the ports on the two items match since both will have no port.
The hostname will also match. There is none in the file:// protocol. Finally, the protocol scheme between the two match. It’s file://.
So, SOP will present no objections to this intermingling.
The researcher felt that the Mail and Calendar app would sound the alarm if it was forced into executing a malicious HTML file. That didn't happen.
As Albeniz put it:
When I sent the email as an attachment and waited until a user opened it, it would immediately send local files of my choosing [from the target machine —ed.] to my server, where I could store and read them. There is probably no antivirus program that would recognize my file as malicious, and, I could extract the files over a secure HTTPS connection. This is what makes this attack so stealthy!
This approach requires the attacker to know where the file desired is located, but there are routine locations used in many OS configurations.
So, while the approach may not serve well as a vehicle for the wide distribution of malware, a more specific approach designed for a high value target -- especially if it is used after some directory transversal recon malware has been first run on the target machine -- seems possible.
Albeniz writes that this vulnerability has already been fixed by Microsoft in both Edge and Mail and Calendars.
So, mitigation is straightforward. Use the latest versions of the programs, and don't open unknown HTML files in email. But be aware that this sort of attack is possible -- and deadly.
— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.