VYPR
Unrated severity · NVD Advisory · Published Dec 9, 2015 · Updated May 6, 2026

CVE-2015-6127

Description

Windows Media Center in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8, and Windows 8.1 allows remote attackers to read arbitrary files via a crafted .mcl file, aka "Windows Media Center Information Disclosure Vulnerability."

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Windows Media Center .mcl files can be used to read arbitrary files via a crafted URL parameter, leading to information disclosure.

Vulnerability

Windows Media Center link files (.mcl) can include a 'url' parameter that specifies a URL to be loaded by the embedded web browser. A specially crafted .mcl file with a 'url' parameter pointing to the file itself causes Windows Media Center to render the .mcl as a local HTML file within the embedded Internet Explorer instance. This bypasses the FEATURE_LOCALMACHINE_LOCKDOWN security feature, allowing scripts in the local zone to read arbitrary files. Affected versions include Windows Vista SP2, Windows 7 SP1, Windows 8, and Windows 8.1; the advisory specifically tested Windows 7 x64 SP1 with Internet Explorer 11 installed [1].

Exploitation

An attacker must deliver a malicious .mcl file to the user, typically via email, a web download, or other means. When the user opens the file in Windows Media Center, the ehexthost.exe process loads the 'url' parameter (pointing to the .mcl file itself) into an embedded Internet Explorer instance running in the local machine zone. Because the local machine lockdown is not enabled, the attacker can use script code within the crafted .mcl file to read and exfiltrate local files [1].

Impact

Successful exploitation allows an attacker to read arbitrary files on the target system, leading to information disclosure. The attacker gains the same user rights as the current user [2]. This vulnerability does not by itself enable remote code execution (a separate vulnerability, CVE-2015-6131, addresses RCE) [2].

Mitigation

Microsoft released security bulletin MS15-134 on December 8, 2015, which includes a patch that corrects how Windows Media Center handles resources in .mcl files [2]. Affected users should apply the update (KB3108669) as soon as possible. No workarounds are documented [2]. The vulnerability is not listed in the Known Exploited Vulnerabilities (KEV) catalog.
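For hosts that cannot be patched immediately, .mcl files arriving by mail or download can be triaged for the self-referencing 'url' pattern described above. The following is an added example, not code from the advisory or from Microsoft. It assumes the 'url' parameter is written as an attribute (`url="..."`); the function name, finding codes and sample files are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: the 'url' parameter is written as an attribute, url="..." or url='...'.
URL_ATTR = re.compile(r"""\burl\s*=\s*(["'])(.*?)\1""", re.I | re.S)
SCHEME = re.compile(r"([a-z][a-z0-9+.\-]+):", re.I)  # 2+ chars, so "C:" is a drive
SCRIPT_TAG = re.compile(r"<\s*script\b", re.I)


def _basename(path):
    """Last path component, lower-cased, without query string or fragment."""
    path = re.split(r"[?#]", path, maxsplit=1)[0]
    return re.split(r"[\\/]", path)[-1].lower()


def triage_mcl(filename, text):
    """Return finding codes for one .mcl file; an empty list means nothing flagged."""
    findings = []
    own_name = _basename(filename)
    for match in URL_ATTR.finditer(text):
        target = unquote(match.group(2).strip())
        scheme = SCHEME.match(target)
        scheme = scheme.group(1).lower() if scheme else ""
        if scheme not in ("", "file"):
            continue  # remote URL: not the self-load pattern described above
        if _basename(target) == own_name:
            findings.append("self-referencing-url")  # the .mcl loads itself
        else:
            findings.append("local-url")  # other local content in the browser
    if SCRIPT_TAG.search(text):
        findings.append("embedded-script")  # link files should not carry script
    return findings


# Constructed samples (no payload), keyed by the path the file was found at.
SAMPLES = {
    r"C:\Users\a\Downloads\invite.mcl": '<application url="invite.mcl" />',
    "menu.mcl": '<application URL="http://example.com/app/" name="Example" />',
    "news.mcl": '<application url="file:///C:/Temp/page.htm" />\n<script></script>',
}

if __name__ == "__main__":
    for path, body in SAMPLES.items():
        print(path, triage_mcl(path, body) or "clean")
```

A `self-referencing-url` finding combined with `embedded-script` matches the pattern in the Vulnerability section most closely; `local-url` alone is a weaker signal that still warrants a look.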

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
