VYPR
Research · Published Jun 8, 2026 · 1 source

Internet Explorer WebBrowser Control Attack Chain Enables RCE

Researchers have detailed a sophisticated attack chain that leverages the legacy Internet Explorer WebBrowser control to achieve remote code execution (RCE) on Windows systems, even after IE's retirement.

Despite the official retirement of Internet Explorer, its embedded WebBrowser control remains a significant security risk, as researchers from PT Security have demonstrated an attack chain capable of turning a user's click into remote code execution (RCE). This exploit targets older applications that embed the IE WebBrowser control, particularly those with local web interfaces running on http://localhost. These applications often lack robust HTML and JavaScript sanitization, making cross-site scripting (XSS) a viable entry point for attackers.

The attack chain abuses Internet Explorer's zone model, specifically its handling of the localhost and local file zones. Once an attacker achieves script execution within the localhost context, they can exploit IE's lenient treatment of these zones to open local HTML files from disk. This effectively elevates remote JavaScript to the privilege level of local scripts, bypassing certain security restrictions.

While Microsoft has since patched the direct method of opening local files from a localhost script, the researchers found a way to chain this with other vulnerabilities. The exploit involves using crafted JavaScript to open a Microsoft Edge window to an attacker-controlled URL. Under specific conditions, Edge can be tricked into downloading an HTML payload to the user's Downloads directory without applying a Mark of the Web (MOTW) tag. This is a critical step in bypassing Windows' standard "Open File – Security Warning" prompts.

Following the download, the IE WebBrowser control is redirected to this newly downloaded local file. Because the file lacks MOTW restrictions, it is treated as a trusted local document, allowing its embedded scripts to execute with elevated privileges. The attack then proceeds to instantiate high-risk COM objects, such as WScript.Shell, via ActiveX.

These COM objects are historically known to enable arbitrary command execution when exposed to untrusted input. While IE typically displays an ActiveX security warning for such actions, the attack chain is designed to present this prompt in a way that encourages the user to click "Yes." This second click, following the initial one to trigger the Edge download, completes the "two-click RCE" chain, allowing attackers to launch commands like calc.exe or deploy malware.

Further research indicates that attackers can reduce reliance on explicit prompts by exploiting IE's folder views and ZIP browsing capabilities within the WebBrowser control. By using clickjacking techniques with tiny, cursor-following iframes that host these views, attackers can ensure that any user click effectively double-clicks a malicious file within the embedded Explorer view, enabling payload execution with weaker MOTW enforcement.

Security professionals are advised to treat any use of the IE WebBrowser control as a legacy risk. Mitigation strategies include replacing it with modern, sandboxed web rendering controls, eliminating XSS vulnerabilities on localhost web UIs, restricting ActiveX and COM object usage via policy, and strengthening MOTW-based execution rules to close this significant attack surface.
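
As an added example (not from the PT Security research or the original article), the PowerShell below audits a folder for script-capable files that carry no Mark of the Web or a zone below Internet, which is the condition the chain relies on for the downloaded HTML payload. The function names, the default Downloads path and the extension list are assumptions chosen for illustration.

```powershell
# Added example: report script-capable files that lack Mark of the Web (MOTW).
# Assumptions: Windows, NTFS volume, PowerShell 5.1 or later.

function Get-MotwZone {
    param([Parameter(Mandatory)][string]$Path)
    # MOTW is stored in the NTFS alternate data stream "Zone.Identifier".
    $stream = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }   # no stream: the file has no MOTW
    $text = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    foreach ($line in $text) {
        if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') { return [int]$Matches[1] }
    }
    return $null                         # stream present but no ZoneId line
}

function Find-FilesWithoutMotw {
    param(
        # Default Downloads location; users can relocate this folder (assumption).
        [string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'),
        # Illustrative list of file types that can carry script.
        [string[]]$Extensions = @('.html', '.htm', '.hta', '.mht', '.js', '.vbs', '.wsf')
    )
    Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $zone = Get-MotwZone -Path $_.FullName
            # ZoneId 3 = Internet, 4 = Restricted. A missing stream or a lower
            # value means Internet-zone restrictions are not applied to the file.
            if ($null -eq $zone -or $zone -lt 3) {
                [pscustomobject]@{
                    Path         = $_.FullName
                    ZoneId       = if ($null -eq $zone) { 'none' } else { $zone }
                    LastWriteUtc = $_.LastWriteTimeUtc
                }
            }
        }
}

Find-FilesWithoutMotw | Sort-Object LastWriteUtc -Descending | Format-Table -AutoSize
```

Files created or saved locally also lack the stream, so results need triage against when and how each file arrived.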

Synthesized by Vypr AI