Published on June 8, 2026

Internet Explorer WebBrowser Control Attack Chain Turns Clicks Into RCE


Severity

High

Detail

Researchers from Positive Technologies (PT Security) have identified an attack chain that abuses the legacy Internet Explorer (IE) WebBrowser control to achieve remote code execution (RCE) on Windows systems. Although Internet Explorer has been officially retired, its mshtml rendering engine and WebBrowser control remain embedded in numerous legacy desktop applications, particularly older Visual Basic (VB), .NET, and C/C++ applications that rely on localhost-based web interfaces.

The attack chain exploits weaknesses in Internet Explorer’s security model, including its handling of security zones, local files, Mark of the Web (MOTW), and ActiveX/COM components. Applications that expose web interfaces on localhost and fail to properly sanitize user-controlled HTML or JavaScript content may be vulnerable to cross-site scripting (XSS), providing attackers with an initial foothold.

How?

The attack progresses through several stages that elevate a standard web vulnerability into local system command execution. Cross-site scripting (XSS) on http://localhost serves as the initial entry point, as many legacy desktop applications lack adequate HTML and JavaScript sanitization on their local interfaces. Following successful script execution, attackers exploit a timing flaw in Internet Explorer’s handling of window operations and dialog boxes. This flaw allows local HTML files to be opened directly from disk without triggering standard security prompts, effectively transitioning remote script execution into a trusted local context.

A handoff between Internet Explorer and Microsoft Edge is then used to bypass standard Open File – Security Warning protections. The localhost XSS payload opens a Microsoft Edge window that navigates to an attacker-controlled URL. Under specific conditions, Edge downloads an HTML file into the user’s Downloads directory without applying a Mark of the Web (MOTW) tag. The legacy IE WebBrowser control is subsequently redirected to the downloaded file, which is treated as a trusted local HTML document with active scripting enabled. Operating within the Local Machine zone, the malicious script can instantiate high-risk COM objects through ActiveX, including WScript.Shell.

An ActiveX security prompt is displayed when these objects are invoked. Social engineering techniques may be used to persuade the user to approve the prompt. Once approved, the malicious page can execute arbitrary system commands, such as launching calc.exe or deploying malware. The complete attack chain results in a two-click RCE scenario. The first user interaction initiates the Edge download process, while the second approves the ActiveX security prompt within the affected application.

Affected Systems

The following systems and application environments may be vulnerable to this attack chain if they rely on the legacy Internet Explorer WebBrowser control and expose insecure localhost-based web interfaces:

  • Applications built using Visual Basic (VB), .NET (Windows Forms / WPF), and C/C++ that embed the legacy Microsoft IE WebBrowser control (mshtml.dll).
  • Applications hosting internal or administrative web services bound to http://localhost.

Recommendation

Organizations should assess their exposure to legacy Internet Explorer components and implement the following security measures to reduce the risk of exploitation:

  • Implement strict HTML/JavaScript input sanitization and context-aware output encoding on all local http://localhost web UIs to eliminate XSS entry points entirely.
  • Enforce strict Group Policies (GPOs) to restrict or completely disable the instantiation of ActiveX controls and high-risk COM objects, such as WScript.Shell, within legacy application environments.
  • Implement robust endpoint protection rules and Windows Defender SmartScreen policies to tightly enforce MOTW-based execution and monitor anomalous file creation in user download directories.
  • Completely disable or restrict the legacy Internet Explorer standalone and embedded components via Windows Optional Features configurations where operationally feasible.
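
The download-directory monitoring recommended above can start with a check for the condition the chain depends on: an HTML file in Downloads that carries no Mark of the Web. The script below is an added example, not part of the PT Security research or this advisory. The default Downloads path, the seven-day look-back window and the extension list are assumptions to adjust per environment.

```powershell
# Added example: report recently created HTML files in a Downloads folder
# that have no Mark of the Web, or whose MOTW names a trusted zone.
param(
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads'),  # assumed default location
    [int]$Days = 7                                              # assumed look-back window
)

$extensions = '.html', '.htm'          # assumed list; extend as needed
$since = (Get-Date).AddDays(-$Days)

$findings = Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $extensions -contains $_.Extension.ToLower() -and $_.CreationTime -ge $since } |
    ForEach-Object {
        $file = $_
        $zone = $null

        # MOTW is stored in the NTFS alternate data stream "Zone.Identifier",
        # which contains a [ZoneTransfer] section with a ZoneId=N line.
        $ads = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        if ($ads) {
            $m = $ads | Select-String -Pattern '^ZoneId=(\d+)' | Select-Object -First 1
            if ($m) { $zone = [int]$m.Matches[0].Groups[1].Value }
        }

        # ZoneId: 0 Local Machine, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted.
        # A browser download should be 3 or higher; a missing stream or a lower
        # value means the file would open without the Internet-zone restrictions.
        if ($null -eq $zone -or $zone -lt 3) {
            [pscustomobject]@{
                File    = $file.FullName
                Created = $file.CreationTime
                ZoneId  = if ($null -eq $zone) { 'none (no MOTW)' } else { $zone }
            }
        }
    }

if ($findings) {
    $findings | Sort-Object Created -Descending | Format-Table -AutoSize
} else {
    Write-Output "No untagged HTML files created in the last $Days day(s) under $Path"
}
```

Files saved locally by the user (for example, exported reports) also lack a Zone.Identifier stream, so treat hits as leads to correlate with browser download history rather than as confirmed malicious files.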

Source

https://cybersecuritynews.com/internet-explorer-webbrowser-attack/