RCE via Clickjacking in Internet Explorer
⚔️ Attack Techniques & Methods
Published: 2026-06-09, 10:09
A researcher from the PT SWARM team describes a chain of vulnerabilities in Internet Explorer and its WebBrowser component that enables remote code execution via clickjacking. The core issue is that Internet Explorer allows interaction with local files (file://) from the http://localhost context, combined with the behavior of ActiveX components (e.g., Shell.Explorer.2).

The exploitation combines XSS and clickjacking: an attacker places an invisible iframe (e.g., pointing to an SMB share or archive) that follows the user's cursor. As a result, user clicks are effectively redirected to a hidden element, triggering execution of a file (for example, from a ZIP archive). Despite the presence of security prompts, the chain can be escalated to RCE with just a few clicks, and in some scenarios without additional restrictions when interacting with local resources.
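A defender-side check for the markup pattern described above, added here as an example and not taken from the PT SWARM write-up: it flags frame-like elements whose target is a file:// URL or UNC path, frames styled to be near-transparent, and any reference to the Shell.Explorer.2 ProgID. The function names, opacity thresholds and sample hostnames are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser

LOCAL_SRC = re.compile(r"^\s*(file:|\\\\)", re.I)   # file:// URL or \\host\share UNC path
OPACITY = re.compile(r"opacity\s*([:=])\s*(\d*\.?\d+)", re.I)
PROGID = re.compile(r"Shell\.Explorer\.2", re.I)     # ActiveX ProgID named in the summary

def is_transparent(style):
    """True if inline CSS makes the element (almost) invisible yet still clickable."""
    for sep, num in OPACITY.findall(style or ""):
        # 'opacity: N' is on a 0..1 scale; legacy IE 'alpha(opacity=N)' is 0..100.
        if float(num) <= (0.1 if sep == ":" else 10):
            return True
    return False

class FrameAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame", "object", "embed"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src") or a.get("data", "")
        local, hidden = bool(LOCAL_SRC.match(src)), is_transparent(a.get("style", ""))
        if local or hidden:
            self.findings.append({"tag": tag, "src": src,
                                  "local_target": local, "transparent": hidden})

def audit(html):
    parser = FrameAudit()
    parser.feed(html)
    parser.close()
    return {"frames": parser.findings, "activex_progid": bool(PROGID.search(html))}

# Constructed sample page (hostnames are placeholders, not from the write-up).
SAMPLE = r'''<html><body>
<iframe src="https://example.com/widget"></iframe>
<iframe src="file://fileserver.example/share/" style="position:absolute;opacity:0.01"></iframe>
<iframe src="\\fileserver.example\share" style="filter:alpha(opacity=0)"></iframe>
</body></html>'''

if __name__ == "__main__":
    for finding in audit(SAMPLE)["frames"]:
        print(finding)
```

This inspects static markup only; frames that are created or restyled by script at runtime are not seen, so treat a clean result as inconclusive.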