2 min read

It doesn't matter if you don't use Internet Explorer, you could still be at risk from this IE zero-day vulnerability

Graham CLULEY

April 17, 2019

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
It doesn't matter if you don't use Internet Explorer, you could still be at risk from this IE zero-day vulnerability

You might think that any security issues with Internet Explorer shouldn’t be much of a problem anymore.

After all, most computer users have moved on to more modern alternative browsers like Chrome, Brave, Firefox, Safari, or Microsoft Edge.

And even Microsoft itself has been warning companies of the “perils” of setting Internet Explorer as their default browser, as it is no longer being updated to support new web standards and might leave your users in the equivalent of the browser Ice Age.

There are even some who have argued that Microsoft should stop issuing security patches for Internet Explorer’s legacy code four years after Edge’s arrival, and that instead they should force customers to move on.

Well, if you needed another reason to ditch Internet Explorer, security researcher John Page (known as @hyp3rlinx on Twitter) may have just given it to you.

Page has published proof-of-concept code (we won’t link to it here for obvious reasons) that demonstrates how users who open a boobytrapped .MHT file locally can unwittingly share information with a remote attacker.

.MHT files (the extension stands for MHTML web archive) are the default format used when users ask Internet Explorer browsers to save a webpage.

If you try to open an .MHT file on a computer running Windows 7, Windows 10, or Windows Server 2012 R2 then it will attempt to load the file using Internet Explorer – regardless of the default browser in place. (Internet Explorer 11 ships with every consumer version of Windows, including Windows 10. If you have an education or enterprise license than it can be optionally excluded.)

And what Page has found is a way to exploit a zero-day XXE (XML eXternal Entity) vulnerability in how Internet Explorer processes MHT files.

According to Page, “this can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed program version information.”

The researcher cites an example of how if the MHT files requests a file at c:\Python27\NEWS.txt it could reveal details of the version of the software that had been installed – potentially useful information for someone attempting to attack a system.

All an attacker would need to do is convince their potential target via social engineering to open a malicious .MHT file.

Although Internet Explorer’s marketshare has dwindled to around 7% of desktop browser use the fact that it continues to be installed on so many systems means it poses a potential risk.

Page told Microsoft about the problem at the end of March, but their response suggests that they’re not promising a fix:

“We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case.”

So, what should you do? Well, at the very least you need to be wary of unsolicited .MHT attachments. But maybe, if you have no use for Internet Explorer any more, consider uninstalling Internet Explorer via Control Panel from your Windows PCs.

tags


Author



Right now

Top posts

August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August Spam Debrief: Bitdefender Labs Warns of Fraud Campaigns Exploiting the Russia-Ukraine War

August 31, 2022

4 min read
Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor

Snake Keylogger Returns in Malspam Campaign Disguised as Business Portfolio from IT Vendor

August 30, 2022

2 min read
What is medical identity theft and how to protect against it

What is medical identity theft and how to protect against it

July 27, 2022

2 min read
Curious about Omegle? Here’s how the roulette-style chat platform can threaten your online privacy and security

Curious about Omegle? Here’s how the roulette-style chat platform can threaten your online privacy and security

July 07, 2022

5 min read
Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside

Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside

June 28, 2022

2 min read
Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online

Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online

June 28, 2022

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Prison for ex-eBay staff who aggressively cyberstalked company's critics with Craigslist sex party ads and funeral wreaths Prison for ex-eBay staff who aggressively cyberstalked company's critics with Craigslist sex party ads and funeral wreaths
Graham CLULEY

September 30, 2022

2 min read
Honolulu Man Sabotaged Former Employer’s Network and Business Using Still-Active Credentials Honolulu Man Sabotaged Former Employer’s Network and Business Using Still-Active Credentials
Silviu STAHIE

September 30, 2022

1 min read
North Korean Gang Uses Compromised Open Source Software to Distribute Malware, Researchers Find North Korean Gang Uses Compromised Open Source Software to Distribute Malware, Researchers Find
Silviu STAHIE

September 30, 2022

1 min read