Internet Explorer flaw leaves Windows users vulnerable to hackers -- even those who don't use the browser
A zero-day exploit found in Internet Explorer means hackers could steal files from Windows users. What's particularly interesting about this security flaw is that you don't even need to be an Internet Explorer user to be vulnerable.
A security researcher has revealed details of an unpatched exploit in the way IE handles MHT files, and the problem affects Windows 7, Windows 10 and Windows Server 2012 R2. It leaves users vulnerable not only to having their files stolen by hackers, but also means they could be spied upon.
See also:
- Microsoft email hack was worse than first thought -- some users' messages were accessed
- Microsoft reveals hackers gained access to its web email services for three months
- How to secure Windows 10 -- Microsoft reveals SECCON framework to protect systems
- April's Patch Tuesday updates are causing Windows to freeze or slow down
Details of the vulnerability were exposed by security researcher John Page after Microsoft refused to issue a patch. As ZDNet explains, MHT files (the MHTML Web Archive format downloaded web pages are saved in) are opened in Internet Explorer by default. Such a file could be easily sent to someone via email or instant message, exposing their system to a hacker.
The risk exists because Internet Explorer suffers with an unpatched XXE (XML eXternal Entity) vulnerability which, as Page explains:
... can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information. Example, a request for 'c:\Python27\NEWS.txt' can return version information for that program.
While Internet Explorer has a security system which should alert a user if anything suspicious happens, a malicious MHT file can be designed to disable this warning. The vulnerability relates specifically to the way Page says Internet Explorer deals with CTRL+K, Print Preview, and Print commands, and it can be easily exploited with a JavaScript function call.
You can see the vulnerability being exploited in the video below:
Page told Microsoft about the vulnerability nearly three weeks go on March 27, but the company does not regard it as being important enough to issue an immediate fix, saying:
We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case.
If you are concerned about this, you should change the default association of MHT files to something other than Internet Explorer.
Image credit: Rose Carson / Shutterstock