Internet Explorer hit by exploit that lets hackers steal users’ data – even for those who don’t use the browser
- Flaw let hackers gain control of a victim’s computer by opening a malicious file
- It relies on ‘.MHT’ files, a file type that only runs on Microsoft’s Internet Explorer
- Microsoft is aware of the security issue but hasn’t issued an urgent security fix
A security researcher has discovered a critical exploit in Microsoft’s Internet Explorer browser that could let hackers steal files from your system.
What’s worse, even if you no longer use the archaic web browser, you could still fall prey to the attack.
Security researcher John Page published proof-of-concept code detailing how the flaw could be carried out.
A critical exploit in Microsoft’s Internet Explorer could let hackers steal files from your system. Even if you no longer use the archaic web browser, you could still fall prey to the attack
‘Internet Explorer is vulnerable to XML External Entity attack if a user opens a specially crafted .MHT file locally,’ Page explained.
‘This can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information.’
Just 7 percent of Windows users continue to use Internet Explorer, however, over 1 billion computers run Windows 7 or Windows 10 and have the browser installed on their machine, Forbes noted.
This means that while only a fraction of users are still on Internet Explorer, the threat is actually much larger, given the way the security flaw operates.
The flaw relies on ‘.MHT’ files, which is a file type used for web pages that are saved on Internet Explorer.
For example, when a user saves a webpage, either manually or by typing CRTL and the ‘S’ key, it saves in .MHT format.
Just 7 percent of Windows users continue to use Internet Explorer, however, over 1 billion computers run Windows 7 or Windows 10 and have the browser installed on their machine
All users need to do is open the malicious .MHT file on their device and it should launch Internet Explorer.
Modern browsers save webpages in .HTML format, so opening a .MHT file triggers Internet Explorer automatically.
‘Afterwards, user interactions like duplicate tab “Ctrl+K” and other interactions like right click “Print Preview” or “Print” commands on the web-page may also trigger the XXE vulnerability,’ Page continued.
Additionally, the exploit works around Internet Explorer’s typical security alert system.
The flaw was successfully tested on the latest Internet Explorer Browser version, as well as on systems running Windows 7, Windows 10 and Windows Server 2012 R2.
Microsoft was notified of the flaw last month, but chose not to issue an urgent patch for it, adding that it will release a fix in a future version ‘of this product or service,’ Page said, according to ZDnet.
WHAT OTHER SECURITY ISSUES HAVE HIT INTERNET EXPLORER?
Last December, Microsoft was urging Internet Explorer users to update to the latest version of Internet Explorer after it discovered a serious flaw.
The move came after a Google security engineer uncovered a memory-corruption vulnerability in the browser that was actively being exploited by hackers.
It allowed them to easily takeover your PC by executing some malicious code.
An emergency security patch was immediately issued by Microsoft to fix the vulnerability.
Microsoft didn’t say how many users have been affected by the vulnerability, known as CVE-2018-865.
‘A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer,’ the firm explained.
‘The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
‘An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,’ Microsoft added.
Microsoft said if the user is logged on with administrative rights, an attacker could use the vulnerability to effectively take control of the user’s entire PC.
If users have Windows Update installed and turned on, their computer should automatically update to the latest version of Internet Explorer.
The firm said Windows users should install the latest update even if they don’t use Internet Explorer regularly.