Nearly four years after it was replaced by Edge as Microsoft’s preferred Windows browser, researchers keep finding unpleasant security flaws in Internet Explorer (IE).
The latest is a proof of concept (POC) published by researcher John Page (aka hyp3rlinx) that exploits a weakness in the way the browser handles MHTML (MHT) files, IE’s default web page archiving format.
If Windows 7, Windows 10 or Windows Server 2012 R2 encounters one of these, it attempts to open them using IE which means that an attacker simply has to persuade the user to do that. Success would…
Allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information.
IE should throw up a security warning, but this could be bypassed Page said:
Opening a specially crafted .MHT file using malicious <xml> markup tags the user will get no such active content or security bar warnings.
No escape
Does this matter to users who’ve moved on to Windows 10 or simply stopped using IE years ago?
Unfortunately, it does because IE 11 ships with every consumer Windows PC – including Windows 10 – for compatibility reasons (only Enterprise and Education licensees can optionally exclude it).
However, on Windows 10, IE still needs to go through a short setup process when it runs for the first time, something that might draw attention to attacks targeting the flaw discovered by Page.
Our first advice, then, is that if you have no intention of using IE in Windows 10, don’t enable it. Better still, if you’re sure you don’t need it, de-install it completely via the Control Panel after manually turning it off and hitting restart.
When Page reported the issue to Microsoft on 27 March, Microsoft responded with this reply:
We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case.
Interpreting this as dismissive, on 10 April Page released his proof of concept (POC) and video demonstrating that his exploit works as claimed.
This has prompted some to call it a “zero-day vulnerability” because it is a known weakness for which there is no patch (as opposed to a zero-day attack – a known attack targeting a previously unknown vulnerability for which there is no patch).
Doubtless, Microsoft will fix the flaw in a future update, hopefully in May’s Patch Tuesday on 14 May.
Until that happens, our second piece of advice for anyone still using a computer with IE on it is to be extremely sceptical about MHT attachments.
Jamie Tyler
What about sites that demand java runs to work? IE is the last browser to support it
Paul Ducklin
There are very, very few Java sites left – most browsers dumped it years ago.
jamie tyler
Unfortunately, the European central banks still use it.
Paul Ducklin
That’s still “very, very few websites” given that there are only as many European central banks as there are European countries :-)
Ken P
DON’T REMOVE OR UNINSTALL IE11. Based on my experience, once this is done, ALL Office related internal hyperlinks will no longer work. Excel. Word, etc., Don’t work. The following message is displayed; This operation has been cancelled due to restrictions in place on this machine. Contact system administrator. So far I have found no way to fix this. One suggestion is to reinstall IE11. We will see??????
banksepah
True, but if you work in a bank and need to access the central banks’ site, ie all banks this is still an absolutly 100% necessary option to continue operations. Similarly, we have banking software that uses java and jboss to work and so will only display on ie correctly (although one will work in IE Tab, the other two wont). So, although I love IE Tab, it it cant be used for these systems as they need specific java configuration on the PC to run and IT Tab doesn’t pick it up.
Malcolm D
… very, very *few* Java … ??
Paul Ducklin
Typo – now fixed, thanks! [For those reading after this comment went live, I originally wrote “very, very Java” -rather the opposite of what I meant!]
Magyver
Lol, a very rare mistake by the “Duck”, verifying he is indeed human …*grins* – have a blessed Easter holiday Paul.
sam
I only use ie for downloading chrome so i think i am fine there :)
Corey Reynolds (@cvr24)
Remove the mht file association should stop this dead, no?
MikeP_UK
It’s a pity that \windows versions earlier than W10 do not allow you to remove IE at all. You have to have it for the OS to oprate correctly. So even if you don’t use it yourself, perhaps using Chrome or Firefox etc, you are still stuck with IE and all its faults. Many people are still using W7 or W8.1 and they have to have IE operational.
Ben
I’m sorry to contradict you Mike, but it is very easy to uninstall Internet Explorer 11 inside Windows 7 and Windows 8.1 :
The procedure is the same for both.
“control panel”
“Program uninstalling”
“Activate or deactivate Windows functionalities”
Scroll down the list,
Unmark “Internet Explorer 11”
Don’t bother the (“threatening”) message box,
Say yes, and you’re in.
Do not forget to download Firefox BEFORE uninstalling IE :-)
BL
Spryte
There are also those of us you occasionally Save Page As… *.mht. My browser supports them but others?
And there may be others like me who build HTA pages to manage their systems through VBScript. Have not tested this in Edge but now that it has gone chromium I have my doubts these will be supported.
PJ Wells
I’m in the situation that I must have Java Script to work with some of my programs, and can’t do it using their instructions. Can yo help?
I have a Dell Inspiron and a Apple iPad.
Thanking you
PJ
Paul Ducklin
JavaScript is enabled by default in every mainstream graphical browser I have used in the last many years, including Internet Explorer, Edge, Safari (Mac and iPhone variants), Tor Browser, Firefox, Chromium, Chrome (laptop and Android variants) and various others.
Are you mixing up JavaScript and Java, perhaps?
https://nakedsecurity.sophos.com/sophos-techknow-all-about-java/
Robin Davey
I disabled IE11 in W10 and quickly realized I could no longer open weblinks from Outlook email.
John E Dunn
This is why disabling it before de-installing it is a good place to start. This is a good example of why Microsoft left it in Windows 10 despite the downsides. Thanks for the feedback.
Magyver
John, I’m not sure I’m reading you right here – are you saying disabling IE is sufficient to eliminate the threat? Hopefully so, but but sadly you guys may have to show us how to do that as well, for I’m at a loss on how to accomplish it..
urawizardharry
All, You can easily use IEtab in chrome for viewing any page that requires IE. I have been using it for years, and have yet to come across a page that required IE that it couldn’t load.
Gnoah
Just chage the default application for opening both file types.. then they will not be oped in ie…
Corbett
Until Microsoft fixes this issue within IE 11, I would suggest using the Brave browser. I’m been using this browser for two weeks now and it’s extremely fast. I believe it’s built on the Chrome engine.