Nearly four years after it was replaced by Edge as Microsoft’s preferred Windows browser, researchers keep finding unpleasant security flaws in Internet Explorer (IE).
The latest is a proof of concept (POC) published by researcher John Page (aka hyp3rlinx) that exploits a weakness in the way the browser handles MHTML (MHT) files, IE’s default web page archiving format.
If Windows 7, Windows 10 or Windows Server 2012 R2 encounters one of these, it attempts to open them using IE which means that an attacker simply has to persuade the user to do that. Success would…
Allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information.
IE should throw up a security warning, but this could be bypassed Page said:
Opening a specially crafted .MHT file using malicious <xml> markup tags the user will get no such active content or security bar warnings.
No escape
Does this matter to users who’ve moved on to Windows 10 or simply stopped using IE years ago?
Unfortunately, it does because IE 11 ships with every consumer Windows PC – including Windows 10 – for compatibility reasons (only Enterprise and Education licensees can optionally exclude it).
However, on Windows 10, IE still needs to go through a short setup process when it runs for the first time, something that might draw attention to attacks targeting the flaw discovered by Page.
Our first advice, then, is that if you have no intention of using IE in Windows 10, don’t enable it. Better still, if you’re sure you don’t need it, de-install it completely via the Control Panel after manually turning it off and hitting restart.
When Page reported the issue to Microsoft on 27 March, Microsoft responded with this reply:
We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case.
Interpreting this as dismissive, on 10 April Page released his proof of concept (POC) and video demonstrating that his exploit works as claimed.
This has prompted some to call it a “zero-day vulnerability” because it is a known weakness for which there is no patch (as opposed to a zero-day attack – a known attack targeting a previously unknown vulnerability for which there is no patch).
Doubtless, Microsoft will fix the flaw in a future update, hopefully in May’s Patch Tuesday on 14 May.
Until that happens, our second piece of advice for anyone still using a computer with IE on it is to be extremely sceptical about MHT attachments.