You May Not Be Using Internet Explorer But It Can Still Expose You to Security Threats
Microsoft's Internet Explorer isn't known for its security features, but things get worse when it can expose Windows users who aren't even using the browser to threats. Through a proof of concept video and code, security researcher John Page has warned that IE has a critical security vulnerability that allows malicious hackers to get access to your files and steal your data using specially crafted MHT files.
While the browser may be archaic, it's still present on billions of devices. According to Page, the problem is with the browser's handling of MHT files and since Windows opens these files using IE by default, even users who don't run the browser explicitly will be at risk of exposure. All a user has to do is to open an attachment sent through an email to expose themselves to this vulnerability.
The issue comes from an unpatched XXE (XML eXternal Entity) vulnerability, which "can allow remote attackers to potentially exfiltrate local files and conduct remote reconnaissance on locally installed Program version information," Page explains. While IE should be alerting users for this, a malicious MHT file can be used to disable this warning.
Upon opening the malicious ".MHT" file locally it should launch Internet Explorer. Afterwards, user interactions like duplicate tab "Ctrl+K" and other interactions like right click "Print Preview" or "Print" commands on the web-page may also trigger the XXE vulnerability.
Typically, when instantiating ActiveX Objects like "Microsoft.XMLHTTP" users will get a security warning bar in IE and be prompted to activate blocked content. However, when opening a specially crafted .MHT file using malicious <xml> markup tags the user will get no such active content or security bar warnings.
In response to the disclosure, Microsoft reportedly told the researcher that the exploit doesn't deserve an urgent security fix. "We determined that a fix for this issue will be considered in a future version of this product or service," Microsoft told Page. "At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case."
This puts users at further risk since now the proof of concept is out in the open with no fixes in sight. While the company has promised to consider a fix in a future release, users are advised to be cautious about email attachments and perhaps use another app to open MHT files.
Microsoft has already started alerting the Windows users to be aware of the "perils of using Internet Explorer as your default browser." However, it is probably time to delete it altogether to avoid these kind of security issues that will only become more frequent with time.
Note: the bug affects Windows 7, Windows 10 and Windows Server 2012 R2.