Warning: Internet Explorer Just Became A Silent But Serious Threat To Every Windows User


Security researcher John Page warns that Microsoft's Internet Explorer has a critical security flaw that allows hackers to spy on you and steal personal data from your PC. That warning may seem irrelevant to you since Internet Explorer was officially discontinued in 2015. It's now an archaic web browser, only in use by about 7% of Windows users. But if you take into account the total market share of Windows 7 and Windows 10, the legacy web browser is installed on more than 1 billion computers. Why does this matter? Because the flaw that's been discovered can be exploited even if you never intentionally use Internet Explorer.

Yikes.

As Page explains (via ZDNet), the vulnerability taps into a file extension known as .MHT, which is a format used by Internet Explorer to handle archived web pages. If you were to launch Internet Explorer and save a web page, this is one of the file extensions that could be used.

And if someone were to send you a malicious .MHT file (perhaps disguised as a download link or an email attachment), Internet Explorer would be the default application to open it.

According to Page, once a user opens this malicious .MHT file, the specific flaw in the code relies on the user first issuing certain keystrokes, such as CTRL+K (to duplicate a tab) or various Print commands. At that point, an external attacker can "exfiltrate local files and conduct remote reconnaissance."

That already sounds scary, but then Page says that a simple javascript call within the file (such as invoking the Print Preview function) can do this automatically and without user interaction.

And if that isn't enough, Page drops this bomb:

"Typically, when instantiating ActiveX Objects [...] users will get a security warning bar in IE and be prompted to activate blocked content. However, when opening a specially crafted .MHT file using malicious <xml> markup tags the user will get no such active content or security bar warnings."

Page demonstrates this via a YouTube video which shows the attack succeeding even with Windows SmartScreen activated. He says the exploit applies to Windows 7, Windows 10 and Windows Server 2012.

Microsoft's Response

Mr. Page says the reason he publicly disclosed this exploit -- and the accompanying code to pull it off -- is that Microsoft acknowledged the threat but refused to treat it as an urgent matter. Page notified Microsoft on March 27, and Microsoft opened a case the next day. Here is the response Page received from Microsoft on April 10:

"We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case."

Some interesting context: 2 months ago Microsoft published a blog post titled "The perils of using Internet Explorer as your default browser." In it, Microsoft writes that it is "committed to keeping Internet Explorer a supported, reliable, and safe browser."

Right now Internet Explorer is included in Windows as nothing more than a compatibility solution, but with vulnerabilities like this popping up, you should seriously just disable or delete it. Between Windows Updates, supply chain attacks and malware spreading via popular file-sharing websites, you already have enough to worry about.

To disable Internet Explorer on Windows 10, follow Microsoft's suggested steps:

  • Press the Windows logo key+R to open the Run box.
  • Type appwiz.cpl, and then select OK.
  • In the Programs and Features item, select Turn Windows features on or off.
  • In the Windows Features dialog box, locate the entry for the installed version of Internet Explorer. For example, locate the Internet Explorer 11 entry. Then, clear the check box.
  • Select OK to commit the change.
  • Restart the computer.
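The same change can be made from an elevated PowerShell session, which is more practical when you have more than one machine to clean up. The script below is an added example, not code from the Forbes article, from John Page, or from Microsoft. It assumes 64-bit Windows 10 (the optional feature is named Internet-Explorer-Optional-amd64; 32-bit installs use the -x86 suffix) and that the .mht and .mhtml extensions still carry their default registry ProgID, which is what makes Internet Explorer the application that opens an archived web page on double-click. It audits both facts first, then disables the feature with the built-in Disable-WindowsOptionalFeature cmdlet, which is the command-line equivalent of clearing the check box in the Windows Features dialog.

```powershell
# Added example (not from the article, Page, or Microsoft): audit and disable
# the Internet Explorer 11 optional feature on Windows 10 from PowerShell.
# Run in an elevated (Administrator) session.
# Assumptions: 64-bit Windows 10 (feature name ends in -amd64; 32-bit is -x86),
# and that .mht/.mhtml are still mapped to the default 'mhtmlfile' ProgID.

$FeatureName = 'Internet-Explorer-Optional-amd64'

function Get-IEFeatureState {
    # Returns the servicing state of the IE 11 optional feature
    # (Enabled, Disabled, DisablePending, ...) or NotPresent if absent.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $FeatureName
    if ($null -eq $feature) { return 'NotPresent' }
    return $feature.State.ToString()
}

function Get-MhtHandler {
    # Reports which ProgID is registered for the archived web page extensions.
    # The default value 'mhtmlfile' means Internet Explorer opens such files.
    foreach ($ext in '.mht', '.mhtml') {
        # HKCR has no default PSDrive, so go through the Registry provider path.
        $key = "Registry::HKEY_CLASSES_ROOT\$ext"
        $progId = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ Extension = $ext; ProgId = $progId }
    }
}

function Disable-IEFeature {
    # Command-line equivalent of clearing the "Internet Explorer 11" check box.
    # -NoRestart defers the reboot so it can be scheduled; the change only
    # takes full effect after the machine restarts.
    if ((Get-IEFeatureState) -ne 'Enabled') {
        Write-Host "$FeatureName is not enabled; nothing to do."
        return
    }
    Disable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart | Out-Null
    Write-Host "$FeatureName disabled; restart the computer to complete the change."
}

# Audit first, then disable, then show the pending state.
Write-Host "IE feature state before: $(Get-IEFeatureState)"
Get-MhtHandler | Format-Table -AutoSize
Disable-IEFeature
Write-Host "IE feature state after:  $(Get-IEFeatureState)"
```

After the restart, rerunning Get-IEFeatureState should report Disabled. Note that disabling the feature removes the browser itself; the .mht ProgID entries may remain in the registry, so the handler check is there to tell you whether any other application has since claimed the extension.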