image credit: William / Flickr

A New Vulnerability in Internet Explorer

April 15, 2019

Microsoft’s Internet Explorer browser has been the subject of unrelenting criticism and ridicule over the years—and not without reason. However, despite it being plagued with numerous security issues, some people are still using it, or at least have it installed on their computer. After all, how much harm can an internet browser do simply by… being there?

Well, a lot, apparently. Security researcher John Page discovered that Internet Explorer is the cause of a new Windows exploit, which could let hackers access and obtain operating system user data. The worst part? Any user with Internet Explorer installed on their computer is vulnerable to the exploit, whether or not they’re currently using the browser or have even opened it before. The hack has been successfully tested in the latest version of Internet Explorer 11 on Windows 7, Windows 10 and Windows Server 2012 R2.

This vulnerability relies on the fact that, unlike modern browsers, Internet Explorer has the ability to save web pages in the .MHT file format, which automatically makes it the default application for such files. Attackers can exploit this by sending users an infected .MHT file via email or other messaging services. When opened, this file allows hackers to gain access to local files and program version information on the target’s computer.

Page claims to have warned Microsoft about the vulnerability, but the company reportedly refused to consider the bug for an urgent security fix. Instead, the company said that it would consider it in a future release, leaving millions of users potentially vulnerable until then, unless they remove Internet Explorer from their computer or select a different default application for opening .MHT files.

After Microsoft’s response, Page revealed details about the exploit on his website, along with proof-of-concept code and a video demo. Despite Microsoft’s response, this vulnerability should definitely be taken seriously, since cyberattackers have exploited MHT files for spear-phishing and malware distribution in the past. This format is actually a popular way to package and deliver exploits to targets’ computers.

In their defense, Microsoft have repeatedly advised users to move on to a new browser due to various security implications. Senior cybersecurity architect Chris Jackson explained that developers are no longer testing their sites for IE, which could compromise security and stability. He stated: “You see, Internet Explorer is a compatibility solution. We’re not supporting new web standards for it and, while many sites work fine, developers by and large just aren’t testing for Internet Explorer these days. They’re testing on modern browsers.” However, many enterprises still use Internet Explorer to run legacy web apps, as the outdated browser still supports them, but now the risks definitely outweigh the benefits. By continuing to use Internet Explorer, companies are incurring additional costs later down the road.

So the next time you receive an .MHT file, make sure that your default application isn’t Internet Explorer. Or better yet, stay safe and remove Internet Explorer completely from your computer. Modern browsers are a much better alternative for pretty much every use case.
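One way to check which application opens .MHT files on a machine, as an added example (not from the original article or from Page's write-up). It reads the standard Windows file-association registry keys for the current user; treating any open command that contains `iexplore.exe` as "opens in Internet Explorer" is this example's own heuristic.

```powershell
# Added example: report the handler for .mht/.mhtml and flag Internet Explorer.
$extensions = '.mht', '.mhtml'
$classRoots = 'HKCU:\Software\Classes', 'HKLM:\Software\Classes'

function Get-OpenCommand {
    param([string]$ProgId)
    # Per-user class registrations take precedence over machine-wide ones.
    foreach ($root in $classRoots) {
        $key = "$root\$ProgId\shell\open\command"
        if (Test-Path $key) {
            return (Get-Item $key).GetValue('')   # '' reads the (Default) value
        }
    }
    return $null
}

foreach ($ext in $extensions) {
    $progId = $null

    # 1. Explicit choice made through "Open with" or the Default apps settings.
    $choiceKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
    if (Test-Path $choiceKey) {
        $progId = (Get-ItemProperty $choiceKey).ProgId
    }

    # 2. No explicit choice: fall back to the class registered for the extension.
    if (-not $progId) {
        foreach ($root in $classRoots) {
            if (Test-Path "$root\$ext") {
                $progId = (Get-Item "$root\$ext").GetValue('')
                if ($progId) { break }
            }
        }
    }

    $command = if ($progId) { Get-OpenCommand $progId } else { $null }

    [pscustomobject]@{
        Extension   = $ext
        ProgId      = $progId
        OpenCommand = $command                                   # empty for some Store apps
        OpensInIE   = [bool]($command -match 'iexplore\.exe')    # heuristic, see lead-in
    }
}
```

A row with `OpensInIE` set to `True` means a double-clicked .MHT file on that account is handed to Internet Explorer, which is the condition the article advises changing.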