Posted On 02 May 2019
Security researcher John Page has recently published information, including a proof of concept code, regarding a zero-day vulnerability in Internet Explorer that could provide hackers with a method by which they can steal files from computers that use the Windows operating system.
The problem stems from the ways in which Internet Explorer handles MHT (MHTML Web Archive) files, which is the default setting for saving webpages through Internet Explorer. Although current browsers don’t use the MHT format, preferring HTML, many of them continue to support it.
Page has pointed out an XXE (XML eXternal Entity) weakness that hackers can use when MHT files are opened. Remote attackers could use the witness to access local files and then run reconnaissance on locally installed programs.
In Windows, the default for MHT files is to open them with Internet Explorer; as such, all hackers need to do to infiltrate a system is to send an MHT file through email or other channels and get the unsuspecting user to open it. The vulnerability in the Internet Explorer code is related to its duplicate tab, print preview, and print commands. Normally, these would need a user to trigger them, but Page claims this can be done automatically. It is also possible to use an MHT file to disable the usual security warnings that Internet Explorer typically issue to users when a potential attack is detected.
Page went on to disclose that he had tested the vulnerability with the latest version of Internet Explorer (v11) and it works with the fully up-to-date versions of Windows 7, Windows 10, and Windows Server 2012 R2. Although Internet Explorer is now used for just 7.34% of browsing, this does not mitigate the danger as Windows will automatically use Internet Explorer for MHT files, no matter what browser a user prefers.
Page has notified Microsoft regarding the vulnerability; however, on April 10, Microsoft informed him that they would consider fixing the issue in future product releases, but were not going to release a security patch. Facing this lack of urgency from the company, Page released details of the problem on his website and via YouTube.
Although Microsoft doesn’t seem to be taking the problem seriously, users definitely should. Cybercriminals have been using MHT files for years to undertake phishing and malware attacks, so it’s essential you run a scan on any MHT file you receive before you open it.