CATEGORIES
home News

Unpatched Internet Explorer Zero-Day Exploit Lets Hackers Steal Files

by Brandon HillSunday, April 14, 2019, 02:58 PM EDT

Although Microsoft is hoping for a big browser comeback with the Chromium-based version of the Microsoft Edge browser, there’s another browser in the company’s repertoire that many people have already forgotten about. Of course, we’re talking about the “undead” Internet Explorer.

Internet Explorer has a long history of poor security (which was one of the reasons for its dwindling popularity), and now a new exploit that takes advantage of the browser has been brought to light. John Page, a security researcher, has discovered an XML eXternal Entity (XXE) vulnerability that takes advantage of MHT files.

Internet explorer

The main issue is that by default, Windows-based operating systems are set to open MHT files with Internet Explorer. And because this unpatched vulnerability lies in Internet Explorer – which is still installed by default on Windows systems for backwards compatibility --  it leaves systems ripe for remote execution attacks.

"This can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information," writes Page. "Example, a request for 'c:\Python27\NEWS.txt' can return version information for that program."

While interacting with an MHT file would usually require user intervention (i.e. clicking on an attachment that was sent in an email), ZDNetadds that the exploit could be triggered using a window.print() Javascript command that would be automatically run by simply visiting a malicious website.

Page adds that what makes this exploit even more troubling is that, "when opening a specially crafted .MHT file using malicious < xml > markup tags the user will get no such active content or security bar warnings [in Internet Explorer]."

As of now, the exploit affects versions of Internet Explorer 11 that are installed on Windows 7, Windows 10 and Windows Server 2012 R1 operating systems.

Microsoft has responded to Page's research by stating, "We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case."

That seems like a half-baked response to us, and it seems as though this exploit should have Microsoft's full attention rather than simply being "considered."

If you'd prefer not to wait for Microsoft to patch the issue, you can simply uninstall Internet Explorer 11 in Windows 10 -- chances are that you aren't using it anyway. Simply navigate to Settings--> Apps--> Apps & features. From there, you will see an option "Related Settings" for Programs and Features. Next, click "Turn Windows features on or off" from the left panel.

Finally, unselect the Internet Explorer 11 option and hit "OK". Restart your machine to rid yourself of the useless browser.

Tags:  Microsoft, Windows 7, Internet Explorer, Zero-Day, Internet Explorer 11, Windows 10, (nasdaq:msft)
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment