Finally stopped using Internet Explorer? Good. Now it is time to remove it from your computer completely.
Security researcher John Page has disclosed a new exploit that allows hackers to steal data from Windows users through Internet Explorer. The craziest part: Windows users never even have to open the obsolete web browser for malicious actors to use this exploit. It simply has to exist on their computer.
"Internet Explorer is vulnerable to attacks from external XML entities if a user opens a locally crafted .MHT file," says Page. "This can allow remote attackers to potentially leak local files and perform remote discovery on locally installed program version information."
Basically, this means that hackers exploit the vulnerability by using .MHT files, the file format Internet Explorer uses for its web archives. Current web browsers do not use the .MHT format, so when a PC user tries to open such a file, Windows opens IE by default.
To trigger the exploit, a user simply needs to open an attachment received by email, mail, or another file transfer service.
"For example, a request for 'c:\Python27\NEWS.txt' might return information about the version of this program," explains Page. "When opening the malicious .mht file locally, it should launch Internet Explorer. Subsequently, user interactions such as duplicate tab 'Ctrl + K' and other interactions such as right-click 'commands' or 'Print' on the web page may also trigger the XXE vulnerability."
The exploit has been tested with the latest version of Internet Explorer, IE 11. It affects users of Windows 7, Windows 10 and Windows Server 2012 R2.
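A defender-side triage sketch for the delivery path described above, added here as an example and not taken from Page's advisory or from Microsoft: it parses a .mht file as the MIME archive it is, decodes each part, and flags external entity declarations. The function names, the regular expression and both sample files are assumptions constructed for illustration.

```python
import base64
import email
import re
from email import policy

# An external entity declaration: <!ENTITY [%] name SYSTEM|PUBLIC "identifier" ...>
# Saved web pages have no reason to declare one, so any hit deserves review.
EXTERNAL_ENTITY = re.compile(
    rb"<!ENTITY\s+(?:%\s+)?([\w.:-]+)\s+(?:SYSTEM|PUBLIC)\s+[\"']([^\"']*)[\"']",
    re.IGNORECASE,
)

def scan_mht(data: bytes) -> list[tuple[str, str, str]]:
    """Return (content_type, entity_name, identifier) for each external entity."""
    msg = email.message_from_bytes(data, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64 / quoted-printable, which a raw grep would miss
        payload = part.get_payload(decode=True) or b""
        for name, ident in EXTERNAL_ENTITY.findall(payload):
            findings.append((part.get_content_type(),
                             name.decode("ascii", "replace"),
                             ident.decode("ascii", "replace")))
    return findings

def build_mht(html: bytes) -> bytes:
    """Constructed sample: a one-part .mht archive with a base64 body."""
    return (b"MIME-Version: 1.0\n"
            b'Content-Type: multipart/related; boundary="sample"\n\n'
            b"--sample\n"
            b"Content-Type: text/html\n"
            b"Content-Transfer-Encoding: base64\n\n"
            + base64.encodebytes(html) +
            b"--sample--\n")

# Constructed inputs: an ordinary XHTML page and one declaring an external entity.
BENIGN = build_mht(b'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" '
                   b'"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">\n<html></html>')
SUSPECT = build_mht(b'<?xml version="1.0"?>\n<!DOCTYPE r [\n'
                    b'<!ENTITY % ext SYSTEM "http://example.invalid/placeholder.dtd">\n]>\n<r/>')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_mht(sample))
```

A hit is a reason to quarantine the attachment for review, not proof of malice; the check is a heuristic and an absence of hits does not clear a file.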
Most worrying, according to Page, is that Microsoft told him it would only "consider" a fix in a future update. The security researcher claims to have contacted Microsoft in March before publicizing the problem.
As pointed out by the Internet Explorer site, although the browser holds less than 10% of the web browser market, that does not particularly matter in this case, because the exploit simply requires that the user has the browser on their PC.
Earlier in 2019, Chris Jackson, a cybersecurity expert at Microsoft, finally urged anyone who still used Internet Explorer. The company officially discontinued its former flagship web browser in 2015.