A security researcher has discovered a critical exploit in Microsoft’s Internet Explorer browser that could let hackers steal files from your system.
What’s worse, even if you no longer use the archaic web browser, you could still fall prey to the attack.
Security researcher John Page published proof-of-concept code detailing how the flaw could be carried out.
‘Internet Explorer is vulnerable to XML External Entity attack if a user opens a specially crafted .MHT file locally,’ Page explained.
‘This can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information.’
Just 7 percent of Windows users still browse with Internet Explorer. However, over 1 billion computers run Windows 7 or Windows 10 and have the browser installed, Forbes noted.
This means that while only a fraction of users are still on Internet Explorer, the threat is actually much larger, given the way the security flaw operates.
The flaw relies on ‘.MHT’ files, the file type Internet Explorer uses for web pages saved from the browser.
For example, when a user saves a webpage, either manually or by pressing Ctrl and the ‘S’ key, it is saved in .MHT format.
All a user needs to do is open the malicious .MHT file on their device, and it should launch in Internet Explorer.
Modern browsers save web pages in .HTML format rather than .MHT, so on Windows the .MHT extension remains tied to Internet Explorer and opening such a file launches it automatically.
‘Afterwards, user interactions like duplicate tab “Ctrl+K” and other interactions like right click “Print Preview” or “Print” commands on the web-page may also trigger the XXE vulnerability,’ Page continued.
Additionally, the exploit bypasses the security alerts Internet Explorer would normally show.
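As an added defensive illustration, not code from the researcher or from this article: a small Python scanner that unpacks an .MHT archive (which is MIME multipart under the hood), decodes each part and flags external entity or external DTD declarations, the structural feature any XXE payload depends on. The MIME layout, boundary name and placeholder file path below are constructed for the example and are not taken from the published proof of concept.

```python
import email
import re
from email import policy

# Declarations that make an XML parser reach outside the document:
# external general/parameter entities and external DTD subsets.
EXTERNAL_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s*)?[\w.-]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
EXTERNAL_DTD_RE = re.compile(
    r"<!DOCTYPE\s+[\w.-]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
PATTERNS = ((EXTERNAL_ENTITY_RE, "external-entity"),
            (EXTERNAL_DTD_RE, "external-dtd"))


def scan_mht(data):
    """Parse an .MHT archive and report every part whose decoded body
    declares an external entity or DTD. Decoding first matters: MHT
    bodies are usually quoted-printable or base64, so a raw grep over
    the file would miss a declaration split by a soft line break."""
    msg = email.message_from_bytes(data, policy=policy.default)
    findings = []
    for index, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for pattern, kind in PATTERNS:
            for match in pattern.finditer(text):
                findings.append({"part": index, "kind": kind,
                                 "content_type": part.get_content_type(),
                                 "match": match.group(0)})
    return findings


def build_mht(html):
    """Wrap quoted-printable HTML in a minimal constructed MHT container."""
    return (b"MIME-Version: 1.0\n"
            b'Content-Type: multipart/related; boundary="----=_Example"\n\n'
            b"------=_Example\n"
            b'Content-Type: text/html; charset="utf-8"\n'
            b"Content-Transfer-Encoding: quoted-printable\n\n"
            + html + b"\n------=_Example--\n")


# Constructed samples. The entity target is a placeholder path, and the
# "=" at the end of the first line is a quoted-printable soft line break.
SUSPICIOUS_MHT = build_mht(b'<!DOCTYPE html [ <!ENTITY ext SYSTEM =\n'
                           b'"file:///C:/placeholder.txt"> ]>\n<html><body>&ext;</body></html>')
CLEAN_MHT = build_mht(b"<!DOCTYPE html>\n<html><body><p>Ordinary saved page.</p></body></html>")
```

A mail gateway or endpoint agent can run the same check on any .MHT attachment or download before a user double-clicks it.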
The flaw was successfully tested on the latest version of Internet Explorer, on systems running Windows 7, Windows 10 and Windows Server 2012 R2.
Microsoft was notified of the flaw last month but chose not to issue an urgent patch for it, adding that it will release a fix in a future version ‘of this product or service,’ Page said, according to ZDNet.