Microsoft’s Internet Explorer was already useless for most of us, but now it is dangerous to have the obsolete browser on your computer. A security researcher, John Page, found a new security flaw in Internet Explorer that allows hackers to steal data.
Security researcher John Page discovered the security flaw, finding that any user with Internet Explorer installed on their system is vulnerable to the exploit, whether or not they’re currently using the browser or have even opened it before. This flaw affects your Windows PC even if you never open the browser. So just by existing on your PC, IE allows malicious actors to steal Windows users’ data.
“Internet Explorer is vulnerable to XML External Entity attack if a user opens a specially crafted. MHT file locally,” writes Page. “This can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information.”
To initiate the exploit, a user simply needs to open an attachment received by email, messenger, or other file transfer service.
“[For] example, a request for “c:\Python27\NEWS.txt” can return version information for that program,” Page explains. “Upon opening the malicious ‘.MHT’ file locally it should launch Internet Explorer. Afterwards, user interactions like duplicate tab ‘Ctrl+K’ and other interactions like right click ‘Print Preview’ or ‘Print’ commands on the web-page may also trigger the XXE vulnerability.”
Page reportedly reached out to Microsoft last month, warning them of the exploit and requesting an urgent security fix, but the tech giant responded by saying that “a fix for this issue will be considered in a future version of this product or service”.