You might think that any security issues with Internet Explorer shouldn’t be much of a problem anymore.
After all, most computer users have moved on to more modern alternative browsers like Chrome, Brave, Firefox, Safari, or Microsoft Edge.
And even Microsoft itself has been warning companies of the “perils” of setting Internet Explorer as their default browser, as it is no longer being updated to support new web standards and might leave your users in the equivalent of the browser Ice Age.
There are even some who have argued that Microsoft should stop issuing security patches for Internet Explorer’s legacy code four years after Edge’s arrival, and that instead they should force customers to move on.
Well, if you needed another reason to ditch Internet Explorer, security researcher John Page (known as @hyp3rlinx on Twitter) may have just given it to you.
Page has published proof-of-concept code (we won’t link to it here for obvious reasons) that demonstrates how users who open a boobytrapped .MHT file locally can unwittingly share information with a remote attacker.
.MHT files (the extension stands for MHTML web archive) are the default format used when users ask Internet Explorer browsers to save a webpage.
If you try to open an .MHT file on a computer running Windows 7, Windows 10, or Windows Server 2012 R2 then it will attempt to load the file using Internet Explorer – regardless of the default browser in place. (Internet Explorer 11 ships with every consumer version of Windows, including Windows 10. If you have an education or enterprise license than it can be optionally excluded.)
And what Page has found is a way to exploit a zero-day XXE (XML eXternal Entity) vulnerability in how Internet Explorer processes MHT files.
According to Page, “this can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed program version information.”
The researcher cites an example of how if the MHT files requests a file at c:\Python27\NEWS.txt it could reveal details of the version of the software that had been installed – potentially useful information for someone attempting to attack a system.
All an attacker would need to do is convince their potential target via social engineering to open a malicious .MHT file.
Although Internet Explorer’s marketshare has dwindled to around 7% of desktop browser use the fact that it continues to be installed on so many systems means it poses a potential risk.
Page told Microsoft about the problem at the end of March, but their response suggests that they’re not promising a fix:
“We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case.”
So, what should you do? Well, at the very least you need to be wary of unsolicited .MHT attachments. But maybe, if you have no use for Internet Explorer any more, consider uninstalling Internet Explorer via Control Panel from your Windows PCs.