A researcher has published a zero-day Internet Explorer exploit that Microsoft allegedly refused to patch. John Page's proof-of-concept details a method attackers can use to remotely steal files from a Windows PC.
“Upon opening the malicious ‘.MHT' file locally it should launch Internet Explorer. Afterwards, user interactions like duplicate tab ‘Ctrl+K' and other interactions like right click ‘Print Preview' or ‘Print' commands on the web-page may also trigger the XXE vulnerability,” explained Page.
This ultimately means attackers may be able to steal local files or spy on users. As MHT files open with Internet Explorer by default, all users have to do is click on an emailed file to become a target. As a result, this vulnerability affects Windows 10, Windows 7, and Server 2012 R2.
Fix ‘Will be Considered'
It doesn't seem that Microsoft is in any particular rush to fix this vulnerability, hence the exploit's publication. According to page, he notified the tech giant of the issue on March 27. The security team replied on April 10 stating:
“A fix for this issue will be considered in a future version of this product or service.
At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case.”
MHT files have been a popular avenue of attack for some time due to their ability to store malicious code. Usually, users are warned before downloading, but hackers can bypass this by packaging them in a .rar or .zip file.
It's not yet clear how wary users should be of this attack, given Microsoft's lack of concern, but basic security practices never go amiss. Users should never open emailed files from an unknown source and should scan zip before opening.
In general, average users shouldn't have much use for MHT files. They're used primarily for archived webpages but aren't particularly common. Coming across one in the wild should always ring alarm bells.
In fact, users would probably be well served to uninstall Internet Explorer entirely, if it's an option. We've seen multiple exploits surface in the past year, and Microsoft itself doesn't recommend the browser.
When you don't even have to use IE for it to become an attack vector, it's probably time to say goodbye.