Microsoft’s Internet Explorer (IE) was revolutionary when it made its debut in 1995. The web browser was at one point so popular it peaked with a 95 percent usage share in 2003. However, following stiff competition from Firefox and Google Chrome, the browser went into swift decline, as evidenced by its many security vulnerabilities.
Security researcher John Page has discovered a new security flaw allowing hackers to steal Windows users’ data thanks to Internet Explorer.
And the most worrying aspect is that Windows users don’t even have to open the now-obsolete web browser for malicious actors to use the exploit.
Internet Explorer only needs to exist on their PC for the vulnerability to exist.
Mr Page wrote: “Internet Explorer is vulnerable to XML External Entity attack if a user opens a specially crafted .MHT file locally.
“This can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information.”
Hackers are reportedly exploiting a vulnerability using .MHT files – the file format used by Internet Explorer for its web archives.
Current web browsers do not use the .MHT format, so Windows automatically opens IE by default when a user attempts to access this file.
To initiate the exploit, a user simply needs to open an attachment sent by email or other file transfer service.
Mr Page explained: “For example, a request for ‘c:\Python27\NEWS.txt’ can return version information for that program.
“Upon opening the malicious ‘.MHT’ file locally it should launch Internet Explorer.
“Afterwards, user interactions like duplicate tab ‘Ctrl+K’ and other interactions like right click ‘Print Preview’ or ‘Print’ commands on the web-page may also trigger the XXE vulnerability.”
The exploit has been tested using the last version of Internet Explorer, IE 11.
The flaw affects Windows 7, Windows 10, and Windows Server 2012 R2 users.
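As an added example (not from Mr Page’s advisory or from Microsoft), the following Python check shows how a mail or file gateway could triage .MHT attachments for the XML external entity declarations that an XXE attack depends on. It assumes the declaration sits in one of the archive’s MIME parts; the function name `scan_mht` and the sample archive are constructed for illustration.

```python
import base64
import email
import re
from email import policy

# Matches <!ENTITY name SYSTEM "uri"> and the parameter form <!ENTITY % name SYSTEM "uri">,
# plus PUBLIC declarations with a double-quoted public identifier.
EXTERNAL_ENTITY = re.compile(
    rb'<!ENTITY\s+(?:%\s+)?([\w.-]+)\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+["\']([^"\']*)["\']',
    re.IGNORECASE,
)

def scan_mht(raw: bytes):
    """Return (part_index, entity_name, uri) for each external entity found in any MIME part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for index, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        # decode=True undoes base64 / quoted-printable, which a plain grep would miss.
        body = part.get_payload(decode=True) or b""
        for m in EXTERNAL_ENTITY.finditer(body):
            findings.append((index, m.group(1).decode("ascii", "replace"),
                             m.group(2).decode("ascii", "replace")))
    return findings

# Constructed sample: an .MHT archive whose second part is base64-encoded XML
# declaring one external entity that points at a placeholder host.
CONSTRUCTED_XML = (b'<?xml version="1.0"?>\n'
                   b'<!DOCTYPE r [<!ENTITY % ext SYSTEM "http://example.invalid/placeholder.dtd">]>\n'
                   b'<r/>')
SAMPLE_MHT = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>archived page</body></html>\r\n"
    b"--b1\r\n"
    b"Content-Type: text/xml\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n" + base64.b64encode(CONSTRUCTED_XML) + b"\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for index, name, uri in scan_mht(SAMPLE_MHT):
        print(f"part {index}: external entity {name!r} -> {uri}")
```

A hit is a reason to quarantine the attachment for review rather than proof of malice. XML stored in UTF-16 would need to be decoded before the byte pattern can match.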
However, Page believes the most troubling aspect is Microsoft’s apparent lack of urgency in fixing the issue, telling the researcher it would only “consider” a fix in a future update.
Mr Page says he contacted Microsoft in March before now going public with the issue.
While Internet Explorer now accounts for less than 10 percent of the web browser market, the exploit only requires a Windows user to have the browser on their computer.
Earlier in 2019, Microsoft cybersecurity expert Chris Jackson urged anyone still using Internet Explorer to finally give it up.
Microsoft officially discontinued its former flagship web browser in 2015.