FYI: Internet Explorer hack could steal your data even if you don’t use IE

It’s good that you don’t use internet explorer any more however it’s the time now to delete it completely from your computer.

As reported by the security researcher John Page, there is a new security flaw in the internet explorer that allows hackers to steal Windows users’ data even if they don’t use IE.

Whether the Windows users open internet explorer or not, the malicious actors just need IE to exist on their computer to use the exploit.

“Internet Explorer is vulnerable to XML External Entity attack if a user opens a specially crafted .MHT file locally,” writes Page. “This can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information.”

Mainly, it’s a sign that hackers are making use of a vulnerability through .MHT files, which is the file format Internet Explorer uses for its web archives.

Web browsers these days like Chrome or Firefox don’t make use of the .MHT format, however you must have observed at times Windows opens IE by default, this is when you attempt to access this file.

To kick off the exploit all you need is to simply open an attachment received by any file transfer service like email, messenger and so on.

“[For] example, a request for “c:\Python27\NEWS.txt” can return version information for that program,” Page explains. “Upon opening the malicious ‘.MHT’ file locally it should launch Internet Explorer. Afterwards, user interactions like duplicate tab ‘Ctrl+K’ and other interactions like right click ‘Print Preview’ or ‘Print’ commands on the web-page may also trigger the XXE vulnerability.”

 

The testing has been done on the last version of Internet Explorer, IE 11 to confirm the exploit. It affects Windows 7, Windows 10, and Windows Server 2012 R2 users.

As per the report, John Page has already contacted Microsoft in March before he went public with the issue. According to Page, Microsoft told him that the company would consider a fix for the issue in a future update.

Earlier in 2019, Microsoft cybersecurity expert Chris Jackson had already urged to those who were still using Internet Explorer to finally give it up. The company officially had put an end to its former flagship web browser in 2015.