Almost four years after its younger sibling, Microsoft Edge, was born, security researchers keep finding troublesome security bugs in Internet Explorer.
The most recent bug found is a proof of concept published by John Page (aka hyp3rlinx), a security researcher. The flaw takes advantage of a weakness in the way the browser deals with MHTML (MHT) files. These are Internet Explorers default web page archiving format.
If Windows 7, Windows 10 or Windows Server 2012 R2 runs into one of these files, it will open by default with Internet Explorer, which means that an attacker would only have to convince the user to open the file. Succeeding in that would allow remote attackers to pull local files from your machine and conduct remote reconnaissance.
So, what if you use Google Chrome or have moved on to Edge? Unfortunately, this is still a problem because most Windows computers come with Internet Explorer when you buy them. With Windows 10, Internet Explorer will still need to undergo a small setup process on the first startup. This may draw some attention to attacks that exploit this bug.
One thing you can do to avoid the exploit is to not enable Internet Explorer. If you can, go ahead and uninstall it through the Control Panel. When John Page (aka hyp3rlinx) reported the bug to Microsoft, Microsoft replied with this:
“We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case.”
Reading this as dismissive, John Page published his proof of concept and video demonstrating that his exploit works as claimed. Some have started to call it a “zero-day vulnerability” because it is a known bug with no patch, while a zero-day attack is an attack targeting a previously unknown bug.
Microsoft will undoubtedly patch the vulnerability in the future, hopefully sooner than later.