A security researcher has found a new vulnerability in how Internet Explorer 11 handles .MHT saved web pages which would allow hackers to steal files on your PC.
Crucially, because Internet Explorer is the default handler for .MHT files, the unpatched zero-day exploit would still work even if you use Chrome as your default for browsing the web.
Discovered by John Page, the XXE (XML eXternal Entity) vulnerability in IE uses XML to bypass Internet Explorer’s protection against activating ActiveX modules and requires only that the user double-click on the .MHT file (for example, if someone emails or messages them the file).
“Typically, when instantiating ActiveX Objects like ‘Microsoft.XMLHTTP’ users will get a security warning bar in IE and be prompted to activate blocked content,” the researcher said. “However, when opening a specially crafted .MHT file using malicious <xml> markup tags the user will get no such active content or security bar warnings.”
The exploit is ideal for spear-phishing attacks, allowing malicious actors to steal files or information.
“This can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information,” Page said.
Unfortunately, it appears Microsoft is not planning to fix the issue, responding to the report by saying:
“We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case.”
The vulnerability is demonstrated in the video below; full details, including a proof of concept, are available here.
The exploit works for Windows 7, 8 and 10. At this point, until Microsoft lets us uninstall IE11, the general advice to not click on files you do not expect is likely the best defence.