Internet Explorer exploit lets hackers steal data even if you never it

Even if you never open Internet Explorer, a newly discovered Windows security flaw found that hackers can use the old web browser to steal your data.
Even if you never open Internet Explorer, a newly discovered Windows security flaw found that hackers can use the old web browser to steal your data.

Image: Alexander Hassenstein/Getty Images

Finally stopped using Internet Explorer? Good! But, now it’s time to completely delete it from your computer, too.

Security researcher John Page has a new that allows hackers to steal Windows users’ data thanks to Internet Explorer. The craziest part: Windows users don’t ever even have to open the now-obsolete web browser for malicious actors to use the exploit. It just needs to exist on their computer.

“Internet Explorer is vulnerable to XML External Entity attack if a user opens a specially crafted .MHT file locally,” Page. “This can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information.”

Basically, what this means is that hackers are taking advantage of a vulnerability using .MHT files, which is the file format used by Internet Explorer for its web archives. Current web browsers do not use the .MHT format, so when a PC user attempts to access this file Windows opens IE by default. 

To initiate the exploit, a user simply needs to open an attachment received by email, messenger, or other file transfer service.

“[For] example, a request for “c:Python27NEWS.txt” can return version information for that program,” Page explains. “Upon opening the malicious ‘.MHT’ file locally it should launch Internet Explorer. Afterwards, user interactions like duplicate tab ‘Ctrl+K’ and other interactions like right click ‘Print Preview’ or ‘Print’ commands on the web-page may also trigger the XXE vulnerability.”

The exploit has been tested using the last version of Internet Explorer, IE 11. It affects Windows 7, Windows 10, and Windows Server 2012 R2 users.

Most worrisome, according to Page, is that Microsoft told him that it would just “consider” a fix in a future update. The security researcher says he contacted Microsoft in March before now going public with the issue.

As points out, while Internet Explorer usage less than 10 percent of the web browser market, it doesn’t particularly matter in this case as the exploit just requires a user to have the browser on their PC.

Earlier in 2019, Microsoft cybersecurity expert Chris Jackson urged anyone still using Internet Explorer to finally . The company officially discontinued its former flagship web browser in 2015.

Uploads%252fvideo uploaders%252fdistribution thumb%252fimage%252f90112%252fc3b3ffde d94e 4e37 8408 80383acfc071.jpg%252foriginal.jpg?signature=mjmuq9hcdloughk99f5wjtdh3p4=&source=https%3a%2f%2fblueprint api production.s3.amazonaws

Source

more recommended stories

  • Study finds connection between using emoji and having sex

    Recent studies suggest that frequent use.

  • Huawei’s foldable phone may come with a more powerful chip and camera

    Huawei’s Mate X — the company’s.

  • Finally a ‘dream job’ contest that let’s you decide what that is

    Follow your dreams.  That’s nice advice.

  • Making calls with Siri or Google could lead to you getting scammed

    If you’ve ever used Siri or.

  • Flip flops made of grass, live hermit crabs, and more weird stuff on Amazon this week

    Just to let you know, if.

  • Netflix’s ‘Diagnosis’ is real-life ‘House’ for the digital age: Review

    The following is a spoiler-free review.

  • TomTom GPS devices on sale for 30% off at Amazon — now $118

    Just to let you know, if.

  • Bumble and Tinder are paying frats to throw parties, acquire new users

    The wholesome, all-American tradition of drunken.

  • Jonathan Groff sings insanely sweet voice memos for kids as Kristoff from ‘Frozen’

    RIP my ovaries: Jonathan Groff, who.

  • Samsung might launch a phone with a graphene battery next year

    Samsung is working to launch a.

  • Bear breaks into a house and escapes ‘like the Kool-Aid Man’ when the cops arrive

    Bears are a lot like the.

  • Ninja accuses Twitch of pushing porn on his unused account

    Ninja has beef with Twitch, the.

  • He tried to prank the DMV. Then his vanity license plate backfired big time.

    Everyone hates parking tickets. Not everyone,.

  • For Season 3, ‘GLOW’ stays in Vegas while everyone changes

    It’s an old saying, and super.

  • Orphaned baby koala gets a tiny arm cast after falling from tree

    These adorable images of a baby.

  • 46% of social media users are ‘worn out’ by politics on social media

    We’re more than a year away.

  • ‘Game of Thrones’ creators are heading to Netflix

    Game of Thrones creators and showrunners.

  • Stephen Colbert catches out Fox News admitting Trump might be a racist

    After comparing America’s gun culture to.

  • Get the Fire TV Stick and Echo Dot together for $25 off on Amazon

    Just to let you know, if.

  • Best back-to-school sales this week: iPad, Bose, Keurig

    Heads up: All products featured here.

  • Cloudflare announces termination of 8chan’s service

    Cloudflare has announced that it will.

  • Pre-order ‘FIFA 20’ from GAME for under £35 (UK deal)

    Just to let you know, if.

  • Hailstones the size of baseballs pound parts of Canada

    The Earth continues to drop casual.

  • Domain registry moves to ban cryptocurrency names

    Sorry, crypto companies, you can’t register.

  • Desperate farmer destroys rare Lion King toy on live TV to make a point about online bullying

    On Friday morning, Australian time, a.

  • Soon you might be able to access Google Play content for $4.99 a month

    Disclosure Every product here is independently.

  • ‘Queer Eye’ stars share the disgusting incident that made Antoni literally pee himself laughing

    You’re used to the cast of.

  • No, you can’t watch Netflix while driving your Tesla

    While an upcoming update means you’ll.

  • 100 million Americans’ data accessed in massive Capitol One hack

    Well, this is not good.  Finance.

  • Apple’s three 2020 iPhones will all reportedly be 5G-ready

    Get your salt shakers ready; it’s.

  • Someone has to make the family mac and cheese. I was worried it couldn’t be me.

    Mashable bites into a creamy, nutty,.

  • Bear burglar performs acrobatics to make off with bird feeder

    Cat burglars? Out. Bear burglars? In..