Internet Explorer vulnerability ‘could expose users’ files’

Windows users who have Internet Explorer (IE) installed on their device could be at risk from a newly-discovered vulnerability that may allow hackers to steal files from their system – even if they do not use the application.

According to details published by security researcher John Page, the flaw takes advantage of the way IE processes MHT files, the default standard the browser uses to save web pages.

Because Windows opens these files using IE by default, even users who don’t run the browser will be at risk of exposure. All a hacker has to do is send an attachment via email, which will expose users to the vulnerability if opened.
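Since the delivery route described above is an MHT file attached to an email, a mail filter can flag such attachments before they reach a user. The following is an added example, not code from the article or from Mr Page; the function names and the sample message are constructed for illustration, and the content check assumes the attachment follows the MHTML convention of a `multipart/related` MIME document.

```python
import email
import os
from email import policy
from email.message import EmailMessage

MHT_EXTENSIONS = {".mht", ".mhtml"}

def looks_like_mht(body: bytes) -> bool:
    """Heuristic: an MHT file is itself a MIME document of type multipart/related."""
    head = email.message_from_bytes(body[:4096])
    return head.get_content_type() == "multipart/related"

def find_mht_attachments(raw: bytes):
    """Return (filename, reason) for each part that is, or appears to be, an MHT file."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in MHT_EXTENSIONS:
            hits.append((name, "extension"))
            continue
        if part.is_multipart():
            continue  # containers carry no payload of their own
        body = part.get_payload(decode=True) or b""
        if looks_like_mht(body):
            hits.append((name, "content"))  # catches renamed MHT files
    return hits

def build_sample() -> bytes:
    """Constructed test message: one .MHT, one renamed MHT, one harmless file."""
    mht = (b'MIME-Version: 1.0\r\n'
           b'Content-Type: multipart/related; boundary="b"\r\n\r\n'
           b'--b\r\nContent-Type: text/html\r\n\r\n<html></html>\r\n--b--\r\n')
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for fname, data in [("report.MHT", mht), ("notes.dat", mht),
                        ("scan.pdf", b"%PDF-1.4\n%constructed\n")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in find_mht_attachments(build_sample()):
        print(f"flagged {name!r} by {reason}")
```

The content check will also flag ordinary saved emails that use `multipart/related`, so flagged items are best quarantined for review rather than silently dropped.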

Mr Page said the bug works on Windows 7, 10 and Server 2012 R2 devices that have IE11 installed. He also noted that when he informed Microsoft of the issue, the firm declined to work on an urgent security fix.

He said Microsoft's response to the vulnerability stated: "We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case."

Therefore, Mr Page opted to release details of the flaw in order to bring attention to the issue.

Although the majority of users have moved away from the archaic IE – with only around seven per cent of people opting for it as their primary web browser – many devices are still likely to have the application installed in the background, even if it is never opened.

Therefore, it could still have widespread potential for use by hackers, as ZDNet noted that cybercrime groups have been known to exploit MHT files for spear-phishing and malware distribution in the past.

The issue should also highlight the importance of effective management of Windows systems, such as removing outdated and unneeded programs – like IE – that could pose security issues, especially as they reach end-of-life and developers cease extended support, such as patches.