Hello old friend, what do you have for me? Oh, malware. Thanks.
A BUG IN Internet Explorer is a bit like hearing about an unpatched vulnerability in BlackBerry Messenger. Yes, it would be better if the issue didn’t exist, but in 2019 does anybody really care?
Well, for this particular bug, yes you should, because even if you favour Chrome, Firefox or Safari, the exploit can still apply as long as you’re running Windows.
Security researcher John Page has explained that the way Windows treats MHT files, combined with an unfixed bug in Internet Explorer, makes it pretty trivial for an attacker to read files off a victim's disk. The bug is an XML external entity (XXE) injection: XML markup inside the archive can make IE read a local file and send its contents to a remote server.
To back up a moment, MHT is the file extension for MHTML, the web archive format in which a browser saves a page and everything it references as a single MIME file. Few browsers still save pages that way, but that isn't the point: on Windows, .mht files open in Internet Explorer by default, so double-clicking one launches IE whichever browser you normally use, and it is IE's handling of the format that can be exploited.
“This can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information,” Page wrote. “Example, a request for ‘c:\Python27\NEWS.txt’ can return version information for that program.”
In other words, if a victim receives the MHT file as an attachment and double-clicks it, the attacker can read files from the PC and learn which versions of which programs are installed. Normally this would trigger a security warning in Internet Explorer, but Page explains that suppressing that warning is equally trivial for an attacker who knows what they're doing.
“Typically, when instantiating ActiveX Objects like ‘Microsoft.XMLHTTP’ users will get a security warning bar in IE and be prompted to activate blocked content. However, when opening a specially crafted .MHT file using malicious <xml> markup tags the user will get no such active content or security bar warnings.”
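As an added illustration (this is not Page's proof of concept and not code from the article), here is a small Python scanner of the kind a mail gateway or incident responder could run over an .mht attachment. It unpacks the archive with the standard library's MIME parser and flags the markers the two quotes above describe: inline <xml> markup, an external-entity declaration that points at a local file, and the ActiveX XMLHTTP object used to send the result out. The two sample archives, the indicator regexes and the scoring rule are all constructed for this example; the entity-plus-XMLHTTP combination in the malicious sample is the textbook XXE shape, not the specific markup Page used, which the article does not reproduce.

```python
"""
Heuristic scanner for .mht (MHTML) attachments.  Added example for this
article; it is NOT John Page's proof of concept.  It looks for the markers
the article quotes: inline <xml> markup, an XML external entity (XXE)
declaration that points at a local file, and the ActiveX XMLHTTP object
used to send the file's contents out.
"""
import email
import re
from email import policy
from typing import Dict, Iterator, List

# Indicator patterns.  These are this example's own heuristics, not the
# advisory's; tune them before relying on them at a mail gateway.
INDICATORS: Dict[str, re.Pattern] = {
    # an inline XML data island, e.g. <xml id="..."> (but not <?xml ...?>)
    "xml_island": re.compile(r"<xml\b", re.I),
    # <!ENTITY name SYSTEM "file:///c:/..."> or a bare drive path
    "external_entity": re.compile(
        r"<!ENTITY\s+\S+\s+SYSTEM\s+[\"'](?:file:|[a-z]:[\\/])", re.I),
    # ActiveX HTTP objects, which Page names as the exfiltration vehicle
    "xmlhttp_activex": re.compile(
        r"Microsoft\.XMLHTTP|MSXML2\.(?:Server)?XMLHTTP|ActiveXObject", re.I),
    # a Windows local path, which a saved web page has no business containing
    "local_path": re.compile(r"\b[a-z]:[\\/][^\s\"'<>]+", re.I),
}


def mht_text_parts(raw: bytes) -> Iterator[str]:
    """Yield the decoded body of every text/* part of an MHTML archive.

    MHT is a MIME multipart/related message, so the stdlib email parser
    handles the container, boundaries and transfer encodings for us.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_content()


def scan_mht(raw: bytes) -> Dict[str, List[str]]:
    """Return every indicator match found in the archive, keyed by name."""
    hits: Dict[str, List[str]] = {name: [] for name in INDICATORS}
    for text in mht_text_parts(raw):
        for name, pattern in INDICATORS.items():
            hits[name].extend(m.group(0) for m in pattern.finditer(text))
    return hits


def is_suspicious(hits: Dict[str, List[str]]) -> bool:
    """Scoring rule (an assumption of this example, not the advisory's).

    An external-entity declaration is damning on its own.  An <xml> island
    turns up in old saved pages often enough that it is only flagged when it
    sits next to an XMLHTTP/ActiveX reference or a local Windows path.
    """
    if hits["external_entity"]:
        return True
    return bool(hits["xml_island"]) and bool(hits["xmlhttp_activex"] or hits["local_path"])


# Constructed sample archives (not real captures).  The malicious one has the
# textbook XXE shape and probes the c:\Python27\NEWS.txt path the article quotes.
SAMPLE_MALICIOUS = b"""From: <Saved by Windows Internet Explorer 8>
Subject: quarterly figures
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000"

------=_NextPart_000
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit

<html><body><p>Loading...</p>
<xml id="probe">
<!DOCTYPE x [<!ENTITY local SYSTEM "file:///c:/Python27/NEWS.txt">]>
<r>&local;</r>
</xml>
<script>var x = new ActiveXObject("Microsoft.XMLHTTP");</script>
</body></html>
------=_NextPart_000--
"""

SAMPLE_BENIGN = b"""From: <Saved by Windows Internet Explorer 8>
Subject: quarterly figures
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000"

------=_NextPart_000
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit

<html><body><h1>Q1 figures</h1><p>Revenue up 4%.</p></body></html>
------=_NextPart_000--
"""

if __name__ == "__main__":
    for label, raw in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        found = scan_mht(raw)
        print(label, "SUSPICIOUS" if is_suspicious(found) else "clean", found)
```

Because MHT is plain MIME, the same parser handles quoted-printable or base64 parts transparently, which matters: an attacker who encodes the HTML part defeats a naive grep over the raw file but not a scan of the decoded parts.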
Page found that this attack method worked in Windows 10, Windows 7 and Windows Server 2012.
That’s bad enough, but the worst thing is that this is a live vulnerability with no patch because Microsoft didn’t deem it important enough to fix when Page privately disclosed it to the company.
Releasing proof-of-concept code is a high-stakes gamble, given that it risks the security of millions of computers around the globe, but the theory is that once a company has declined to fix something privately, its hand has to be forced.
Yes, this means that hackers around the world have a step-by-step guide for a new attack method, but without the publicity, they could have been doing it on the down low anyway. At least this way, Microsoft might be shamed into taking action.
Hopefully, Microsoft will take a second look at the bug, but in the meantime be wary of saved web page attachments (.mht or .mhtml files) sent your way. At the very least open them in Chrome rather than letting a double-click hand them to Internet Explorer, or change the default program for .mht files so that it is no longer IE. µ