19 April 2019
A new vulnerability has been discovered by security researchers in Internet Explorer that could allow hackers to steal sensitive user data. The vulnerability has been revealed by John Page (aka hyp3rlinx) which could potentially allow attackers to access a user’s computer's local files and spy on the user remotely.
The researcher states that the most troubling part of this discovery is that users don’t need to run the browser in order to expose a user’s computer to this flaw. A simple wrong attachment or message could be enough to expose the user’s data.
John Page states, "Internet Explorer is vulnerable to XML External Entity attack if a user opens a specially crafted.MHT file locally."
MHT (aka MHTML Web Archive) files which open in Internet Explorer by standard, is enough to start the process even if IE isn't your default browser. The report reveals that Microsoft was notified of the vulnerability on 27 March, however, the company has declined to release an urgent fix for the problem.
Microsoft has stated, "We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case."
Till the fix is released by Microsoft millions of users will be left vulnerable to the exploit. The data shows a steady decline in Internet Explorer use, still, a number of Windows users who are using the platform are vulnerable to hackers.