Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Microsoft

Internet Explorer Exploit Steals Data From Windows Users-- Even If They Never Use Internet Explorer (mashable.com) 80

Security researcher John Page has revealed a new zero-day exploit that allows remote attackers to exfiltrate Local files using Internet Explorer. "The craziest part: Windows users don't ever even have to open the now-obsolete web browser for malicious actors to use the exploit," reports Mashable. "It just needs to exist on their computer..." [H]ackers are taking advantage of a vulnerability using .MHT files, which is the file format used by Internet Explorer for its web archives. Current web browsers do not use the .MHT format, so when a PC user attempts to access this file Windows opens IE by default. To initiate the exploit, a user simply needs to open an attachment received by email, messenger, or other file transfer service...

Most worrisome, according to Page, is that Microsoft told him that it would just "consider" a fix in a future update. The security researcher says he contacted Microsoft in March before now going public with the issue. As ZDNet points out, while Internet Explorer usage makes up less than 10 percent of the web browser market, it doesn't particularly matter in this case as the exploit just requires a user to have the browser on their PC.

This discussion has been archived. No new comments can be posted.

Internet Explorer Exploit Steals Data From Windows Users-- Even If They Never Use Internet Explorer

Comments Filter:
  • Nani?! (Score:5, Funny)

    by jargonburn ( 1950578 ) on Sunday April 14, 2019 @05:52PM (#58437342)
    Oh, wait, you mean I have to open a malicious attachment to be exposed to this risk? Your shocking headline had me concerned, for a moment.
    • by JcMorin ( 930466 )
      Agree, I had the impression if I had IE installed I could be at risk but I have to open the freaking files. Nothing to see. I could say the same thing if you open a .exe! As far as I know, I never open attachment if I don't know the sender and expect the file.
    • by Anonymous Coward

      Damn near every single security hole is exploited via ID-10T and PEBCAK methods these days.

    • It's a clunky explanation. You have software X installed to handle filetype A, and you never use software X. Then you get a file of filetype A, and it opens the software. "WE CAN EXPLOIT THE SOFTWARE EVEN IF YOU NEVER RUN IT!" ... just like Microsoft Word with malicious DOCX files...

  • by Anonymous Coward

    User opens malicious attachment. Ok...this is new how?

    Also, if a user never has to use IE, then why do they have to open the attachment in IE?

    • by Anonymous Coward

      Also, if a user never has to use IE, then why do they have to open the attachment in IE?

      For in the depths of the spaghetti patchwork commonly referred to as "Windows" lies code that defaults to opening .mht files with IE.

  • Mitigation (Score:5, Interesting)

    by alexo ( 9335 ) on Sunday April 14, 2019 @05:58PM (#58437362) Journal

    Chrome can open MHTML files [wikipedia.org], Firefox used to (with an add-on) but not anymore, and there are free viewers available. All one has to do is to set the association of .MHT files to another program.

    • Chrome can open MHTML files [wikipedia.org], Firefox used to (with an add-on) but not anymore, and there are free viewers available. All one has to do is to set the association of .MHT files to another program.

      You could also try associating .mht files with say, an antivirus program instead of a defunct browser. Seems like a difficult fix...

      • by Anonymous Coward

        Till the next build resets the file association.

        • If you do not use IE then renaming the directory containing Internet Explorer will bring up a "name.mht" file choose application to open this file dialogue. As a temporary defense this works for me.

    • If you associate to another browser, won't that also expose the exploit? Wouldn't it be better not to associate anything to an .mhtml file?
  • by xack ( 5304745 ) on Sunday April 14, 2019 @06:24PM (#58437430)
    Over 20 years since IE started coming bundled with Windows in a deeply integrated manner. There will be outbreaks of IE malware for years due to the fact so many buisnesnesses only supported IE as their web browser. The same thing will happen with the widespread adoption of chromium instead of developing multiple independant browsers to ensure web diversity. Now Mo$Illa had been bribed to downgrade their browser we are now in the era of adverbrowsers and will contain more ways to attack your browser due to the constant bloat being added to them. Prepare for the Wannacry decade powered by ChromIE.
  • ... by setting all the "dangerous" file associations to non-MS programs.

    File extensions like .mht, .xls*, .doc*, even .csv. .mht files have been known-dangerous for a decade now. Useless plus dangerous should be enough of a signal to the security conscious to have made them harmless by now.

  • It is a natural use of Mime. And it allows HTML to be used as a document format,in one document.

    It is really annoying that the other browsers refused to support it just because it was Microsoft's idea.

  • on the list of possible risks this ranks low to non-existent for most users as you have to get the fucking exploit file onto the machine in the first place and it is a file type that is basically universally blocked by any sane system and is even the default in MS's own mail products. So no it doesn't just require the user to have IE installed, it requires them to have no file filtering and be a fucking moron (admittedly many meet that bar, but not both).
  • This is the first app I uninstall when I first use a Windows machine.

  • by Anonymous Coward

    The average person can't fix this, but it's not hard. I've never even seen an MHT file. I'm not worried about missing them.
    So? Go into HKEY_CLASSES_ROOT\.mht and HKEY_CLASSES_ROOT\.mhtml. Change the default value to "txtfile". Delete the content type entry. Now it's just a text file, opened in Notepad.

  • So here "never used internet explorer" need some context - on whether the exploit is based on files related to opening web files or was it related to the executable.

  • Contact Chrome, Safari and other browser makers and ask them to prompt the user and get assigned as the default handler for these extensions?
  • What the fuck is the point of calling an exploit "zero day" when the relevant software hasn't been updated in years anyways?

    Zero day used to mean that it came out *before* the main release of whatever it applied to, but if there is no otherwise upcoming release, then it isn't really "before" anything... it's just a previously unknown exploit.

    • LOL NO. Zero day means the information released to the wild prior to a fix or knowledge of the problem being available to the authors of the software. It has nothing to do with upcoming releases.
      • by mark-t ( 151149 )

        Zero day means the information released to the wild prior to a fix or knowledge of the problem being available to the authors of the software

        Exactly.... "prior to".

        This software is not being actively updated anymore. There is no notion of being before *anything* here.

  • A program that works even when no one use it!
  • Not even close to a shocking/unknown exploit. Next up: opening .exe files in email attachments may be risky - where do I submit this for MS to pay me?
  • ... nothing to see here.

    > To initiate the exploit, a user simply needs to open an attachment received by email, messenger, or other file transfer service.

    When you can convince a user to open a malicious attachment, there are many many options open to you. This is nothing new.

    • by ledow ( 319597 )

      Yep... especially MHT which is just HTML, in effect.

      If you're aren't already blocking that file format at your email server, you're in trouble anyway.

      Though it would be nice occasionally to get a 2019 email client that doesn't just open attachments and execute them in the general user context.

    • You'd also have to convince me to stop using Linux and go back to Windows.

  • by Keramos ( 1263560 ) on Monday April 15, 2019 @09:16AM (#58439670)
    Find Command Prompt in whatever start menu you have (it's probably under Accessories), and right-click on it, then select Run as administrator.
    You should get a User Account Control prompt, select yes.
    To see what the current association is, enter

    assoc .mht

    and press Enter/Return. It'll likely return

    .mht=mhmtlfile

    and if you wish to check if IE is the handler for that file type enter

    ftype mhtmlfile

    and press Enter. If the result mentions iexplore.exe, that's IE.
    Enter the following two lines (pressing Enter after each) to break the association for IE archives (there are two extensions associated):

    assoc .mht=

    assoc .mhmtl=

    Close the prompt (type exit and press Enter, or click the "X" close window control).
    A somewhat safer way (in terms of other possible exploits, not in mucking up your PC) is to use ftype to list any file types opened by IE ( ftype | find "iexplore" ) and then delete those filetypes ( ftype filetype= ), but if you're not confident with what you're doing, skip that.

news: gotcha

Working...