Security researcher John Page has revealed a new zero-day exploit that allows remote attackers to exfiltrate local files using Internet Explorer. “The craziest part: Windows users don’t ever even have to open the now-obsolete web browser for malicious actors to use the exploit,” reports Mashable. “It just needs to exist on their computer…”
[H]ackers are taking advantage of a vulnerability using .MHT files, which is the file format used by Internet Explorer for its web archives. Current web browsers do not use the .MHT format, so when a PC user attempts to access this file Windows opens IE by default. To initiate the exploit, a user simply needs to open an attachment received by email, messenger, or other file transfer service…
Most worrisome, according to Page, is that Microsoft told him that it would just “consider” a fix in a future update. The security researcher says he contacted Microsoft in March before now going public with the issue. As ZDNet points out, while Internet Explorer usage makes up less than 10 percent of the web browser market, it doesn’t particularly matter in this case as the exploit just requires a user to have the browser on their PC.