Skip to main content

Internet Explorer zero-day exploit makes files vulnerable to hacks on Windows PCs

Windows 10 Surface Pro 4 stock photo
Mark Von Holden/AP Images for AP Images for Windows/Microsoft Image Gallery

There were already a number of reasons to not use Internet Explorer. But if you needed another one, here it is.

According to ZDNet, a security researcher named John Page has published evidence of an Internet Explorer zero-day exploit that renders Windows PCs vulnerable to having their files stolen by hackers.

Recommended Videos

The zero-day exploit itself lies within Internet Explorer’s use of MHT files when users save webpages. But the file-stealing vulnerability isn’t necessarily in the saving of webpages in this format; as Page notes, it’s in the opening of MHT files:

“Internet Explorer is vulnerable to XML External Entity attack if a user opens a specially crafted .MHT file locally.This can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information. Example, a request for “c:\Python27\NEWS.txt” can return version information for that program.”

And as, ZDNet notes, even if you don’t use Internet Explorer as your main browser, your PC could still be vulnerable to this specific zero-day attack if you still have Internet Explorer installed and you open an MHT file. This is because MHT files are still opened by Internet Explorer by default on Windows PCs.

Page published the evidence (including a YouTube video and proof-of-concept code) online on April 12 and has claimed that not only did Microsoft know about the vulnerability, but that the technology company opted to not patch it when he notified them about it on March 27.

According to Page’s post, Microsoft replied to his message on April 10 with the following response:

“We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case.”

While there isn’t a patch for this zero-day exploit, it’s still worth mentioning that Page was able to confirm that the exploit works on Internet Explorer 11 on the following Windows systems: Windows 10, Windows 7, and Windows Server 2012 R2.

In general, though, as you would with files from unknown senders, you should exercise caution when opening MHT files regardless of your operating systems, since, as ZDNet notes, MHT files have a history of being used to transmit malware.

Anita George
Anita George has been writing for Digital Trends' Computing section since 2018. So for almost six years, Anita has written…
Windows 11 may launch tabbed File Explorer, smarter Clipboard
Windows 11 device sitting on a stool.

Microsoft is holding an event featuring Surface and Windows Chief Panos Panay on April 5, and even though it seems to be catered to enterprises, some high expectations are being set. Rumors indicate that Microsoft could announce some big Windows 11 features come event day.

The leading belief is that Windows 11's clipboard could get a lot smarter, according to The Verge. Microsoft might announce the addition of suggested actions to the Windows clipboard, including being able to call a copied phone number or send an email to a copied email address.

Read more
Upcoming Windows update will kill Internet Explorer for good
windows 10 june update will kill internet explorer for good poznan  pol may 1 2021 laptop computer displaying logo

Internet Explorer is set to have its final end-of-life update on June 15. The Windows 10 update will be sent out to PCs after that date, disabling the browser and wiping it from devices.

While Microsoft has detailed its plans to retire Internet Explorer since May 2021, the Redmond, Washington company says the upcoming end-of-life update will disable the browser in a fashion that will redirect users to the Microsoft Edge browser when they try to access the feature.

Read more
Frustrated security researcher discloses Windows zero-day bug, blames Microsoft
Laptop sitting on a desk showing Windows 11's built-in Microsoft Teams experience.

There's a new zero-day issue in Windows, and this time the bug has been disclosed to the public by an angry security researcher. The vulnerability relates to users leveraging the command prompt with unauthorized system privileges to share dangerous content through the network.

According to a report from Bleeping Computer, Abdelhamid Naceri, the security researcher who disclosed this bug, is frustrated with Microsoft over payouts from the bug bounty program. Bounties have apparently been downgraded significantly over the past two years. Naceri isn't alone, either. One Twitter user reported in 2020 that zero-day vulnerabilities no longer pay $10,000 and are now valued at $1,000. Earlier this month, another Twitter user reported that bounties can be reduced at any time.

Read more