A security researcher named John Page has discovered a flaw in Microsoft’s Internet Explorer (IE) browser which is reported to allow hackers to sneak into the victim files even if they are not using it.
John said that the said browser of Microsoft is vulnerable to XML External Entity Attack if in case a user opens a specially crafted.MHT file locally. The security research claims that when a victim opens such files, it will allow remote hackers to exfiltrate into the local files and conduct remote scouting on the program version info which is locally installed.
Readers of Cybersecurity Insiders should notify a fact over here that the IE browser has just a 7% usage rate in the world. But stats counter estimates that it has been installed on more than a billion computers running on Windows 7 and Windows 10.
As security researcher John claims that the vulnerability can expose even those who are not using the browser, the severity rate seems to be going full throttle.
What is the .MHT Threat in actual?
When the user of an online service saves a webpage, either manually or by tying CNTRL and S, it generally saves the webpage in .MHT format. And if users open the malicious.MHT file on their device it immediately launches the IE.
All modern day browsers save webpages in .HTML format. So, when a.MHT file is opened it automatically activates the IE.
Note- This is not the first time when Microsoft hit the news headlines for all wrong reasons when it comes to Internet Explorer. Last year, it issued a security alert when a security engineer from Google exposed a memory corruption in the IE which could be exploited by hackers who could later execute malicious code. Microsoft issued an immediate fix to it but did not say how many of the IE users could have been impacted by the susceptibility. But the Google engineer said that all users who were logged in with admin rights could have been exposed to hackers by the vulnerability as it allows cybercriminals to take control of the PC.
