Slashdot Mirror


Internet Explorer Exploit Steals Data From Windows Users-- Even If They Never Use Internet Explorer (mashable.com)

Security researcher John Page has revealed a new zero-day exploit that allows remote attackers to exfiltrate local files using Internet Explorer. "The craziest part: Windows users don't ever even have to open the now-obsolete web browser for malicious actors to use the exploit," reports Mashable. "It just needs to exist on their computer..." [H]ackers are taking advantage of a vulnerability using .MHT files, which is the file format used by Internet Explorer for its web archives. Current web browsers do not use the .MHT format, so when a PC user attempts to access this file Windows opens IE by default. To initiate the exploit, a user simply needs to open an attachment received by email, messenger, or other file transfer service...

Most worrisome, according to Page, is that Microsoft told him that it would just "consider" a fix in a future update. The security researcher says he contacted Microsoft in March before now going public with the issue. As ZDNet points out, while Internet Explorer usage makes up less than 10 percent of the web browser market, it doesn't particularly matter in this case as the exploit just requires a user to have the browser on their PC.

80 comments

  1. [H]ackers? by Anonymous Coward · · Score: 0

    What's with that bracket?

    1. Re:[H]ackers? by SlayerOfKings · · Score: 1

      Tribute to the now sadly defunct [H]ardOCP?

    2. Re:[H]ackers? by Anonymous Coward · · Score: 0

      It means it's part of a sentence that is taken out of context.

    3. Re: [H]ackers? by Anonymous Coward · · Score: 0

      Learn to read.

    4. Re:[H]ackers? by parkinglot777 · · Score: 1

      What's with that bracket?

      Normally, you would put [sic] right behind the misspelled word, but in this case it is not. Here is the original quote from TFA...

      Basically, what this means is that hackers are taking advantage of a vulnerability using .MHT files, which is the file format used by Internet Explorer for its web archives. Current web browsers do not use the .MHT format, so when a PC user attempts to access this file Windows opens IE by default.

      Basically, the summary took a portion of the whole paragraph starting from 'hackers' onward. As a result, the summary wants to start a sentence with a lowercase letter without quotation marks, and it seems to be grammatically incorrect. Normally, a pair of square brackets is used to correct a certain incorrect word in place for readers. As a result, the word 'hacker' becomes '[H]acker' because it is the starting word of a sentence.

      To me, they should simply quote the whole paragraph and stop being smart to just take a portion from TFA. Besides, it is only a small portion that they took out.

    5. Re:[H]ackers? by Anonymous Coward · · Score: 0

      What's with the lying in the article?

      [H]ackers are taking advantage of a vulnerability using .MHT files, which is the file format used by Internet Explorer for its web archives. Current web browsers do not use the .MHT format

      MHT format files have been around for a long time. I've used them with Vivaldi, Opera (both old and new), Chromium, Firefox and Pale Moon. What the fuck is this bullshit about only IE using MHT?

  2. Now obsolete? by Anonymous Coward · · Score: 0

    There are plenty of corporations that still force their employees to use IE.

    1. Re:Now obsolete? by nukenerd · · Score: 1

      There are plenty of corporations that still force their employees to use IE.

      Microsoft told us that it was "part of the operating system", so they must be using it if they use Windows.

  3. Nani?! by jargonburn · · Score: 5, Funny

    Oh, wait, you mean I have to open a malicious attachment to be exposed to this risk? Your shocking headline had me concerned, for a moment.

    1. Re:Nani?! by JcMorin · · Score: 0

      Agreed, I had the impression that if I had IE installed I could be at risk, but I have to open the freaking files. Nothing to see. I could say the same thing if you open a .exe! As far as I know, I never open an attachment if I don't know the sender and expect the file.

    2. Re:Nani?! by Anonymous Coward · · Score: 0

      Not a big deal to YOU, but it's a huge deal for someone who manages tens of thousands of endpoints, where the probability of at least a few users opening a well-worded and disguised exploitative email is high.

    3. Re:Nani?! by JcMorin · · Score: 1

      Could .MHT files be considered dangerous like .exe, .bat and various others? Is that really used anyway?

    4. Re:Nani?! by Anonymous Coward · · Score: 1, Insightful

      If you are dealing with tens of thousands of users and you haven't already blocked potentially malicious file attachment types (or in this case you would have had to unblock them as this is a default blocked one) then you are simply a fail admin and really should be sacked.

    5. Re: Nani?! by Anonymous Coward · · Score: 1

      Nope, it's not a concern for IT managers either.

      They just simply disable MHT since nobody really uses it. Problem solved

    6. Re:Nani?! by Anonymous Coward · · Score: 0

      "at least a few users to open a well worded and disguised exploitative email"
      Yes and this is the number one way exploits are taken advantage of. The article makes this exploit sound like it is some type of new and unknown vector that must be dealt with immediately. Users are still the number one security risk out there.

    7. Re:Nani?! by gravewax · · Score: 1

      you were modded down but are mostly correct. This is NOT a problem in larger environments as users have protections in place to prevent users from being brain dead idiots and if they don't then that is on the admins.

    8. Re:Nani?! by Anonymous Coward · · Score: 0

      Oh, wait, you mean I have to open a malicious attachment to be exposed to this risk?

      Not necessarily:

      • Firefox users are open to drive-bys with this. Depending on security settings it either prompts to open multipart/related content with Internet Explorer, or just opens it without consent (the default).
      • Edge users will find multipart/related content automatically downloaded to their Downloads folder (without prompt). If they subsequently open items from the Downloads folder then it will open them in MS-IE.
      • Chrome users are at least prompted to save multipart/related content to disk by default.
    9. Re:Nani?! by Anonymous Coward · · Score: 0

      as users have protections in place to prevent users from being brain dead idiots

      I would have liked it to be able to delete certain extensions from the HKCR registry branch without seeing them being auto-added again-and-again.

      Also, a lot of extensions there are for stuff I've never ever used, and can't remember having ever seen on a file (on my 'puter), in my (a couple of decades) long use of Windows.

      It's like having a (front) door with lots of locks - most of which you are not even aware of being there - each and every one capable of opening it. It's not a question of if, but when someone finds one of them and (ab)uses it.

    10. Re:Nani?! by Anonymous Coward · · Score: 1

      Damn near every single security hole is exploited via ID-10T and PEBCAK methods these days.

    11. Re:Nani?! by Bert64 · · Score: 1

      Block files with that extension, and push a policy to disassociate that extension so users don't open the files by mistake...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    12. Re:Nani?! by Jason+Levine · · Score: 1

      Back in the days when Windows Scripting Host and viruses based on it reigned supreme, I wrote a small program to stop them. It took over the WSH file association. It would check the file when run, warn you of any potential issues (e.g. "this script will delete files") and give you the opportunity to either stop the script from ever running or run it (if it was a valid script you meant to run). As the years passed, this program had a small following but it died out as other anti-virus tools got this capability (and more).

      Getting back to the MHT vulnerability, couldn't you simply break the MHT-IE association? Either with a program that would warn the user and give them a chance to back out, or just by deleting the association entirely?

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    13. Re:Nani?! by CaptainDork · · Score: 1

      I agree.

      I worked what we used to call, "the big site mentality," long before the word, "enterprise," came along. We automated shit and blocked extensions that we didn't like and pushed those out to the desktop using login files on the servers.

      This shit about blaming the user is old. Failures aren't because of "stupid users," the failures are the property of the goddam admins.

      --
      It little behooves the best of us to comment on the rest of us.
    14. Re:Nani?! by bluefoxlucid · · Score: 1

      It's a clunky explanation. You have software X installed to handle filetype A, and you never use software X. Then you get a file of filetype A, and it opens the software. "WE CAN EXPLOIT THE SOFTWARE EVEN IF YOU NEVER RUN IT!" ... just like Microsoft Word with malicious DOCX files...

  4. Um by Anonymous Coward · · Score: 1

    User opens malicious attachment. Ok...this is new how?

    Also, if a user never has to use IE, then why do they have to open the attachment in IE?

    1. Re:Um by Anonymous Coward · · Score: 1

      Also, if a user never has to use IE, then why do they have to open the attachment in IE?

      For in the depths of the spaghetti patchwork commonly referred to as "Windows" lies code that defaults to opening .mht files with IE.

  5. Mitigation by alexo · · Score: 5, Interesting

    Chrome can open MHTML files, Firefox used to (with an add-on) but not anymore, and there are free viewers available. All one has to do is to set the association of .MHT files to another program.

    1. Re:Mitigation by bobstreo · · Score: 0

      Chrome can open MHTML files, Firefox used to (with an add-on) but not anymore, and there are free viewers available. All one has to do is to set the association of .MHT files to another program.

      You could also try associating .mht files with say, an antivirus program instead of a defunct browser. Seems like a difficult fix...

    2. Re:Mitigation by ISoldat53 · · Score: 2

      If you associate to another browser, won't that also expose the exploit? Wouldn't it be better not to associate anything to an .mhtml file?

    3. Re:Mitigation by Anonymous Coward · · Score: 1

      Till the next build resets the file association.

    4. Re:Mitigation by coastwalker · · Score: 1

      If you do not use IE then renaming the directory containing Internet Explorer will bring up a "name.mht" file choose application to open this file dialogue. As a temporary defense this works for me.

      --
      Facts are history now plebs have politics for religion on social media.
    5. Re:Mitigation by Anonymous Coward · · Score: 0

      Associate it with MS Paint.

    6. Re:Mitigation by Anonymous Coward · · Score: 0

      or just make an empty file called "temp.mht", shift right-click=>open as/with, choose new default other than internet explorer.

      easier than mucking with the registry, or with antivirus block lists, or Windows' default apps settings, or even with your fix of renaming directories that Windows expects to find (which could mess up future updates or other software).

    7. Re:Mitigation by squiggleslash · · Score: 1

      Only if that browser has the same bug.

      The issue here is not .MHT, it's bugs in Internet Explorer. .MHT is just being used as a way to get the payload to IE. Send it somewhere else, be it /dev/null or Chrome, and you've solved the problem.

      --
      You are not alone. This is not normal. None of this is normal.
    8. Re:Mitigation by Anonymous Coward · · Score: 0

      Open with Notepad++

  6. Easy to fix by Anonymous Coward · · Score: 0

    Things like this are why I uninstalled IE months ago

    1. Re:Easy to fix by Anonymous Coward · · Score: 0

      I uninstalled IE

      Glad to see more people are switching to Linux.

    2. Re:Easy to fix by Anonymous Coward · · Score: 0

      VERY EASY for the AVERAGE PERSON!
      Right click on desktop or in whatever folder
      then left click create new document to Create new notepad document name it
      Anything.mht
      right click on the new document, then left click "open with"
      find notepad in your list of programs and left click it,
      also left click always open with this program, ok you're done!
      Enjoy! :D

  7. You cannot escape IE by xack · · Score: 4, Insightful

    It's been over 20 years since IE started coming bundled with Windows in a deeply integrated manner. There will be outbreaks of IE malware for years due to the fact that so many businesses only supported IE as their web browser. The same thing will happen with the widespread adoption of Chromium instead of developing multiple independent browsers to ensure web diversity. Now that Mo$Illa has been bribed to downgrade their browser we are in the era of adverbrowsers, which will contain more ways to attack your browser due to the constant bloat being added to them. Prepare for the Wannacry decade powered by ChromIE.

    1. Re:You cannot escape IE by Anonymous Coward · · Score: 0

      It's called junk code: obscure executables, called directly, indirectly, by association indirectly, OR by common operating system module linkage.
      AV software could be enhanced by logging what is called, then printing a report by age of module sorted by functional product name. Probably a lot of pre-2000 modules with no string length checking.
      You assume a competent vendor would be on top of this, but you would be wrong.
      Plenty of other targets are still buried in there. Start by looking for the oldest unrefreshed/unrefactored module, sorted by ring level.

    2. Re:You cannot escape IE by Anonymous Coward · · Score: 0

      It's not IE, it's Microsoft. Stop using shit that company makes!

    3. Re:You cannot escape IE by Anonymous Coward · · Score: 0

      IE is a virus. Pure and Simple.
      Chrome isn't much better.

      Just move to a system that uses neither browser.

  8. cve number by Anonymous Coward · · Score: 0

    Is there one? Or is it still fresh out the oven?

  9. Fixed long ago... by WoodstockJeff · · Score: 0

    ... by setting all the "dangerous" file associations to non-MS programs.

    File extensions like .mht, .xls*, .doc*, even .csv. .mht files have been known-dangerous for a decade now. Useless plus dangerous should be enough of a signal to the security conscious to have made them harmless by now.

  10. To disclose that capitalization was changed by tepples · · Score: 2

    I think it was supposed to mean that the "h" was lowercase in the featured article but uppercase in the quotation. The corresponding sentence in TFA begins as follows: "Basically, what this means is that hackers are taking advantage of a vulnerability..."

    But in this sense, the word was used in the sense of electronic intruders, not people who enjoy playful cleverness. I personally would have marked the entire first word as rephrased: "[Intruders] are taking advantage of a vulnerability..."

    1. Re:To disclose that capitalization was changed by nukenerd · · Score: 1

      I personally would have marked the entire first word as rephrased: "[Intruders] are taking advantage of a vulnerability..."

      Why change a word? That's worse. I always indicate that I have removed parts of sentences by ellipses: "... hackers are taking advantage of a vulnerability ..."

    2. Re: To disclose that capitalization was changed by Anonymous Coward · · Score: 0

      But who will clean up the mess?
      Soooo many hackers forcing themselves on innocent computers and exploiting them...
      Will any drive bay or opening be safe?

    3. Re:To disclose that capitalization was changed by tepples · · Score: 1

      Why change a word? That's worse.

      In this particular case, I recommended disambiguating "hackers" to "intruders" to distinguish it from other senses of the word. Using a more specific term avoids the fallacy of equivocation.

  11. MHT is a good format by aberglas · · Score: 1

    It is a natural use of MIME. And it allows HTML to be used as a document format, in one document.

    It is really annoying that the other browsers refused to support it just because it was Microsoft's idea.

    1. Re:MHT is a good format by Anonymous Coward · · Score: 0

      It is a natural use of MIME. And it allows HTML to be used as a document format, in one document.

      It is really annoying that the other browsers refused to support it just because it was Microsoft's idea.

      Opera has supported the mht format since forever.

    2. Re:MHT is a good format by Anonymous Coward · · Score: 0

      I remember asking Firefox to support MHT ages ago on the official tracker.
      If Firefox had been supporting it, then Firefox users would have been safe.

  12. not much to see here by gravewax · · Score: 1

    on the list of possible risks this ranks low to non-existent for most users as you have to get the fucking exploit file onto the machine in the first place and it is a file type that is basically universally blocked by any sane system and is even the default in MS's own mail products. So no it doesn't just require the user to have IE installed, it requires them to have no file filtering and be a fucking moron (admittedly many meet that bar, but not both).

  13. Good thing by Berkyjay · · Score: 1

    This is the first app I uninstall when I first use a Windows machine.

    1. Re: Good thing by Anonymous Coward · · Score: 0

      I'm confused, how do you download Firefox if you don't have Internet Explorer?

  14. Easy to fix by Anonymous Coward · · Score: 1

    The average person can't fix this, but it's not hard. I've never even seen an MHT file. I'm not worried about missing them.
    So? Go into HKEY_CLASSES_ROOT\.mht and HKEY_CLASSES_ROOT\.mhtml. Change the default value to "txtfile". Delete the content type entry. Now it's just a text file, opened in Notepad.

  15. You have always used explorer.exe by SYSS+Mouse · · Score: 1

    So here "never used internet explorer" needs some context - on whether the exploit is based on files related to opening web files or was it related to the executable.

    1. Re:You have always used explorer.exe by Anonymous Coward · · Score: 0

      So here "never used internet explorer" needs some context - on whether the exploit is based on files related to opening web files or was it related to the executable.

      Tell me something, have you always confused explorer.exe for iexplore.exe?

      Internet Explorer version 11 is the program that needs to be installed on your Windows 10 machine in order for this exploit to work, so I'd say it's pretty clear where the problem is.

      It's called RTFA.

  16. Everyone uses Internet explorer by Anonymous Coward · · Score: 0

    Internet Explorer is basically a superset of Windows Explorer; even if you are not using the browser you are using it. That is why an IE vulnerability is a Windows Explorer vulnerability, and the opposite is also true.
    Every time you open a folder, Explorer is opening a small portion of every known file; if it's an executable it will execute it to get the icons.

  17. In Windows 10... by Anonymous Coward · · Score: 0

    Settings > Apps > Manage Optional Features. Choose Internet Explorer 11, Uninstall.

  18. Why contact IE? by 140Mandak262Jamuna · · Score: 1

    Contact Chrome, Safari and other browser makers and ask them to prompt the user and get assigned as the default handler for these extensions?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  19. "Zero day".... by mark-t · · Score: 1

    What the fuck is the point of calling an exploit "zero day" when the relevant software hasn't been updated in years anyways?

    Zero day used to mean that it came out *before* the main release of whatever it applied to, but if there is no otherwise upcoming release, then it isn't really "before" anything... it's just a previously unknown exploit.

    1. Re:"Zero day".... by gravewax · · Score: 1

      LOL NO. Zero day means the information released to the wild prior to a fix or knowledge of the problem being available to the authors of the software. It has nothing to do with upcoming releases.

    2. Re:"Zero day".... by Anonymous Coward · · Score: 0

      Indeed, and since MS was informed of the exploit in March, revealing it to the public only today doesn't make it a zero-day. It's still bullshit to call it that way.

    3. Re:"Zero day".... by mark-t · · Score: 1

      Zero day means the information released to the wild prior to a fix or knowledge of the problem being available to the authors of the software

      Exactly.... "prior to".

      This software is not being actively updated anymore. There is no notion of being before *anything* here.

  20. Amazing! by hcs_$reboot · · Score: 1

    A program that works even when no one uses it!

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  21. "Security researcher" mad he didn't get paid by NicknameUnavailable · · Score: 1

    Not even close to a shocking/unknown exploit. Next up: opening .exe files in email attachments may be risky - where do I submit this for MS to pay me?

    1. Re:"Security researcher" mad he didn't get paid by Brett+Buck · · Score: 1

      But they said my computer had a virus and this executable would clean it up!

    2. Re:"Security researcher" mad he didn't get paid by Anonymous Coward · · Score: 0

      Researcher wasn't looking to get paid, he was looking to be *HEARD* and for a patch to come out. You do realize that people report vulnerabilities to vendors for reasons other than cold hard cash, don't you?

  22. Move along... by DrStrangluv · · Score: 1
    ... nothing to see here.

    > To initiate the exploit, a user simply needs to open an attachment received by email, messenger, or other file transfer service.

    When you can convince a user to open a malicious attachment, there are many many options open to you. This is nothing new.

    1. Re:Move along... by ledow · · Score: 1

      Yep... especially MHT which is just HTML, in effect.

      If you aren't already blocking that file format at your email server, you're in trouble anyway.

      Though it would be nice occasionally to get a 2019 email client that doesn't just open attachments and execute them in the general user context.

    2. Re:Move along... by Anonymous Coward · · Score: 0

      So many /. users want so badly for me to "move along", there must be something /really/ interesting here...

    3. Re:Move along... by vandamme · · Score: 1

      You'd also have to convince me to stop using Linux and go back to Windows.

  23. Re:APK Hosts File Engine 3.0++ blocks this... apk by Anonymous Coward · · Score: 0

    Your static hosts file now scans incoming email attachments too? Wow, I want what you are drinking.

  24. To Disable The Association in Windows... by Keramos · · Score: 5, Informative
    Find Command Prompt in whatever start menu you have (it's probably under Accessories), and right-click on it, then select Run as administrator.
    You should get a User Account Control prompt, select yes.
    To see what the current association is, enter

    assoc .mht

    and press Enter/Return. It'll likely return

    .mht=mhtmlfile

    and if you wish to check if IE is the handler for that file type enter

    ftype mhtmlfile

    and press Enter. If the result mentions iexplore.exe, that's IE.
    Enter the following two lines (pressing Enter after each) to break the association for IE archives (there are two extensions associated):

    assoc .mht=

    assoc .mhtml=

    Close the prompt (type exit and press Enter, or click the "X" close window control).
    A somewhat safer way (in terms of other possible exploits, not in mucking up your PC) is to use ftype to list any file types opened by IE ( ftype | find "iexplore" ) and then delete those filetypes ( ftype filetype= ), but if you're not confident with what you're doing, skip that.
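
    The assoc/ftype check above and the HKCR\.mht "txtfile" edit from comment 14, as an added PowerShell example (not code from this thread or from any of its posters): it audits which ProgID and open command .mht/.mhtml resolve to, flags iexplore.exe as the handler, and with -Remap points both extensions at Notepad. The function names and the -Remap switch are this example's own choices.

```powershell
# Added example, not from the Slashdot thread: audit the .mht/.mhtml
# associations that the thread's "assoc"/"ftype" steps and the HKCR\.mht
# registry edit refer to, and report whether iexplore.exe is the handler.
# Read-only by default; -Remap points both extensions at "txtfile" (Notepad)
# as the thread suggests. Run from an elevated PowerShell prompt.
[CmdletBinding()]
param(
    [switch]$Remap
)

# HKCR is not a PSDrive by default; map it (merged HKLM/HKCU Software\Classes view).
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    $null = New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT
}

function Get-ExtensionHandler {
    # Equivalent of "assoc .ext" followed by "ftype <progid>".
    param([Parameter(Mandatory)][string]$Extension)

    $progId  = $null
    $command = $null
    $extKey  = "HKCR:\$Extension"
    if (Test-Path -LiteralPath $extKey) {
        $progId = (Get-ItemProperty -LiteralPath $extKey).'(default)'
    }
    if ($progId) {
        $cmdKey = "HKCR:\$progId\shell\open\command"
        if (Test-Path -LiteralPath $cmdKey) {
            $command = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
        }
    }
    [pscustomobject]@{
        Extension   = $Extension
        ProgId      = $progId
        OpenCommand = $command
        # Same test as the thread's "ftype mhtmlfile": does the handler name iexplore.exe?
        HandledByIE = [bool]($command -and $command -match 'iexplore\.exe')
    }
}

function Set-ExtensionToText {
    # The HKCR edit from comment 14: default value -> "txtfile", drop "Content Type"
    # so the shell no longer treats the file as an IE web archive.
    param([Parameter(Mandatory)][string]$Extension)

    $extKey = "HKCR:\$Extension"
    if (-not (Test-Path -LiteralPath $extKey)) {
        $null = New-Item -Path $extKey -Force
    }
    Set-ItemProperty -LiteralPath $extKey -Name '(default)' -Value 'txtfile'
    Remove-ItemProperty -LiteralPath $extKey -Name 'Content Type' -ErrorAction SilentlyContinue
}

$extensions = '.mht', '.mhtml'
$extensions | ForEach-Object { Get-ExtensionHandler -Extension $_ } | Format-Table -AutoSize

if ($Remap) {
    foreach ($ext in $extensions) { Set-ExtensionToText -Extension $ext }
    'After remap:'
    $extensions | ForEach-Object { Get-ExtensionHandler -Extension $_ } | Format-Table -AutoSize
}

# Caveats: a per-user choice under
# HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\<ext>\UserChoice
# overrides HKCR for that user and is not inspected here; and, as several replies
# note, a feature update may restore the original association, so re-run this audit
# after updates (or enforce the keys centrally with Group Policy Preferences).
```

    The audit part needs no elevation; only -Remap writes to HKCR and therefore needs an administrator prompt.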

    1. Re:To Disable The Association in Windows... by Anonymous Coward · · Score: 0

      Windows has a habit of clobbering over registry changes after updates. What's to prevent that from happening? It would be *nice* if the registry allowed admins to lock down changes and be prompted when an update wants to revert them, but that would require Microsoft to actually make an operating system that's designed sanely and properly.

      But no, to have the "luxury" of your update manager prompting you to accept, reject or merge changes to your system's global configuration, you need to run Linux. It's sad, because Microsoft could compete with Linux by copying some of these ideas; they just chose not to. Most customers don't know what they're missing anyway, so why bother?

    2. Re: To Disable The Association in Windows... by Anonymous Coward · · Score: 0

      There's this thing called Group Policy Preferences which can centrally set regkeys among other things....

    3. Re:To Disable The Association in Windows... by Anonymous Coward · · Score: 0

      I sure hope you're not claiming to be an expert

  25. Who you replied to wasn't really me... apk by Anonymous Coward · · Score: 0

    Who you replied to wasn't I: It's an IMPOSTOR/IMPERSONATOR of me & I said so here in reply to him https://it.slashdot.org/commen...

    * NOW, it's probably just YOU doing the IMPERSONATING of me too - GROW UP.

    APK

    P.S.=> HOWEVER - I will tell you what hosts files do for EMAIL vs. BOGUS email payload links - it BLOCKS THEM so you can't be poisoned by them & their payload... apk