Slashdot Mirror


Internet Explorer Exploit Steals Data From Windows Users-- Even If They Never Use Internet Explorer (mashable.com)

Security researcher John Page has revealed a new zero-day exploit that allows remote attackers to exfiltrate local files using Internet Explorer. "The craziest part: Windows users don't ever even have to open the now-obsolete web browser for malicious actors to use the exploit," reports Mashable. "It just needs to exist on their computer..." [H]ackers are taking advantage of a vulnerability using .MHT files, which is the file format used by Internet Explorer for its web archives. Current web browsers do not use the .MHT format, so when a PC user attempts to access this file Windows opens IE by default. To initiate the exploit, a user simply needs to open an attachment received by email, messenger, or other file transfer service...

Most worrisome, according to Page, is that Microsoft told him that it would just "consider" a fix in a future update. The security researcher says he contacted Microsoft in March before now going public with the issue. As ZDNet points out, while Internet Explorer usage makes up less than 10 percent of the web browser market, it doesn't particularly matter in this case as the exploit just requires a user to have the browser on their PC.


  1. Nani?! by jargonburn · · Score: 5, Funny

    Oh, wait, you mean I have to open a malicious attachment to be exposed to this risk? Your shocking headline had me concerned, for a moment.

    1. Re:Nani?! by JcMorin · · Score: 1

      Could .MHT files be considered dangerous like .exe, .bat and various others? Are they really used anyway?

    2. Re:Nani?! by Anonymous Coward · · Score: 1, Insightful

      If you are dealing with tens of thousands of users and you haven't already blocked potentially malicious file attachment types (or in this case you would have had to unblock them as this is a default blocked one) then you are simply a fail admin and really should be sacked.

    3. Re: Nani?! by Anonymous Coward · · Score: 1

      Nope, it's not a concern for it managers either.

      They just simply disable MHT since nobody really uses it. Problem solved

    4. Re:Nani?! by gravewax · · Score: 1

      you were modded down but are mostly correct. This is NOT a problem in larger environments as users have protections in place to prevent users from being brain dead idiots and if they don't then that is on the admins.

    5. Re:Nani?! by Anonymous Coward · · Score: 1

      Damn near every single security hole is exploited via ID-10T and PEBCAK methods these days.

    6. Re:Nani?! by Bert64 · · Score: 1

      Block files with that extension, and push a policy to disassociate that extension so users don't open the files by mistake...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    7. Re:Nani?! by Jason+Levine · · Score: 1

      Back in the days when Windows Scripting Host and viruses based on it reigned supreme, I wrote a small program to stop them. It took over the WSH file association. It would check the file when run, warn you of any potential issues (e.g. "this script will delete files") and give you the opportunity to either stop the script from ever running or run it (if it was a valid script you meant to run). As the years passed, this program had a small following but it died out as other anti-virus tools got this capability (and more).

      Getting back to the MHT vulnerability, couldn't you simply break the MHT-IE association? Either with a program that would warn the user and give them a chance to back out, or just by deleting the association entirely?

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    8. Re:Nani?! by CaptainDork · · Score: 1

      I agree.

      I worked what we used to call, "the big site mentality," long before the word, "enterprise," came along. We automated shit and blocked extensions that we didn't like and pushed those out to the desktop using login files on the servers.

      This shit about blaming the user is old. Failures aren't because of "stupid users," the failures are the property of the goddam admins.

      --
      It little behooves the best of us to comment on the rest of us.
    9. Re:Nani?! by bluefoxlucid · · Score: 1

      It's a clunky explanation. You have software X installed to handle filetype A, and you never use software X. Then you get a file of filetype A, and it opens the software. "WE CAN EXPLOIT THE SOFTWARE EVEN IF YOU NEVER RUN IT!" ... just like Microsoft Word with malicious DOCX files...

  2. Um by Anonymous Coward · · Score: 1

    User opens malicious attachment. Ok...this is new how?

    Also, if a user never has to use IE, then why do they have to open the attachment in IE?

    1. Re:Um by Anonymous Coward · · Score: 1

      Also, if a user never has to use IE, then why do they have to open the attachment in IE?

      For in the depths of the spaghetti patchwork commonly referred to as "Windows" lies code that defaults to opening .mht files with IE.

  3. Mitigation by alexo · · Score: 5, Interesting

    Chrome can open MHTML files, Firefox used to (with an add-on) but not anymore, and there are free viewers available. All one has to do is to set the association of .MHT files to another program.

    1. Re:Mitigation by ISoldat53 · · Score: 2

      If you associate to another browser, won't that also expose the exploit? Wouldn't it be better not to associate anything to an .mhtml file?

    2. Re:Mitigation by Anonymous Coward · · Score: 1

      Till the next build resets the file association.

    3. Re:Mitigation by coastwalker · · Score: 1

      If you do not use IE then renaming the directory containing Internet Explorer will bring up a "choose an application to open this file" dialogue for "name.mht". As a temporary defense this works for me.

      --
      Facts are history now plebs have politics for religion on social media.
    4. Re:Mitigation by squiggleslash · · Score: 1

      Only if that browser has the same bug.

      The issue here is not .MHT, it's bugs in Internet Explorer. .MHT is just being used as a way to get the payload to IE. Send it somewhere else, be it /dev/null or Chrome, and you've solved the problem.

      --
      You are not alone. This is not normal. None of this is normal.
  4. Re:[H]ackers? by SlayerOfKings · · Score: 1

    Tribute to the now sadly defunct [H]ardOCP?

  5. You cannot escape IE by xack · · Score: 4, Insightful

    Over 20 years since IE started coming bundled with Windows in a deeply integrated manner. There will be outbreaks of IE malware for years due to the fact so many businesses only supported IE as their web browser. The same thing will happen with the widespread adoption of Chromium instead of developing multiple independent browsers to ensure web diversity. Now that Mo$Illa has been bribed to downgrade their browser, we are in the era of adverbrowsers, which will contain more ways to attack your browser due to the constant bloat being added to them. Prepare for the Wannacry decade powered by ChromIE.

  6. To disclose that capitalization was changed by tepples · · Score: 2

    I think it was supposed to mean that the "h" was lowercase in the featured article but uppercase in the quotation. The corresponding sentence in TFA begins as follows: "Basically, what this means is that hackers are taking advantage of a vulnerability..."

    But in this sense, the word was was used in the sense of electronic intruders, not people who enjoy playful cleverness. I personally would have marked the entire first word as rephrased: "[Intruders] are taking advantage of a vulnerability..."

    1. Re:To disclose that capitalization was changed by nukenerd · · Score: 1

      I personally would have marked the entire first word as rephrased: "[Intruders] are taking advantage of a vulnerability..."

      Why change a word? That's worse. I always indicate that I have removed parts of sentences by ellipses: "... hackers are taking advantage of a vulnerability ..."

    2. Re:To disclose that capitalization was changed by tepples · · Score: 1

      Why change a word? That's worse.

      In this particular case, I recommended disambiguating "hackers" to "intruders" to distinguish it from other senses of the word. Using a more specific term avoids the fallacy of equivocation.

  7. MHT is a good format by aberglas · · Score: 1

    It is a natural use of MIME. And it allows HTML to be used as a document format, in one document.

    It is really annoying that the other browsers refused to support it just because it was Microsoft's idea.

  8. not much to see here by gravewax · · Score: 1

    on the list of possible risks this ranks low to non-existent for most users as you have to get the fucking exploit file onto the machine in the first place and it is a file type that is basically universally blocked by any sane system and is even the default in MS's own mail products. So no it doesn't just require the user to have IE installed, it requires them to have no file filtering and be a fucking moron (admittedly many meet that bar, but not both).

  9. Good thing by Berkyjay · · Score: 1

    This is the first app I uninstall when I first use a Windows machine.

  10. Easy to fix by Anonymous Coward · · Score: 1

    The average person can't fix this, but it's not hard. I've never even seen an MHT file. I'm not worried about missing them.
    So? Go into HKEY_CLASSES_ROOT\.mht and HKEY_CLASSES_ROOT\.mhtml. Change the default value to "txtfile". Delete the content type entry. Now it's just a text file, opened in Notepad.

  11. You have always used explorer.exe by SYSS+Mouse · · Score: 1

    So here "never used Internet Explorer" needs some context - on whether the exploit is based on files related to opening web files or was it related to the executable.

  12. Why contact IE? by 140Mandak262Jamuna · · Score: 1

    Contact Chrome, Safari and other browser makers and ask them to prompt the user and get assigned as the default handler for these extensions?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  13. "Zero day".... by mark-t · · Score: 1

    What the fuck is the point of calling an exploit "zero day" when the relevant software hasn't been updated in years anyways?

    Zero day used to mean that it came out *before* the main release of whatever it applied to, but if there is no otherwise upcoming release, then it isn't really "before" anything... it's just a previously unknown exploit.

    1. Re:"Zero day".... by gravewax · · Score: 1

      LOL NO. Zero day means the information released to the wild prior to a fix or knowledge of the problem being available to the authors of the software. It has nothing to do with upcoming releases.

    2. Re:"Zero day".... by mark-t · · Score: 1

      Zero day means the information released to the wild prior to a fix or knowledge of the problem being available to the authors of the software

      Exactly.... "prior to".

      This software is not being actively updated anymore. There is no notion of being before *anything* here.

  14. Amazing! by hcs_$reboot · · Score: 1

    A program that works even when no one uses it!

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  15. "Security researcher" mad he didn't get paid by NicknameUnavailable · · Score: 1

    Not even close to a shocking/unknown exploit. Next up: opening .exe files in email attachments may be risky - where do I submit this for MS to pay me?

    1. Re:"Security researcher" mad he didn't get paid by Brett+Buck · · Score: 1

      But they said my computer had a virus and this executable would clean it up!

  16. Move along... by DrStrangluv · · Score: 1
    ... nothing to see here.

    > To initiate the exploit, a user simply needs to open an attachment received by email, messenger, or other file transfer service.

    When you can convince a user to open a malicious attachment, there are many, many options open to you. This is nothing new.

    1. Re:Move along... by ledow · · Score: 1

      Yep... especially MHT which is just HTML, in effect.

      If you aren't already blocking that file format at your email server, you're in trouble anyway.

      Though it would be nice occasionally to get a 2019 email client that doesn't just open attachments and execute them in the general user context.

    2. Re:Move along... by vandamme · · Score: 1

      You'd also have to convince me to stop using Linux and go back to Windows.

  17. Re:Now obsolete? by nukenerd · · Score: 1

    There are plenty of corporations that still force their employees to use IE.

    Microsoft told us that it was "part of the operating system", so they must be using it if they use Windows.

  18. Re:[H]ackers? by parkinglot777 · · Score: 1

    What's with that bracket?

    Normally, you would put [sic] right behind the misspelled word, but in this case it is not. Here is the original quote from TFA...

    Basically, what this means is that hackers are taking advantage of a vulnerability using .MHT files, which is the file format used by Internet Explorer for its web archives. Current web browsers do not use the .MHT format, so when a PC user attempts to access this file Windows opens IE by default.

    Basically, the summary took a portion of the whole paragraph starting from 'hackers' and later on. As a result, the summary wants to start a sentence with a lower case without quotations and it seems to be grammatically incorrect. Normally, a pair of square brackets is used to correct certain incorrect word in-place for readers. As a result, the word 'hacker' becomes '[H]acker' because it is the starting word of a sentence.

    To me, they should simply quote the whole paragraph and stop being smart to just take a portion from TFA. Besides, it is only a small portion that they took out.

  19. To Disable The Association in Windows... by Keramos · · Score: 5, Informative
    Find Command Prompt in whatever start menu you have (it's probably under Accessories), and right-click on it, then select Run as administrator.
    You should get a User Account Control prompt, select yes.
    To see what the current association is, enter

    assoc .mht

    and press Enter/Return. It'll likely return

    .mht=mhtmlfile

    and if you wish to check if IE is the handler for that file type enter

    ftype mhtmlfile

    and press Enter. If the result mentions iexplore.exe, that's IE.
    Enter the following two lines (pressing Enter after each) to break the association for IE archives (there are two extensions associated):

    assoc .mht=

    assoc .mhtml=

    Close the prompt (type exit and press Enter, or click the "X" close window control).
    A somewhat safer way (in terms of other possible exploits, not in mucking up your PC) is to use ftype to list any file types opened by IE ( ftype | find "iexplore" ) and then delete those filetypes ( ftype filetype= ), but if you're not confident with what you're doing, skip that.
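The three mitigations proposed in this thread (comment 3: point the extension at another program; comment 10: map it to "txtfile" in the registry; comment 19: delete the association with assoc/ftype) all come down to editing the same registry keys. The script below is an added example, not code posted by any commenter, that audits where .mht and .mhtml currently resolve (including the per-user UserChoice override that beats HKCR), backs the current state up, and then applies either the "no handler" or the "open as text" fix and re-checks. The backup path under $env:TEMP and the function names are my own choices; the registry locations are the standard Windows ones. It must be run from an elevated PowerShell prompt, and as comment 3 notes, a feature update may restore the association, so re-run the audit after upgrades.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread): audit and neutralise the .mht/.mhtml
# associations that route MHTML archives to Internet Explorer.
# Assumes a standard HKCR layout; the backup path below is an arbitrary choice.

$Extensions = '.mht', '.mhtml'
$BackupPath = Join-Path $env:TEMP 'mht-assoc-backup.json'   # assumed location
$UserExts   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts'

function Resolve-ProgIdCommand {
    # Return the command line a ProgID would launch on "open", or $null if none.
    param([string]$ProgId)
    if (-not $ProgId) { return $null }
    (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open\command" `
        -ErrorAction SilentlyContinue).'(default)'
}

function Get-MhtAssociation {
    # Same information as "assoc .mht" plus "ftype mhtmlfile", but also checks the
    # per-user UserChoice key, which overrides HKCR for double-clicks.
    foreach ($ext in $Extensions) {
        $progId  = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" `
                       -ErrorAction SilentlyContinue).'(default)'
        $userPid = (Get-ItemProperty -Path "$UserExts\$ext\UserChoice" `
                       -ErrorAction SilentlyContinue).ProgId
        $cmd     = Resolve-ProgIdCommand $progId
        $userCmd = Resolve-ProgIdCommand $userPid
        [pscustomobject]@{
            Extension     = $ext
            ProgId        = $progId
            OpenCommand   = $cmd
            UserChoice    = $userPid
            UserCommand   = $userCmd
            OpensInIE     = ($cmd -match 'iexplore\.exe') -or ($userCmd -match 'iexplore\.exe')
        }
    }
}

function Backup-MhtAssociation {
    # Record the current state so the change can be reasoned about or undone by hand.
    Get-MhtAssociation | ConvertTo-Json | Set-Content -Path $BackupPath -Encoding UTF8
    $BackupPath
}

function Remove-MhtAssociation {
    # Equivalent of "assoc .mht=" / "assoc .mhtml=": with no ProgID, the shell shows the
    # "How do you want to open this file?" dialog instead of launching IE.
    # On Windows 8/10 the UserChoice key is ACL-protected; if its removal fails, clear
    # the default app through Settings > Default apps instead.
    foreach ($ext in $Extensions) {
        Remove-Item -Path "Registry::HKEY_CLASSES_ROOT\$ext" -Recurse -ErrorAction SilentlyContinue
        Remove-Item -Path "$UserExts\$ext" -Recurse -ErrorAction SilentlyContinue
    }
}

function Set-MhtAssociationToText {
    # Comment 10's variant: map the extension to the built-in 'txtfile' ProgID so a
    # double-click opens the archive in Notepad as inert text, and drop the
    # "Content Type" value so nothing re-routes it by MIME type.
    foreach ($ext in $Extensions) {
        $key = "Registry::HKEY_CLASSES_ROOT\$ext"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '(default)' -Value 'txtfile'
        Remove-ItemProperty -Path $key -Name 'Content Type' -ErrorAction SilentlyContinue
    }
}

function Test-MhtHardened {
    # $true when no resolved handler for either extension points at iexplore.exe.
    -not (Get-MhtAssociation | Where-Object OpensInIE)
}

# Usage: audit, back up, apply one of the two fixes, verify.
Write-Host 'Before:'; Get-MhtAssociation | Format-Table -AutoSize
Backup-MhtAssociation | ForEach-Object { Write-Host "Backup written to $_" }
Remove-MhtAssociation          # or: Set-MhtAssociationToText
Write-Host 'After:';  Get-MhtAssociation | Format-Table -AutoSize
if (Test-MhtHardened) { Write-Host 'OK: no .mht/.mhtml handler resolves to iexplore.exe' }
else                  { Write-Warning 'A handler still resolves to iexplore.exe; check UserChoice' }
```

Test-MhtHardened checks the resolved command rather than the ProgID name, so it also catches the case comment 3 raises (re-pointing the extension at a ProgID that itself still launches IE). Neither fix stops a file with a different extension from reaching IE through another path, so keep the mail-gateway block on .mht/.mhtml that several commenters describe; this only removes the double-click route.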