Are you still surfing the web with Internet Explorer? If so, you’re not alone. Four years after Microsoft announced Edge as its successor, the company’s old browser still has a few stubborn holdouts who continue to use it for various reasons.
Unfortunately, security experts keep finding critical security flaws in the code that make it something of a ticking time bomb.
The most recent of these was unearthed by an independent researcher named John Page. He published a proof of concept that demonstrates a flaw in the way the old browser handles MHT files, which are used by Internet Explorer for archival purposes.
If any computer running Windows 7, Windows 10, or Windows Server 2012 encounters an MHT file, it will attempt to open it using Internet Explorer. This fact represents a tremendous opportunity for a savvy hacker. All he has to do is present a specially crafted MHT file containing malicious code to a user and use a bit of social engineering to open it. Using history as a guide, convincing users to open files from untrusted sources is not especially difficult to do.
Even if you don’t currently use Internet Explorer, your system is still very much at risk from this type of attack, because IE 11 still ships with every Windows-based PC, including the latest Windows 10 machines. The only potential saving grace here is that on Windows 10 machines, Internet Explorer is not enabled by default and needs to go through a user-initiated setup process before it could be used.
The solution then, at least if you’ve got a Windows 10 machine, is simply to avoid enabling Internet Explorer or, even better, simply uninstall it from the Control Panel altogether.
Mr. Page reported the issue to Microsoft on March 27, and received the following reply:
“We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue and we have closed the case.”
Unfortunately, that’s a canned response that amounts to a dismissal. So for the foreseeable future, you should operate under the assumption that no help will be forthcoming from Microsoft on this issue. Make sure your IT staff is aware.