author: Conrad Hazi
Critical Vulnerability Detected in Windows 7 and 10
As it turns out, Internet Explorer 11 still has some security gaps left to surprize us.
Cyber Security researcher John Page warns that Internet Explorer has a critical vulnerability that allows spying on and stealing data from computers. These reports may seem a bit out of date. After all, Internet Explorer was replaced by Microsoft Edge in 2015, but the obsolete browser is still used by about 7% of Internet users. If you look at the market share of Windows 7 and Windows 10, it turns out that the app is still present on more than a billion machines. This is important because the newly-discovered vulnerability can be exploited, even if the user has never run IE.
It's not good
Page explains that the vulnerability allows the .mht extension files, which Internet Explorer uses to store local copies of web pages, to be used in an unorthodox way. So if a user receives a malicious .mht file (either in an attachment or by clicking on a hotlink), IE will be the default application to launch it.
It might seem like it's not that bad, because if an infected .mht file is launched, the user still has to press a specific keyboard shortcut, such as CTRL K (duplicate bookmark) or CTRL P (print), for the attacker to be able to "output files and perform remote reconnaissance". However, if there is a JavaScript code fragment in a malicious file that triggers a print preview, for example, any interaction from the user is no longer necessary. Thanks to the appropriate file construction, it is also possible to bypass another security feature - the prompt to launch the ActiveX object. John Page demonstrated the attack on his YouTube channel and emphasizes that the problem is with Windows 7, Windows 10 and Windows Server 2012.
Microsoft doesn't seem to care
Page published information on the discovered exploit because Microsoft felt that the problem was not urgent and will address it in the near future. Well, it sounds a little funny just a few weeks after the Redmond giant emphasized on its official blog that the company still makes sure that Internet Explorer is supported and safe.
In the new systems, IE is basically only present to ensure backward compatibility for some outdated websites and browser applications. But if you don't need it, you can uninstall it.