A security researcher has discovered a new vulnerability in Internet Explorer that is allowing hackers to steal your data.
John Page (aka hyp3rlinx) has revealed a new security flaw in version 11 of Internet Explorer that potentially allows attackers to access your computer’s local files and spy on you remotely.
The most troubling part of this discovery is that you don’t even need to run the browser in order to expose your computer to this flaw. Simply opening the wrong attachment or message could be enough.
The issue comes from the way Internet Explorer processes certain files, as John Page explains:
“Internet Explorer is vulnerable to XML External Entity attack if a user opens a specially crafted .MHT file locally.”
MHT (aka MHTML Web Archive) files open in Internet Explorer by default, so simply opening such an attachment from an email is enough to start the process even if IE isn’t your default browser.
According to the original report, Microsoft was notified of the vulnerability on 27 March, but has declined to release an urgent fix for the problem, stating:
“We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case.”
In the meantime, potentially millions of users are left vulnerable to the exploit. Although data shows a steady decline in Internet Explorer use, all Windows users are still vulnerable if the browser is installed on their machine.
If you don’t want to wait and rely on Microsoft to roll out a fix, then you can always uninstall Internet Explorer yourself just to be safe.
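Because the flaw is reached by opening an .MHT attachment, a mail filter can hold such files before they reach users. The following is an added example, not code from the original report: the function names, sample addresses and placeholder attachments are constructed for illustration, and it also looks inside ZIP attachments.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

RISKY_EXT = (".mht", ".mhtml")  # web-archive types that open in Internet Explorer

def is_risky(name):
    # Windows drops trailing dots/spaces from file names, so "a.mht." is still .mht
    return name.lower().rstrip(". ").endswith(RISKY_EXT)

def find_mht_attachments(raw_email):
    """Return names of attachments, or ZIP members, with a web-archive extension."""
    msg = message_from_bytes(raw_email, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename() or ""
        if is_risky(name):
            hits.append(name)
        elif name.lower().endswith(".zip"):
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    hits += [f"{name}!{m}" for m in zf.namelist() if is_risky(m)]
            except zipfile.BadZipFile:
                hits.append(f"{name}!<unreadable zip>")  # hold for manual review
    return hits

def build_sample(filename, payload):
    """Constructed test message with one attachment (placeholder bytes only)."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("see attachment")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

def build_zip(member_name):
    """Constructed in-memory ZIP holding one placeholder member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for fn, data in [("report.MHT", b"placeholder"), ("notes.txt", b"hello"),
                     ("bundle.zip", build_zip("docs/Invoice.mhtml"))]:
        print(fn, "->", find_mht_attachments(build_sample(fn, data)))
```

A non-empty result means the message should be quarantined or have the attachment stripped before delivery.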