New Zero-Day Vulnerability In Internet Explorer Would Allow Theft Of Local Files
Internet Explorer is not exactly the most popular browser, and this new security incident will not help it. According to specialists in the computer forensics course at the International Institute of Cybersecurity (IICS), a zero-day vulnerability has been discovered in the browser that leaves Windows computers vulnerable to file-theft attacks.
According to the reports, the vulnerability lies in how Internet Explorer handles MHT files, the format it uses when a user saves a web page, and is triggered when an MHT file is opened. "Internet Explorer is vulnerable to an XML External Entity attack if a user opens a specially crafted .MHT file. This drawback would allow an attacker to extract local files and perform a remote reconnaissance of the version of Program installed on the compromised machine. For example, sending a request for c:\Python27\NEWS.txt could return information about the version of that program as a response."
According to the computer forensics experts, a computer is still vulnerable to this attack even if Internet Explorer is not its default browser. The attack only requires that the program be installed on the computer and that the user open an MHT file, because Windows uses Internet Explorer to open MHT files by default.
The researchers who discovered this vulnerability published their findings, including a proof of concept of the exploitation, in recent days. They also state that Microsoft is aware of this security problem. In this regard, Microsoft stated: "A correction for this vulnerability could be launched in the future; at this time, updates for this incident will not be published. The case is closed," the company concluded.
Although the company has decided not to fix this zero-day vulnerability for the time being, the exploit published by the researchers has proved functional in Internet Explorer 11 on Windows 10 and Windows 7 systems, the computer forensics course specialists note.
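Because the flaw is triggered by opening a crafted .MHT file and no update is available, one defensive check is to inspect MHT files (for example at a mail gateway) before a user opens them. The Python script below is an added example, not code from the researchers or from Microsoft: it decodes every MIME part of an MHT file and flags external XML entity declarations, including ones hidden behind base64 encoding. The function name `scan_mht` and both sample files are constructed for illustration.

```python
import base64
import email
import re
from email import policy

# An XML entity declaration that loads from an external resource (SYSTEM or
# PUBLIC identifier): the construct an XML External Entity attack depends on.
EXTERNAL_ENTITY = re.compile(
    rb"<!ENTITY\s+(?:%\s*)?[\w.\-]+\s+"
    rb"(?:SYSTEM|PUBLIC\s+[\"'][^\"']*[\"'])\s+[\"']([^\"']*)[\"']",
    re.IGNORECASE)

def scan_mht(raw: bytes):
    """Return [(content_type, external_uri), ...] found in one MHT file."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64 / quoted-printable, so an encoded part
        # is inspected as the bytes the XML parser would actually see.
        body = part.get_payload(decode=True) or b""
        for match in EXTERNAL_ENTITY.finditer(body):
            uri = match.group(1).decode("latin-1")
            findings.append((part.get_content_type(), uri))
    return findings

# Constructed samples (not real captures). The flagged one carries its XML
# part base64-encoded, so a plain byte search for "<!ENTITY" would miss it.
_XML = (b'<?xml version="1.0"?>\n'
        b'<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///c:/placeholder/sample.txt">]>\n'
        b"<r/>")
SAMPLE_FLAGGED = (
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>saved page</body></html>\r\n"
    b"--b1\r\nContent-Type: text/xml\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(_XML) + b"\r\n--b1--\r\n")
SAMPLE_CLEAN = (
    b"MIME-Version: 1.0\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>saved page</body></html>\r\n")

if __name__ == "__main__":
    for name, data in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(name, scan_mht(data))
```

The pattern works on single-byte encodings only; an XML part stored as UTF-16 would need to be transcoded before matching.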