Researcher finds zero-day vulnerability in Internet Explorer 11

A security researcher has found a vulnerability in Internet Explorer 11 that has not yet been patched. The leak concerns IE’s handling of mht files. IE 11 is the default browser that opens these files.

Security researcher John Page developed an exploit for the vulnerability. He successfully tested it on Internet Explorer 11 on currently updated Windows 7, Windows 10, and Windows Server 2012 R2 installations.

This is a so-called XML External Entity attack, which only requires a Windows user to be tricked into opening a specially crafted mht file. Optionally, an attacker can omit the warning from IE when initializing ActiveX objects. Mht files are MHTML Web Archive, a format for archiving web pages. While most browsers now simply save pages as html files, Internet Explorer still does that by default in mht, ZDNet writes.

Also, Internet Explorer is the default browser that opens these types of files. So even if a Windows user has set another browser as default and never uses IE, this Microsoft browser will open in the attack described. This would potentially allow an attacker to steal local files and investigate versions of programs the user has installed. The latter may allow access to the system through other vulnerabilities, if the user is running old vulnerable versions of software.

Microsoft has assessed that the impact is low and the company will consider closing the leak sometime in the future. Page notified Microsoft of the vulnerability on March 27, and after receiving the response decided to publish it.