Internet Explorer Bug Affects All Windows Users

John Lister's picture

A security researcher says an Internet Explorer flaw could affect people who don't even use the outdated browser. It's a reminder of the dangers of opening unexpected email attachments.

John Page has published details of the bug, which affects version 11 of Internet Explorer (the latest) on Windows 7, 8 and 10. The bug involves a file format called MHT.

It's a format that's not used much these days but used to be common back when Internet Explorer was king. It's used to download an entire web page (including images and other media) into a single file. It's not needed today as browsers can now do this using standard HTML format. (Source: slashgear.com)

Security Warning Disabled

Even though Internet Explorer has been replaced by Edge as Microsoft's main web browser, most Windows PCs still have Internet Explorer installed. If a user opens an MHT file (through an email attachment, for example), the file will open in Internet Explorer if it's installed on the computer, even if the user never otherwise uses IE.

The security flaw not only has nasty effects but bypasses a couple of possible defenses. It means a hacker could remotely access files stored on a computer. They could also gather information on what versions of various programs are on the computer, which could help them figure out other security flaws for further attacks.

Microsoft Response Lukewarm

Normally such an attack would require tricking the computer user into carrying out specific actions such as "Print Preview" to enable the remote access, but the flaw means infection can be automated. The flaw also means the MHT file can be written in a way that avoids triggering a security alert in Internet Explorer that would normally block such an attack.

Mr. Page published the details online, as he says he isn't satisfied with the response he got when he privately contacted Microsoft. He says they replied to him stating that "We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case." (Source: zdnet.com)
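Since the article's delivery route is an MHT file arriving as an email attachment, here is an added example (not from the article or from Mr. Page's disclosure) of a mail-side check that flags such attachments by file name or by content, so a renamed file is still caught. The function names, the sample message and the content heuristic (an MHT file is itself a MIME document declaring multipart/related) are assumptions made for this illustration.

```python
import email
from email import policy
from email.message import EmailMessage

MHT_EXTENSIONS = (".mht", ".mhtml")

# Constructed sample: the header block a saved MHT/MHTML page starts with.
SAMPLE_MHT = (b"From: <Saved by a browser>\r\n"
              b"MIME-Version: 1.0\r\n"
              b'Content-Type: multipart/related; boundary="----b"\r\n\r\n'
              b"------b\r\nContent-Type: text/html\r\n\r\n<html></html>\r\n"
              b"------b--\r\n")

def looks_like_mht(payload: bytes) -> bool:
    """Heuristic (assumption): MIME-Version plus multipart/related near the top."""
    head = payload[:2048].lower()
    return b"mime-version:" in head and b"multipart/related" in head

def find_mht_attachments(raw: bytes):
    """Return (filename, reason) for each attachment that is MHT by name or content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(MHT_EXTENSIONS):
            hits.append((name, "extension"))
        elif looks_like_mht(payload):
            # Catches an MHT file that was renamed to dodge an extension filter.
            hits.append((name, "content"))
    return hits

def build_sample() -> bytes:
    """Constructed test message with three attachments; only two are MHT."""
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for data, name in ((SAMPLE_MHT, "invoice.MHT"),
                       (SAMPLE_MHT, "report.dat"),
                       (b"plain notes", "notes.bin")):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reason in find_mht_attachments(build_sample()):
        print(f"flag {name}: matched by {reason}")
```
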

What's Your Opinion?

Have you ever received an MHT file attached to an email or similar message? Would you consider uninstalling Internet Explorer to remove this risk? Should Microsoft take stronger measures such as showing a special warning before opening an MHT file?


Comments

Dennis Faas's picture

Uninstalling Internet Explorer permanently is not easily done. I believe IE 11 can be uninstalled from Windows 10 permanently, but not so for Windows 7 and 8 users. For example: uninstalling IE11 via "Windows Features" in Control Panel will only roll it back to IE 10 or 9 and then you will have IE11 updates via Windows Update again unless it is marked hidden. Even so, you cannot remove IE 10 or 9 from the OS as it is permanently embedded.

dbrumley3077's picture

If MHT is the extension used for these files, would changing the file association setting from IE to Firefox or Chrome do any good? What about anti-virus software blocking these files?

graham_a_4374's picture

I changed my default browser to Chrome. While it is possible to save web pages in Chrome by selecting HTML, it is also possible to save them to MHTML by making changes in the Chrome settings. Example: Click on settings in the right-hand top corner. When the settings web page populates, change the URL address in the address bar from chrome://settings to chrome://flags. In the Search flags box type "Save Page as MHTML" and click on enabled in the drop down box to the right of the commentary. When I click on saved MHTML web pages they automatically open in Chrome.

jamies's picture

Firstly:
EDGE will not process .MHT files
Secondly:
OK it has print to PDF - but that facility is cumbersome to use, and does not seem to be easily set to include all the web page and does not seem to like animated images - as in ..
Select the options page from the windows facility and on that page look at .. and select ...
So where details of actions and the results as were shown in a small embedded animated (gif) it now seems to need to have a separately save a video stream - and play that as part of reading how to restore a windows facility to the prior functionality.

Thirdly: .MHT was the better option for saving web pages as the other option put all the images of the page into a folder, and while that folder was associated with the file, and managed by the OS as if it was directly attached to the file, it was actually relatively easy to disconnect the folder from the file - as in home Onedrive use - files could be uploaded but a folder needed to be manually created, and then its content separately uploaded.

So I now have .MHT files containing details that I have been collecting for years, some of them as 'evidence' of posted details that have since been amended, or partially retracted, or the page appears to no longer exist as the site is no longer accessible.

Considering the reported MS response:
"We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case."

I understood there was NOT to be a future version of IE
Possibly the response is because there is NO budget for any staff to work with IE, either improving it, or dealing with security chasms.

Note that the version of the Personal (Home) Onedrive for EDGE will now allow a folder to be selected for upload.
BUT the IE version has not had that feature added.
Also - on my older system (2GB RAM) I find that IE is getting slower by the update, and seems to need more RAM to function, and is becoming more difficult to keep in a good working condition -
Cookies used to be individually accessible checkable and removable.
NOW it seems that if you want to deal with unwanted cookies and ask for a list of cookies, you get to see an extract from the internal cookie store, and deleting from that extract does NOT affect the internal store.
I did try the cleanup facility that is supposed to remove cookies that are no longer associated with entries in the favourites list (as in you remove favourites entries and it will get rid of cookies associated with what you removed).
YUP - net result - after running that MS utility my IE gained 10 more cookies.

You do all remember the Microsoft XP days declaration to address the poor security of their software and fixes, and the intention to have their systems be SECURE.

Looks like there is yet another reason for me to keep VMs of XP, and Win 7.
So that means any new system will have to have 64 bit Win-10 Pro - and 16GB RAM!

Thanks again to Microsoft for their consideration of user needs and their positive responses to user reports -

Err, when will the spacing of Outlook lists of emails and folders be reset to single spacing, and the 'future feature' of triple spacing (is it fixed as 36 points for 10 point text?) be undone?