A security researcher has discovered that Internet Explorer steals data even if the user does not use the browser, found.
The browser is vulnerable to XML External Entity attacks from malicious MHT files, which open by default on Internet Explorer, says security researcher John Page.
The malicious files affect users of Windows 7, Windows 10 and Windows Server 2012, and Page tested the attack on Internet Explorer 11.
The security researcher informed Microsoft about the threat in March, and they said they will fix the issue in a future update of Internet Explorer.
"Internet Explorer is vulnerable to XML External Entity attack if a user opens a specially crafted .MHT file locally," Page told Mashable.
The files can be disguised as download links or e-mail attachments, and the format is not compatible with other browsers, Page added.
Typing CTRL+K for tab duplication and initiating Print commands helps an external attacker get access to local files on the system, Page added.
Usually, Internet Explorer prompts users to block objects like 'Microsoft.XMLHTTP', but the MHT file is designed in a manner that the warning does not appear.
To add to the security threat, Page says that the CTRL+K and Print commands can be initiated automatically, even if a user does not give the command.
The security researcher demonstrated the breach in a YouTube video, where the attack takes place even with anti-malware software Microsoft SmartScreen.
Though the malware affects only 7 percent of Windows users, Internet Explorer is installed on over 1 billion systems, according to a Forbes report.
Internet Explorer was discontinued in 2015 and replaced with Microsoft Edge.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
Find the best of Al News in one place, specially curated for you every weekend.
Stay on top of the latest tech trends and biggest startup news.
