Need to Know
1 - 14 May 2019
What happened?
A security researcher has released details of a serious flaw in Internet Explorer that could let files be snatched from computers running Windows, even if users never open Microsoft’s old browser. The longstanding vulnerability takes advantage of the file format IE uses to store web pages you download: whereas modern browsers save web pages in HTML format, IE uses MHT.
Independent security researcher John Page found a flaw in IE that can be triggered if an MHT file is opened (bit.ly/ieflaw474). This is especially problematic because MHT files open by default in Windows: if one is downloaded or a user clicks a link that directs to one, it will be opened automatically by the operating system, triggering an attack.
Although Internet Explorer is now used by fewer than one in 10 web users, and Microsoft itself now favours its Edge browser, all Windows users could still be vulnerable. If you use Chrome, Firefox or any other browser to click a malicious link and accidentally download a dodgy MHT file, it will still automatically open in IE, unless you’ve uninstalled Microsoft’s old browser from your system.
Microsoft has been told of the flaw, but has opted not to issue an immediate patch, which prompted the researcher to publicly release the details of the vulnerability, to spur the tech giant into action.
How will it affect you?
If a hacker successfully uses this flaw, they could use it to snoop around your system and potentially steal locally stored files. According to John Page, the flaw impacts anyone running Windows 7, Windows 10 or Windows Server 2012 R2, whether or not they use IE as their browser.
However, for a dodgy MHT file to automatically open on your version of Windows, you would need to have IE installed. If you never use IE, it’s worth changing the default association for MHT files to another browser in your settings, or simply uninstalling it - and that’s true for any other software you don’t use that may be out of date or unpatched. Leaving old programs on your computer takes up space and leaves you at risk of hackers finding a flaw they can exploit.
However, it’s worth noting that this flaw was spotted by a security researcher and there’s no evidence of it being used by hackers – yet. Also, Microsoft apparently isn’t convinced of the threat. It didn’t rush out a patch as the researcher hoped when he notified the company, and hasn’t said if it will patch the flaw in the future. It might, but there are no plans in the pipeline as yet. That suggests there’s little immediate concern about this bug, though hackers will have read the same reports about this flaw as you now have, and may feel inspired to use it to target Windows computers.
To stay safe, uninstall IE from any PCs that still have it, ensure you’re running antivirus or other security software that scans any files downloaded from the internet, and be cautious of email attachments or links that you aren’t completely certain are safe. Such advice is worth following regardless of whether Microsoft ever patches this flaw.
What do we think?
If you are still using Internet Explorer as your main browser, it’s now time to find an alternative. There’s no reason to have this out-of-date browser on your system, let alone as your main gateway to accessing the web. If you want to stick with Microsoft, use Edge. If you want to avoid Chrome, consider Firefox. There are plenty of options out there that are up to date, modern and secure.
It’s easy to criticise Microsoft for not being more attentive and fixing this bug, but the company’s response suggests the flaw isn’t serious enough to nab the top spot on its to-do list. Microsoft has a good record for issuing patches for major bugs – even for software that no longer receives updates, as was the case when Windows XP was given a security patch after the WannaCry attack.
That said, we hope this flaw gets fixed sooner rather than later, given how many people are still likely to have IE lurking on their computers, even if they’ve upgraded to a more modern browser.
Internet Explorer security flaw puts all Windows users at risk
Microsoft has encouraged Windows 10 users to ditch Internet Explorer for Edge