An Internet Explorer (IE) zero-day lets hackers steal files from Windows systems, and a security researcher has published a detailed report along with proof-of-concept code to prove it.

The vulnerability is in the way Internet Explorer processes MHT files. MHT is short for MHTML Web Archive, the default format in which the IE browser saves a web page when the user presses CTRL+S. Current web browsers save web pages in standard HTML format instead, although some of them still support MHT.

Nearly four years after it was replaced by Edge as Microsoft’s preferred Windows browser, researchers keep finding unpleasant security flaws in Internet Explorer (IE).

The latest is a proof of concept (POC) published by researcher John Page (aka hyp3rlinx) that exploits a weakness in the way the browser handles MHTML (MHT) files, IE’s default web page archiving format.

If Windows 7, Windows 10 or Windows Server 2012 R2 encounters one of these, it attempts to open it using IE, which means that an attacker simply has to persuade the user to do that. Success would…

Allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information.

No escape

Does this matter to users who’ve moved on to Windows 10 or simply stopped using IE years ago?

Unfortunately, it does because IE 11 ships with every consumer Windows PC – including Windows 10 – for compatibility reasons (only Enterprise and Education licensees can optionally exclude it).

However, on Windows 10, IE still needs to go through a short setup process when it runs for the first time, something that might draw attention to attacks targeting the flaw discovered by Page.

Our first advice, then, is that if you have no intention of using IE in Windows 10, don’t enable it. Better still, if you’re sure you don’t need it, de-install it completely via the Control Panel after manually turning it off and hitting restart.

When Page reported the issue to Microsoft on 27 March, Microsoft responded with this reply:

We determined that a fix for this issue will be considered in a future version of this product or service. At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case.

Interpreting this as dismissive, on 10 April Page released his proof of concept (POC) and video demonstrating that his exploit works as claimed.

This has prompted some to call it a “zero-day vulnerability” because it is a known weakness for which there is no patch (as opposed to a zero-day attack – a known attack targeting a previously unknown vulnerability for which there is no patch).

Doubtless, Microsoft will fix the flaw in a future update, hopefully in May’s Patch Tuesday on 14 May.

Until that happens, our second piece of advice for anyone still using a computer with IE on it is to be extremely sceptical about MHT attachments.

John Page, a security researcher, found an XML External Entity (XXE) vulnerability in IE that can easily be exploited whenever a user opens an MHT file. According to him, it lets attackers extract local files and also gather information about locally installed program versions. For example, a program's version information can be extracted when a request for c:\Python27\NEWS.tx is sent.

Exploiting this vulnerability is trivial, because Windows by default opens MHT files in Internet Explorer whenever a user double-clicks one received through email, a message or any other source.

The real concern is how Internet Explorer behaves when a tab is duplicated or when the Print Preview or Print commands are given. This normally takes a little user interaction, but that interaction can be automated and is not strictly required to trigger the exploit chain: a call to the JavaScript function window.print() is enough, without the user interacting with the web page.


Normally, the researcher noted, IE warns users through a security bar and prompts them to activate blocked content whenever an ActiveX object such as Microsoft.XMLHTTP is instantiated. However, no warning bar or similar prompt appears when a specially crafted .MHT file containing malicious <xml> markup tags is opened.

The researcher successfully tested the exploit in the latest Internet Explorer browser with the security patches applied, on Windows 7, Windows 10 and Windows Server 2012 R2 systems.

Internet Explorer once dominated the browser market but is now limited to only 7.34 percent of users, according to NetMarketShare data. Windows uses IE as the default app for opening MHT files, but users can change this setting. Still, as long as IE is present on a system, users can be tricked into opening MHT files in it.

Page informed Microsoft about the vulnerability, and the company responded that a fix is not on its priority list yet. In its message, Microsoft said that the issue will be considered in the next update of the product, that it cannot currently provide an update on this, and that the case is closed.

Cybercriminals have already used MHT files for spreading malware and for spear-phishing, as these files are a common way to deliver exploits to users' systems. This vulnerability should therefore not be taken lightly.

MHT files are known to carry code and should be scanned before opening.
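One way to do that scanning on a mail gateway or analyst workstation, as an added example that is not from the article or from Page's report: the script parses an MHT archive as the MIME container it is, decodes each part, and flags the markers named above (<xml> markup, an external entity declaration, a scripted window.print(), Microsoft.XMLHTTP). The function names, indicator labels and the example.invalid URL are assumptions made for this illustration, and a hit is a triage signal rather than a verdict.

```python
import base64
import email
import re
from email import policy

# Indicators taken from the article: <xml> markup, an external entity
# declaration (XXE), scripted window.print(), Microsoft.XMLHTTP ActiveX.
INDICATORS = {
    "xml_island": re.compile(r"<xml[\s>]", re.I),
    "external_entity": re.compile(r"<!ENTITY\s+%?\s*\S+\s+(SYSTEM|PUBLIC)\b", re.I),
    "auto_print": re.compile(r"window\.print\s*\(", re.I),
    "activex_xmlhttp": re.compile(r"Microsoft\.XMLHTTP", re.I),
}

def scan_mht(raw: bytes) -> dict:
    """Return {indicator: [Content-Location of each matching part]}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {}
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        # decode=True undoes base64 / quoted-printable, which hide the
        # markup from a plain text search of the file on disk.
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        where = str(part.get("Content-Location", f"part-{idx}"))
        for name, rx in INDICATORS.items():
            if rx.search(text):
                hits.setdefault(name, []).append(where)
    return hits

def build_sample(html: bytes) -> bytes:
    """Wrap HTML in a minimal, constructed MHT container (base64 part)."""
    return (b'MIME-Version: 1.0\n'
            b'Content-Type: multipart/related; boundary="b1"\n\n'
            b'--b1\n'
            b'Content-Type: text/html; charset="utf-8"\n'
            b'Content-Transfer-Encoding: base64\n'
            b'Content-Location: file:///C:/sample.htm\n\n'
            + base64.encodebytes(html) + b'--b1--\n')

# Constructed, inert fixture: carries only the markers, no working chain.
SUSPICIOUS = (b'<html><body><xml><!DOCTYPE r [<!ENTITY % e SYSTEM '
              b'"http://example.invalid/x.dtd">]></xml>'
              b'<script>window.print();</script></body></html>')
BENIGN = b"<html><body><p>Archived page</p></body></html>"

if __name__ == "__main__":
    for label, html in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, scan_mht(build_sample(html)))
```

Because the sample part is base64-encoded, a byte search of the raw file for `<!ENTITY` finds nothing; the indicators only appear after MIME decoding.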