On April 10, researchers published information on a critical vulnerability in Microsoft’s Internet Explorer® (IE) browser. This previously unseen, “zero-day” exploit enables attackers to remotely access locally installed program version information, and potentially to exfiltrate user data.
The vulnerability involves IE’s use of .MHT files to store and open content on user systems. Attackers can create a specially crafted .MHT file that, when opened, launches IE and allows malicious commands to be injected via XML external entities. Attackers can also craft .MHT files that open automatically, without user intervention, or that bypass the security warnings that accompany non-malicious .MHT files.
The vulnerability has been tested and shown to exist in the latest version of IE (v11), as well as on IE versions running on Windows 7, Windows 10, and Windows Server 2012 R2. While IE is not the browser of choice for a majority of users, the fact that this vulnerability can be triggered without active IE use increases its severity.
Microsoft has been notified of this vulnerability and has indicated that they will consider a fix for it in future versions of the product. No current fix is available.
ACA Aponix Guidance
ACA Aponix recommends taking the following actions regarding the IE vulnerability:
- Monitor the Microsoft website for patch updates to this critical issue. Install updates immediately when available.
- Consider blocking ingress and egress of .MHT files on email gateways and firewalls.
- Consider disabling IE if not actively in use in the organization. IE can be disabled in Control Panel – Windows Features, or through PowerShell.
- Inform staff of this vulnerability as it relates to personal devices and “bring your own” devices used for work purposes.
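One way to implement the .MHT blocking recommendation at a mail-filtering point is sketched below. It is an added example, not ACA Aponix or Microsoft code. The function names, the 10 MB member cap, the nesting limit and the content heuristic are assumptions, and the sample message is constructed.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXT = (".mht", ".mhtml")

def sniff_mht(data: bytes) -> bool:
    # Heuristic (assumption): MIME headers declaring multipart/related; single-part archives are missed.
    hdrs = message_from_bytes(data[:4096])
    return hdrs["MIME-Version"] is not None and hdrs.get_content_type() == "multipart/related"

def inspect_blob(name: str, data: bytes, depth: int = 0) -> list:
    """Return block reasons for one attachment, descending into zip archives."""
    reasons = []
    if name.lower().endswith(BLOCKED_EXT):
        reasons.append(f"{name}: blocked extension")
    elif sniff_mht(data):
        reasons.append(f"{name}: MHT content under another extension")
    if depth < 2 and zipfile.is_zipfile(io.BytesIO(data)):  # nesting limit is an assumption
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{name}!{info.filename}"
                if info.flag_bits & 0x1 or info.file_size > 10_000_000:
                    reasons.append(f"{member}: not inspectable")  # encrypted or oversized
                elif not info.is_dir():
                    reasons += inspect_blob(member, zf.read(info), depth + 1)
    return reasons

def scan_message(raw: bytes) -> list:
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        findings += inspect_blob(part.get_filename() or "(unnamed)", data)
    return findings

def build_sample() -> bytes:
    """Constructed message: a benign file, an .MHT, and a zip hiding two more."""
    mht = b"MIME-Version: 1.0\r\nContent-Type: multipart/related; boundary=x\r\n\r\n--x--\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("inner/report.mhtml", mht)
        zf.writestr("page.dat", mht)  # renamed archive, caught by sniff_mht
    msg = EmailMessage()
    msg.set_content("body")
    for name, data in [("notes.txt", b"hello"), ("invoice.MHT", mht), ("docs.zip", buf.getvalue())]:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

A non-empty result from `scan_message` is the signal to quarantine the message. The extension check is the primary control, and the content heuristic only supplements it for renamed files.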
How ACA Can Help
ACA Aponix offers the following solutions that can help your firm ensure strong security in light of the IE vulnerability:
- Cybersecurity and technology risk assessments
- Penetration testing and vulnerability assessments
- Policies, procedures, and governance
- Cyber incident response planning
- Threat intelligence
If you have any questions, please contact your ACA Aponix consultant or email us at firstname.lastname@example.org.