
Warning: Internet Explorer Just Became A Silent But Serious Threat To Every Windows User

And if someone were to send you a malicious .MHT file (perhaps disguised as a download link or an email attachment), Internet Explorer would be the default application to open it.

That already sounds scary, but then Page says that a simple JavaScript call within the file (such as invoking the Print Preview function) can do this automatically and without user interaction.

"Typically, when instantiating ActiveX Objects [...] users will get a security warning bar in IE and be prompted to activate blocked content.

However, when opening a specially crafted .MHT file using malicious <xml> markup tags the user will get no such active content or security bar warnings."

Page says he publicly disclosed this exploit -- and the accompanying code to pull it off -- because Microsoft acknowledged the threat but refused to treat it as an urgent matter.

Between Windows Updates, supply chain attacks and malware spreading via popular file-sharing websites, you already have enough to worry about.
