Are you still surfing the web with Internet Explorer?

If so, you're not alone.  Four years after Microsoft announced Edge as its successor, the company's old browser still has a few stubborn holdouts who continue to use it for various reasons.

Unfortunately, security experts keep finding critical security flaws in the code that make it something of a ticking time bomb.

The most recent of these was unearthed by an independent researcher named John Page. He published a proof of concept that demonstrates a flaw in the way the old browser handles MHT files, which are used by Internet Explorer for archival purposes.

Windows tries to open MHT files

If any computer running Windows 7, Windows 10, or Windows Server 2012 encounters an MHT file, it will attempt to open it using Internet Explorer.  This fact represents a tremendous opportunity for a savvy hacker.  All he has to do is present a specially crafted MHT file containing malicious code to a user and use a bit of social engineering to get the user to open it.  If history is any guide, convincing users to open files from untrusted sources is not especially difficult.

Even if you don't currently use Internet Explorer, your system is still very much at risk from this type of attack, because IE 11 still ships with every Windows-based PC, including the latest Windows 10 machines.  The only potential saving grace here is that on Windows 10 machines, Internet Explorer is not enabled by default and needs to go through a user-initiated setup process before it can be used.

The solution, at least if you've got a Windows 10 machine, is to avoid enabling Internet Explorer or, even better, to uninstall it altogether from the Control Panel.
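For IT staff who want to check a machine rather than rely on the Control Panel view, the following is an added audit example, not part of the original post. It assumes an elevated PowerShell session on Windows 10; the helper name `Get-DefaultValue` and the "iexplore" match are illustrative choices, and the script only reads state unless the commented-out line is enabled.

```powershell
# Added audit example (not from the original post).
# Reports whether Internet Explorer is enabled and what opens .mht/.mhtml files.

# 1. State of the Internet Explorer optional feature.
#    The wildcard covers both the amd64 and x86 feature names.
$ieFeature = Get-WindowsOptionalFeature -Online |
    Where-Object { $_.FeatureName -like 'Internet-Explorer-Optional-*' }

if (-not $ieFeature) {
    Write-Output 'Internet Explorer optional feature: not found on this system'
} else {
    foreach ($f in $ieFeature) {
        Write-Output ("{0}: {1}" -f $f.FeatureName, $f.State)
        # To remove it after review, uncomment the next line (reboot required):
        # Disable-WindowsOptionalFeature -Online -FeatureName $f.FeatureName -NoRestart
    }
}

# Hypothetical helper: returns the (default) value of a registry key, or nothing.
function Get-DefaultValue([string]$KeyPath) {
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue('') }
}

# 2. Which handler is registered for MHT archives?
foreach ($ext in '.mht', '.mhtml') {
    # Machine-wide association: extension -> ProgId -> open command.
    $progId  = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$ext"
    $command = if ($progId) {
        Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    }

    # Per-user override chosen through "Open with" / Default apps, if any.
    $userKey    = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
    $userChoice = (Get-ItemProperty -LiteralPath $userKey -ErrorAction SilentlyContinue).ProgId

    [pscustomobject]@{
        Extension   = $ext
        ProgId      = $progId
        OpenCommand = $command
        UserChoice  = $userChoice
        # Heuristic only: flags an open command that launches iexplore.exe.
        OpensInIE   = [bool]($command -match 'iexplore')
    }
}
```

A machine where the feature shows as Enabled, or where `OpensInIE` is True, will still hand MHT files to Internet Explorer; review any `UserChoice` value by hand, since the heuristic does not interpret it.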

The issue was reported to Microsoft and received the following reply:

"We determined that a fix for this issue will be considered in a future version of this product or service.  At this time, we will not be providing ongoing updates of the status of the fix for this issue and we have closed the case."

Our perspective

Unfortunately, that's a canned response that amounts to a dismissal. So for the foreseeable future, you should operate under the assumption that no help will be forthcoming from Microsoft on this issue.  Make sure your IT staff is aware.


The author


Cybersecurity Expert, Small Business Technology Consultant, Managed Services Provider, Managed IT Support

Denis S Wilson

I am President and Principal Consultant for DWP Information Architects, specializing in managed IT support for smaller healthcare practices, clinics, insurance companies, and nonprofit companies in Ventura County and San Fernando Valley. I have created cost-effective IT solutions for over 20 years, specializing in cybersecurity and regulatory compliance.

I am also a published author and speaker, working extensively with organizations that include the State of California, the Federal Bureau of Investigation (FBI), the Small Business Administration (SBA), SCORE, Women's Business Centers, and Small Business Development Centers. I also provide small business technology education programs through business and professional associations.
