Zero-Day Internet Explorer Vulnerability

First of all – what does zero-day mean? It is the day a vulnerability was found. If a bug was around for 10 days it would be a 10-day vulnerability. Usually a fix will be developed in the form of a patch or workaround.

A zero-day exploit means an attack takes place the day a vulnerability is discovered.

On March 30, 2019, two zero-day vulnerabilities were discovered in Microsoft Edge and Internet Explorer. Without getting too technical, the problem can occur when you visit a malicious site and a flaw in the browser's behind-the-scenes same-origin policy code allows other sites to intervene. When working correctly, the same-origin policy prevents other sites from accessing your information.

Another vulnerability is related to MHT files. Internet Explorer can still read MHT files. If you are using Outlook, you may see this above an email: “If there are problems with how this message is displayed, click here to view it in a web browser.” It will then open in IE even if you are using Windows 10 with Edge. If the MHT file is infected you will have problems.

To prevent programs from opening IE, you can go into “Programs and Features” in Control Panel and then to “Turn Windows features on or off” and uncheck Internet Explorer 11. Restart your computer.

Trend Micro Blog

Gmail

If you have a Gmail account, did you know that your email address can also have dots in it and you'll still get the mail? For example, if your address is johndoe@gmail.com, it won't matter if someone sends to john.doe@gmail.com. They can even send to j.o.h.n.d.o.e@gmail.com and you will still get it. Most mail systems do not allow this. Apparently it has worked this way for some time.

We found out recently when we saw an article from ZDNet about how scammers are exploiting this by registering for different websites under your email but adding the dots. It may be sites like Netflix, Amazon.com, or eBay. Those sites would see the dotted email address as a different one.

One group has used a variation to obtain credit cards. They have filed tax returns, registered for trial accounts, submitted USPS change-of-address requests, collected Social Security benefits, applied for unemployment benefits, and applied for FEMA disaster relief.

The article brought out two other things that could be exploited. First, Google allows + signs: you can send email to johndoe+someword@gmail.com and johndoe@gmail.com will get it. Second, before gmail.com it was googlemail.com, and if you use johndoe@googlemail.com, johndoe@gmail.com will still get it. Yes, this has been tested and confirmed.
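
A website can defend against this by reducing each address to the mailbox it is actually delivered to before checking whether an account already exists. The Python below is an added example, not code from the ZDNet article or from Google; the function names and sample sign-ups are constructed for illustration, and it also relies on Gmail ignoring letter case, which the text above does not mention.

```python
from collections import defaultdict

# Domains the article says deliver to the same Gmail mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address):
    """Reduce an address to the mailbox it is delivered to."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.lower()             # Gmail ignores letter case
        local = local.split("+", 1)[0]    # drop the +someword tag
        local = local.replace(".", "")    # dots are ignored
        domain = "gmail.com"              # googlemail.com is the same mailbox
        if not local:
            raise ValueError(f"empty mailbox name: {address!r}")
    # Other providers may treat dots and tags as significant: leave them alone.
    return f"{local}@{domain}"


def find_shared_mailboxes(signups):
    """Group (account_id, email) pairs by canonical mailbox and return only
    the mailboxes that more than one account was registered under."""
    groups = defaultdict(list)
    for account_id, email in signups:
        groups[canonical_mailbox(email)].append(account_id)
    return {box: ids for box, ids in groups.items() if len(ids) > 1}


# Constructed sample sign-up records (hypothetical account ids).
SAMPLE_SIGNUPS = [
    (1001, "johndoe@gmail.com"),
    (1002, "john.doe@gmail.com"),
    (1003, "j.o.h.n.d.o.e@gmail.com"),
    (1004, "johndoe+someword@gmail.com"),
    (1005, "JohnDoe@googlemail.com"),
    (1006, "john.doe@example.com"),
    (1007, "johndoe@example.com"),
]

if __name__ == "__main__":
    for box, ids in find_shared_mailboxes(SAMPLE_SIGNUPS).items():
        print(f"{box} is shared by accounts {ids}")
```

Keep the address exactly as the user typed it for sending mail, and use the canonical form only as a lookup key for duplicate checks.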