Microsoft declined to fix a zero-day vulnerability in Internet Explorer

On Friday, April 12, security researcher John Page published details of an unpatched vulnerability in the current version of Internet Explorer and demonstrated its exploitation. The vulnerability could potentially allow an attacker to obtain the contents of Windows users' local files, bypassing browser security.

The vulnerability lies in how Internet Explorer handles MHTML files, usually those with the .mht or .mhtml extension. Internet Explorer uses this format by default to save web pages, and it lets you save the entire content of a page, together with all its media content, as a single file. Today most modern browsers no longer save web pages in MHT format and use the standard web format, HTML, but they still support processing files in this format and can use it for saving with the appropriate settings or with extensions.

The vulnerability John discovered belongs to the XXE (XML eXternal Entity) class and involves the standard XML parser in Internet Explorer. "This vulnerability allows a remote attacker to access a user's local files and, for example, extract information about the version of software installed on the system," says Page. "So a request for 'c:\Python27\NEWS.txt' will return the version of that program (the Python interpreter in this case)."

Since all MHT files open in Internet Explorer by default on Windows, exploiting this vulnerability is a trivial task: the user only has to double-click a dangerous file received by email, social networks or instant messaging.

"Normally, when instantiating an ActiveX object such as Microsoft.XMLHTTP, the user gets a security warning in Internet Explorer asking for confirmation to enable the blocked content," the researcher explains. "However, when opening a pre-prepared .mht file that uses special markup tags, the user will not receive a warning about potentially harmful content."

According to Page, he successfully tested the vulnerability in the current version of Internet Explorer 11 with all the latest security updates on Windows 7, Windows 10 and Windows Server 2012 R2.

Perhaps the only good news in the public disclosure of this vulnerability is that Internet Explorer's once-dominant market share has now fallen to just 7.34%, according to NetMarketShare. But since Windows uses Internet Explorer as the default application for opening MHT files, users do not have to set IE as their default browser to be affected, and they remain vulnerable as long as IE is present on their system and they do not pay attention to the format of the files they download from the Internet.

Back on March 27, John notified Microsoft about this vulnerability in their browser, but on April 10 the researcher received a reply from the company indicating that it did not consider the problem critical.

"A fix will only be released with the next version of the product," Microsoft said in the letter. "We currently have no plans to release a solution for this issue."

After Microsoft's unambiguous reply, the researcher published the details of the zero-day vulnerability on his website, along with demo code and a video on YouTube.

Although exploiting this vulnerability is not that simple and requires somehow getting the user to open an unknown MHT file, it should not be taken lightly despite the lack of a response from Microsoft. Hacker groups have used MHT files for compromise and malware distribution in the past, and nothing prevents them from doing so now.

However, to avoid this and many similar vulnerabilities, you only need to pay attention to the extension of the files you receive from the Internet and check them with an antivirus or on the VirusTotal website. For extra security, simply set your preferred browser, rather than Internet Explorer, as the default application for .mht or .mhtml files. For example, in Windows 10 this is easily done in the "Choose default apps by file type" menu.
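
The file check recommended above can be partly automated before anyone double-clicks an archive. The following Python sketch is an added example, not code from the article or from Page's demo: it parses .mht/.mhtml files as the MIME containers they are and flags parts that declare an XML external entity or reference the Microsoft.XMLHTTP ActiveX object. The function names, the indicator patterns and both sample archives are assumptions constructed for this illustration.

```python
import base64
import email
import re
from email import policy
from pathlib import Path

MHT_EXTENSIONS = {".mht", ".mhtml"}
# Heuristics assumed for this example, taken from the article's description
# (XXE, the Microsoft.XMLHTTP ActiveX object); not signatures of the real PoC.
INDICATORS = {
    "external-entity": re.compile(r"<!ENTITY\s+(%\s+)?[\w.-]+\s+(SYSTEM|PUBLIC)\b", re.I),
    "activex-xmlhttp": re.compile(r"Microsoft\.XMLHTTP", re.I),
}

def triage_mht(raw: bytes) -> dict:
    """Map each indicator found to the content types of the parts containing it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {}
    for part in msg.walk():
        # decode=True undoes base64/quoted-printable; multipart containers give None.
        text = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for name, rx in INDICATORS.items():
            if rx.search(text):
                hits.setdefault(name, []).append(part.get_content_type())
    return hits

def scan_directory(root) -> dict:
    """Triage every .mht/.mhtml file under root; return only files with hits."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in MHT_EXTENSIONS:
            hits = triage_mht(path.read_bytes())
            if hits:
                findings[path.name] = hits
    return findings

def build_sample(body: bytes, ctype: str) -> bytes:
    """Constructed one-part MHTML archive with a base64-encoded body."""
    head = ('MIME-Version: 1.0\r\nContent-Type: multipart/related; boundary="b1"\r\n\r\n'
            f"--b1\r\nContent-Type: {ctype}\r\nContent-Transfer-Encoding: base64\r\n\r\n")
    return head.encode() + base64.encodebytes(body) + b"--b1--\r\n"

# Constructed samples: an ordinary saved page, and an XML part with an external entity.
BENIGN = build_sample(b"<html><body>Saved page</body></html>", "text/html")
SUSPECT = build_sample(
    b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY x SYSTEM "file:///C:/constructed.txt">]><r/>',
    "text/xml")

if __name__ == "__main__":
    print("benign:", triage_mht(BENIGN), "suspect:", triage_mht(SUSPECT))
```

Because the parts are decoded before matching, the declaration is found even though the string `<!ENTITY` never appears in the raw bytes of the archive. A hit is a reason to quarantine and inspect the file, not proof of malice.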

source: 3dnews.ru
