News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • That Internet Explorer XXE zero day poking through to Edge

    Posted on April 18th, 2019 at 07:51 woody Comment on the AskWoody Lounge

    I’ve been slammed for the past few days, and haven’t kept you folks apprised of the latest Internet Explorer 0day.

    It depends on you opening an infect MHT file. MHT is an old file format that’s almost always opened by IE — no matter which browser you’re using, no matter which version of Windows. Catalin Cimpanu has a good overview of this XXE vulnerability on ZDNet.

    It’s a doozy of security hole as it affects every recent version of IE, and it infects whether you’re actively browsing with IE or not.

    When you download files from the internet, they’re marked — the “Mark-Of-The-Web” — to tell programs that special care is required when opening the files. Thus, if you download an infected MHT file, IE will know that it needs to open the MHT file with caution (at “low integrity,” in a sandbox). That severely limits this exploit’s reach.

    There’s a lot of controversy about how bad this XXE hole really is. There have been lots of XXE holes discovered in the past. They’re used to pull files off your machine and send them to the bad guys. Microsoft figured this one isn’t all that bad, in part because of the MOTW mechanism. The folks who discovered this particular hole aren’t so sanguine. They responded to Microsoft’s snub last week by releasing details, proof of concept code, and even a video.

    Yesterday, Mitja Kolsek at 0patch revealed something disconcerting. If you use Edge to download an infected MHT file, Internet Explorer will open it like any other file. Says Kolsek:

    Does Edge not put the mark-of-the-web on downloaded files, or does it do it differently and somehow confuses Internet Explorer? That would be a serious flaw.

    He goes on to explain how Edge changes the permissions on downloaded files and, thus, why IE will open the infected MHT file as if it had no Mark-Of-The-Web.

    All fascinating stuff if you’re into this kind of thing. Ionut Ilascu has a synopsis on BleepingComputer.

    The 0patch company has a quick patch that you can apply, free, if you’re concerned about getting burned. I’m not going to link to it — I don’t want to take responsibility for 3rd-party patches to Windows — but you can find it quite easily if you’re really interested. That said, 0patch is highly regarded, and has made many useful hotfixes for Windows.

    What to do? That’s easy. Don’t open MHT files. And don’t use IE.

    Thx to @Alex5723 and others who have been posting about this problem while I’m off doing other things…..

    Let’s see if I get a definitive answer from this:

    UPDATE: @mkolsek, who published the report yesterday, confirms that reassigning the default handler for MHT files breaks the attack. He tested it. I’ll write this up.

    If that helped, take a second to support AskWoody on Patreon