That Internet Explorer XXE zero day poking through to Edge

      • #540577
        woody
        Da Boss

        I’ve been slammed for the past few days, and haven’t kept you folks apprised of the latest Internet Explorer 0day. It depends on you opening an infect
        [See the full post at: That Internet Explorer XXE zero day poking through to Edge]

      • #540724
        anonymous
        Guest

        Any chance this will be fixed on the next Patch Tuesday?

        • #541658
          Paul T
          AskWoody MVP

          We’d like to be prescient, but even if we were MS would probably be too bizarre to be able to predict.

          The easiest patch is to NOT use IE or Edge and make sure your browser is up to date.

          cheers, Paul

      • #541656
        MikeMc
        AskWoody Lounger

        Until this is fixed, I created a text file and then changed the extension to .mht. I then associated the file type with notepad. Not sure how good this is, but it should be better than having the extension being associated with IE.

      • #542988
        GoneToPlaid
        AskWoody Plus

        I just did something similar. I set both .MHT and .MHTML files to open in Editpad Lite by default. I chose Editpad Lite since the maximum file size which it can open is 2GB. Thus I figure there is no chance of a buffer overflow.

        • #543162
          GoneToPlaid
          AskWoody Plus

          I just changed the file associations back to IE since I don’t have Edge. The exploit only works on computers which have Edge.

        • #545970
          warrenrumak
          AskWoody Plus

          I guess this is a fine fix, if you don’t trust yourself to not download, then double-click on an MHT file from an unknown source.

          Have you ever done that before? I sure haven’t.

          • #546381
            b
            AskWoody Plus

            No, but with extensions hidden by default a file could be named reader.txt.mht and appear as only reader.txt.

            (I’ve always thought that’s the craziest default ever, and I unhide extensions on any computer I touch.)

            • #549782
              warrenrumak
              AskWoody Plus

              You still had to choose to download the file from an unknown source, and you had to choose to open it.

              If an attacker can convince you to do that, they probably could convince you to download and run an executable. Or a PowerShell script. Or a batch file. Or a vbs file. Or a malicious RAR file that targets WinRAR.

              Also, one would presume that most of the major AV vendors already have a heuristics check in place that’ll detect this particular attack. Inspecting and flagging dodgy MHT files is something they’ve been doing for almost 20 years. It’s hardly new ground.

      • #544292
        b
        AskWoody Plus

        A few observations:

        1. Not using IE doesn’t help, as long as it’s enabled and associated with .mht and/or .mhtml files.

        Fred Langa says today: “Even if you never use IE, never click on it, or never call it up in any way, it’s there, and this new exploit can make use of it. In fact, if you use any version of Windows, you almost surely have IE on your PC.” (Microsoft Windows users take note)

        2. The exploit can only read and transmit a named file from a known location. The proof of concept used c:\windows\system.ini which is probably identical on billions of computers. Which file on my computer would you like to read which could subject me to some form of future danger or even privacy invasion?

        3. The original author said the exploit proof of concept had also been tested on Windows 7 and Server 2012 R2, but perhaps that was with an HTM file previously downloaded via Edge on Windows 10?

        • #545241
          woody
          Da Boss

          I believe you’re right on all three points.

        • #545362
          GoneToPlaid
          AskWoody Plus

          Oops! I get it now. It doesn’t matter whether or not your computer has Edge. A hacker merely needs to push a similar Edge modified .HTM file to any Windows PC which has recent versions of IE.

          I am changing the .MHT and .MHTML associations from IE to EditPad Lite.
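An added example, not code from this thread or from AskWoody: b’s second observation above (the exploit reads a named file from a known location and passes it along) is the general shape of an XML external entity (XXE) read. The script below shows that shape with Python’s standard xml.sax parser rather than the IE/MHT parser, which is not reproduced here. The document declares an external entity pointing at a fixed path; a parser that resolves external entities splices that file into the parsed text, while the same parser with resolution off yields nothing. The target is a constructed stand-in for system.ini written to a temp directory, the function names are mine, and nothing is transmitted anywhere.

```python
"""Added example (not from the AskWoody thread): an XXE read of a file at a known path,
shown with Python's xml.sax parser, not the IE/MHT parser the thread discusses."""
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed stand-in for the contents of c:\windows\system.ini; not a real file from any machine.
SAMPLE_SYSTEM_INI = "[drivers]\nwave=mmdrv.dll\ntimer=timer.drv\n"


class TextCollector(ContentHandler):
    """Collects the character data the parser emits, which includes any expanded entity text."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, data):
        self.parts.append(data)

    def text(self):
        return "".join(self.parts)


def xxe_document(target_path):
    """Build an XML document whose only content is an external entity that points at target_path.

    This is the 'known location' part of the attack: the attacker must name the path up front.
    """
    uri = Path(target_path).resolve().as_uri()  # file:///... form, works on POSIX and Windows
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE data [\n"
        f'  <!ENTITY leak SYSTEM "{uri}">\n'
        "]>\n"
        "<data>&leak;</data>\n"
    ).encode()


def parse_text(xml_bytes, resolve_external_entities):
    """Parse with xml.sax and return the text content.

    feature_external_ges is the only difference between the vulnerable and the safe configuration;
    Python has defaulted it to False since 3.7.1, so the vulnerable case must opt in explicitly.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def demo():
    """Return (leaked_text, safe_text) for one document parsed under both settings."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "system.ini")
        with open(target, "w") as f:
            f.write(SAMPLE_SYSTEM_INI)
        doc = xxe_document(target)
        leaked = parse_text(doc, resolve_external_entities=True)   # file contents spliced in
        safe = parse_text(doc, resolve_external_entities=False)    # entity skipped, nothing read
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("external entities resolved :", repr(leaked))
    print("external entities disabled :", repr(safe))
```

The leaked string is byte-for-byte the target file, which is why a file with predictable content and a predictable path (system.ini, as in the proof of concept) makes a convenient test target but is not where the value lies; the same entity declaration pointed at any other fixed path the user can read would come back the same way.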

      • #547642
        Microfix
        AskWoody MVP

        Are these file associations safe to use in a different browser as defaults?

        e.g. Chrome, Chromium, Palemoon, Waterfox, Firefox, Opera etc. have the facility to change these associations to the aforementioned browser.
        As it only mentions IE and Edge, no others.

        | Win8.1 Pro x64 | Linux Hybrids x86/x64 | Win7 Pro x86/x64 Offline |
        • #549892
          b
          AskWoody Plus

          My understanding is that Firefox, Palemoon, Waterfox may be less than ideal because Firefox can’t actually open .mht/.mhtml files (as Mozilla Archive Format extension went away), so will offer to open them in IE (defeating the purpose).

          I believe Chrome, Chromium, Opera would be fine. (I’ve associated Chromium Edge Dev, which can open .mht/.mhtml files.)

          Others have associated with Word, which can open .mht/.mhtml files (Word 2003 or later).

          But for anyone without a special use for MHT files, Notepad.exe is probably good enough.

          • #888281
            mn–
            AskWoody Lounger

            I note that Chrome doesn’t seem to register itself as a handler for these normally but some other Chromium-derived browsers do.

            However… it’d seem that if you happen to have preview pane on, it’ll render these with IE for that anyway regardless of the association? Not sure about thumbnail generation, didn’t get a thumbnail for my quick test .mhtml but…
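An added example, not code from this thread or from AskWoody: a read-only PowerShell audit of how the current machine handles .mht and .mhtml. It covers the three things raised in this thread: which program the association actually resolves to (the Notepad/EditPad change MikeMc and GoneToPlaid made, and the browser question Microfix asked), whether known extensions are hidden (b’s reader.txt.mht point), and whether a preview-pane handler is bound to the extension independently of the default app (mn--’s observation). Assumptions: Windows PowerShell 5.1 on Windows 7 through 10; the registry locations are the standard file-association keys and the shellex subkey Explorer uses for preview handlers; the function names are mine.

```powershell
# Added example (not from the AskWoody thread): read-only audit of .mht/.mhtml handling.
# Assumes Windows PowerShell 5.1 on Windows 7/8.1/10. Function names are the author's own.

# Shell-extension subkey under which Explorer looks up the preview-pane handler CLSID.
$PreviewHandlerKey = '{8895b1c6-b41f-4c1c-a562-0d564250836f}'

function Get-RegDefault {
    # Default value of a registry key, or $null if the key or the value does not exist.
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.'(default)' }
    return $null
}

function Get-ExtensionHandler {
    # Reports which ProgId and command open the extension, and whether a preview handler is bound to it.
    param([Parameter(Mandatory)][string]$Extension)   # e.g. '.mht'

    # A per-user choice (Settings > Default apps, or "Open with") overrides the machine default in HKCR.
    $userChoice = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice" -ErrorAction SilentlyContinue
    $progId = if ($userChoice) { $userChoice.ProgId } else { Get-RegDefault "Registry::HKEY_CLASSES_ROOT\$Extension" }

    $openCommand = $null
    if ($progId) { $openCommand = Get-RegDefault "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" }

    # Preview handlers are registered against the extension or its ProgId, not against the default app,
    # so changing the default app does not by itself change what the preview pane renders the file with.
    $preview = Get-RegDefault "Registry::HKEY_CLASSES_ROOT\$Extension\shellex\$PreviewHandlerKey"
    if ((-not $preview) -and $progId) {
        $preview = Get-RegDefault "Registry::HKEY_CLASSES_ROOT\$progId\shellex\$PreviewHandlerKey"
    }

    [pscustomobject]@{
        Extension      = $Extension
        ProgId         = $progId
        OpenCommand    = $openCommand
        PreviewHandler = $preview      # CLSID string, or $null if no preview handler is registered
    }
}

function Test-FileExtensionsHidden {
    # HideFileExt = 1 is the Explorer default: reader.txt.mht is displayed as reader.txt.
    $adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    return ($adv.HideFileExt -eq 1)
}

function Show-FileExtensions {
    # Per-user setting; Explorer applies it after explorer.exe is restarted or the user signs out and in.
    Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -Name HideFileExt -Value 0
}

foreach ($ext in '.mht', '.mhtml') {
    Get-ExtensionHandler -Extension $ext | Format-List
}
if (Test-FileExtensionsHidden) {
    Write-Warning 'Known file extensions are hidden; run Show-FileExtensions to display them.'
}
```

Two checks worth reading in the output: OpenCommand is the program that will actually launch on a double-click after any change you made, and PreviewHandler tells you whether the preview pane still has its own handler for the extension regardless of that change. The script deliberately does not write the association: on Windows 10 the UserChoice key carries a hash that Explorer validates, so the default app is changed through Settings > Default apps or the "Open with" dialog rather than by editing the registry directly.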

      • #552178
        anonymous
        Guest

        ? says:

        thank you for letting us know about this one. I found this list of programs on nirsoft that shows where the .mht extension can be opened:

        http://extension.nirsoft.net/mht