
  • That Internet Explorer XXE zero day poking through to Edge

      • #540577
        woody
        Manager

        I’ve been slammed for the past few days, and haven’t kept you folks apprised of the latest Internet Explorer 0day. It depends on you opening an infect
        [See the full post at: That Internet Explorer XXE zero day poking through to Edge]

      • #540724
        anonymous
        Guest

        Any chance this will be fixed on the next Patch Tuesday?

        • #541658
          Paul T
          AskWoody MVP

          We’d like to be prescient, but even if we were MS would probably be too bizarre to be able to predict.

          The easiest patch is to NOT use IE or Edge and make sure your browser is up to date.

          cheers, Paul

      • #541656
        MikeMc
        AskWoody Lounger

        Until this is fixed, I created a text file and then changed the extension to .mht. I then associated the file type with Notepad. Not sure how good this is, but it should be better than having the extension associated with IE.

      • #542988
        GoneToPlaid
        AskWoody Plus

        I just did something similar. I set both .MHT and .MHTML files to open in Editpad Lite by default. I chose Editpad Lite since the maximum file size which it can open is 2GB. Thus I figure there is no chance of a buffer overflow.

        • #543162
          GoneToPlaid
          AskWoody Plus

          I just changed the file associations back to IE since I don’t have Edge. The exploit only works on computers which have Edge.

        • #545970
          warrenrumak
          AskWoody Lounger

          I guess this is a fine fix, if you don’t trust yourself not to download, then double-click on, an MHT file from an unknown source.

          Have you ever done that before?  I sure haven’t.


          • #546381
            b
            AskWoody MVP

            No, but with extensions hidden by default a file could be named reader.txt.mht and appear as only reader.txt.

            (I’ve always thought that’s the craziest default ever, and I unhide extensions on any computer I touch.)

            Windows 10 Pro version 21H1 build 19043.1081 + Microsoft 365 (group ASAP)

            • #549782
              warrenrumak
              AskWoody Lounger

              You still had to choose to download the file from an unknown source, and you had to choose to open it.

              If an attacker can convince you to do that, they probably could convince you to download and run an executable. Or a PowerShell script. Or a batch file. Or a .vbs file. Or a malicious RAR file that targets WinRAR.

              Also, one would presume that most of the major AV vendors already have a heuristics check in place that’ll detect this particular attack. Inspecting and flagging dodgy MHT files is something they’ve been doing for almost 20 years... it’s hardly new ground.


      • #544292
        b
        AskWoody MVP

        A few observations:

        1. Not using IE doesn’t help, as long as it’s enabled and associated with .mht and/or .mhtml files.

        Fred Langa says today: “Even if you never use IE, never click on it, or never call it up in any way, it’s there, and this new exploit can make use of it. In fact, if you use any version of Windows, you almost surely have IE on your PC.” (Microsoft Windows users take note)

        2. The exploit can only read and transmit a named file from a known location. The proof of concept used c:\windows\system.ini which is probably identical on billions of computers. Which file on my computer would you like to read which could subject me to some form of future danger or even privacy invasion?

        3. The original author said the exploit proof of concept had also been tested on Windows 7 and Server 2012 R2, but perhaps that was with an HTM file previously downloaded via Edge on Windows 10?

        Windows 10 Pro version 21H1 build 19043.1081 + Microsoft 365 (group ASAP)

        • #545241
          woody
          Manager

          I believe you’re right on all three points.

        • #545362
          GoneToPlaid
          AskWoody Plus

          Oops! I get it now. It doesn’t matter whether or not your computer has Edge. A hacker merely needs to push a similar Edge modified .HTM file to any Windows PC which has recent versions of IE.

          I am changing the .MHT and .MHTML associations from IE to EditPad Lite.


      • #547642
        Microfix
        AskWoody MVP

        Are these file associations safe to use in a different browser as defaults?

        i.e. Chrome, Chromium, Palemoon, Waterfox, Firefox, Opera etc.. have the facility to change these associations to the aforementioned browser.
        As it only mentions IE and Edge, no others.

        | Quality over Quantity |
        • #549892
          b
          AskWoody MVP

          My understanding is that Firefox, Palemoon, Waterfox may be less than ideal because Firefox can’t actually open .mht/.mhtml files (as Mozilla Archive Format extension went away), so will offer to open them in IE (defeating the purpose).

          I believe Chrome, Chromium, Opera would be fine. (I’ve associated Chromium Edge Dev, which can open .mht/.mhtml files.)

          Others have associated with Word, which can open .mht/.mhtml files (Word 2003 or later).

          But for anyone without a special use for MHT files, Notepad.exe is probably good enough.

          Windows 10 Pro version 21H1 build 19043.1081 + Microsoft 365 (group ASAP)

          • #888281
            mn–
            AskWoody Lounger

            I note that Chrome doesn’t seem to register itself as a handler for these normally but some other Chromium-derived browsers do.

            However… it’d seem that if you happen to have preview pane on, it’ll render these with IE for that anyway regardless of the association? Not sure about thumbnail generation, didn’t get a thumbnail for my quick test .mhtml but…
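            Several posts above rely on two Windows settings that are easy to get wrong by eye: which program (and which preview handler) is registered for .mht/.mhtml, and whether Explorer hides extensions so that reader.txt.mht shows as reader.txt. The script below is an added example for checking both; it is not from the AskWoody thread or from Microsoft. It is read-only, and it assumes the standard Windows 10/11 registry layout: the per-user default lives under Explorer\FileExts\<ext>\UserChoice, the preview handler under ShellEx\{8895b1c6-b41f-4c1c-a562-0d564250836f} (the IPreviewHandler interface ID) on the extension or ProgID, and "opens in IE" is a heuristic of my own (iexplore.exe in the open command, or the built-in mhtmlfile/htmlfile ProgIDs).

```powershell
# Added example (not from the thread): audit how Windows handles .mht/.mhtml
# files and whether Explorer hides file extensions. Read-only; run in a
# normal PowerShell session. Registry paths and the "OpensInIE" rule are
# assumptions about a standard Windows 10/11 layout.

$PreviewHandlerIID = '{8895b1c6-b41f-4c1c-a562-0d564250836f}'   # IPreviewHandler

function Get-MhtHandlerInfo {
    param([string[]]$Extensions = @('.mht', '.mhtml'))

    foreach ($ext in $Extensions) {
        # 1. Machine-wide ProgID (HKCR is the merged view of HKLM/HKCU classes).
        $hkcrExt = "Registry::HKEY_CLASSES_ROOT\$ext"
        $machineProgId = (Get-ItemProperty -Path $hkcrExt -ErrorAction SilentlyContinue).'(default)'

        # 2. Per-user override written by Settings > Default apps. Windows 10+
        #    hash-protects this key, so we only read it here.
        $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
        $userProgId = (Get-ItemProperty -Path $userChoice -ErrorAction SilentlyContinue).ProgId

        $effective = if ($userProgId) { $userProgId } else { $machineProgId }

        # 3. Resolve the effective ProgID to the command run on double-click.
        $command = $null
        if ($effective) {
            $cmdKey = "Registry::HKEY_CLASSES_ROOT\$effective\shell\open\command"
            $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        }

        # 4. Preview handler: the preview pane uses this, not the open command,
        #    so a Notepad association alone does not change what renders here.
        $preview = $null
        $bases = @($hkcrExt)
        if ($effective) { $bases += "Registry::HKEY_CLASSES_ROOT\$effective" }
        foreach ($base in $bases) {
            $p = (Get-ItemProperty -Path "$base\ShellEx\$PreviewHandlerIID" -ErrorAction SilentlyContinue).'(default)'
            if ($p) { $preview = $p; break }
        }

        [pscustomobject]@{
            Extension       = $ext
            MachineProgId   = $machineProgId
            UserProgId      = $userProgId
            EffectiveProgId = $effective
            OpenCommand     = $command
            PreviewHandler  = $preview
            # Heuristic (assumption): iexplore.exe, or the stock mhtmlfile/htmlfile
            # ProgIDs, means the file lands in the IE (MSHTML) engine.
            OpensInIE       = [bool](($command -match 'iexplore\.exe') -or ($effective -in @('mhtmlfile', 'htmlfile')))
        }
    }
}

function Get-HiddenExtensionSetting {
    # HideFileExt = 1 (the Windows default) makes reader.txt.mht display as reader.txt.
    $advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $v = (Get-ItemProperty -Path $advKey -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
    [pscustomobject]@{
        HideFileExt         = $v
        ExtensionsAreHidden = ($v -ne 0)   # a missing value also means hidden
    }
}

# To show extensions (new Explorer windows pick it up after explorer.exe restarts):
# Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -Name HideFileExt -Value 0 -Type DWord

Get-HiddenExtensionSetting | Format-List
Get-MhtHandlerInfo | Format-List
```

            Two things to read off the output. If EffectiveProgId comes from UserChoice, changing it has to go through Settings > Default apps > Choose default apps by file type (the Notepad/EditPad approach in the posts above), since the UserChoice key cannot be rewritten by a plain script. And if PreviewHandler is non-empty while OpenCommand already points at Notepad, the preview pane is still a separate path, which is the point made in the post just above; turning the preview pane off is the corresponding mitigation.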

      • #552178
        anonymous
        Guest


        thank you for letting us know about this one. i found this list of programs on nirsoft that shows where the .mht extension can be opened:

        http://extension.nirsoft.net/mht

