  • That Internet Explorer XXE zero day poking through to Edge


    This topic contains 16 replies, has 9 voices, and was last updated by mn– 2 months, 3 weeks ago.

    • #540577 Reply

      woody
      Da Boss

      I’ve been slammed for the past few days, and haven’t kept you folks apprised of the latest Internet Explorer 0day. It depends on you opening an infect
      [See the full post at: That Internet Explorer XXE zero day poking through to Edge]

      5 users thanked author for this post.
    • #540724 Reply

      anonymous

      Any chance this will be fixed on the next Patch Tuesday?

      • #541658 Reply

        Paul T
        AskWoody MVP

        We’d like to be prescient, but even if we were MS would probably be too bizarre to be able to predict.

        The easiest patch is to NOT use IE or Edge and make sure your browser is up to date.

        cheers, Paul

        3 users thanked author for this post.
    • #541656 Reply

      MikeMc
      AskWoody Lounger

      Until this is fixed, I created a text file and then changed the extension to .mht . I then associated the file type with notepad. Not sure how good this is, but it should be better than having the extension being associated with IE.

      1 user thanked author for this post.
    • #542988 Reply

      GoneToPlaid
      AskWoody Plus

      I just did something similar. I set both .MHT and .MHTML files to open in Editpad Lite by default. I chose Editpad Lite since the maximum file size which it can open is 2GB. Thus I figure there is no chance of a buffer overflow.

      1 user thanked author for this post.
      • #543162 Reply

        GoneToPlaid
        AskWoody Plus

        I just changed the file associations back to IE since I don’t have Edge. The exploit only works on computers which have Edge.

        1 user thanked author for this post.
      • #545970 Reply

        warrenrumak
        AskWoody Plus

        I guess this is a fine fix, if you don’t trust yourself to not download, then double-click on an MHT file from an unknown source.

        Have you ever done that before?  I sure haven’t.

         

        • #546381 Reply

          b
          AskWoody Plus

          No, but with extensions hidden by default a file could be named reader.txt.mht and appear as only reader.txt.

          (I’ve always thought that’s the craziest default ever, and I unhide extensions on any computer I touch.)

          Knuckle dragger Cannon fodder Chump Daft glutton Idiot Crazy/Ignorant Toxic drinker Blockhead Unwashed mass Seeker/Sucker "Ancient/Obsolete" (Group ASAP) Win10 v.1903

          2 users thanked author for this post.
          • #549782 Reply

            warrenrumak
            AskWoody Plus

            You still had to choose to download the file from an unknown source, and you had to choose to open it.

            If an attacker can convince you to do that, they probably could convince you to download and run an executable.  Or a Powershell script.  Or a batch file.  Or a vbs file.  Or a malicious RAR file that targets WinRAR.

            Also, one would presume that most of the major AV vendors already have a heuristics check in place that’ll detect this particular attack.  Inspecting and flagging dodgy MHT files is something they’ve been doing for almost 20 years…. it’s hardly new ground.

             

    • #544292 Reply

      b
      AskWoody Plus

      A few observations:

      1. Not using IE doesn’t help, as long as it’s enabled and associated with .mht and/or .mhtml files.

      Fred Langa says today; “Even if you never use IE, never click on it, or never call it up in any way, it’s there, and this new exploit can make use of it. In fact, if you use any version of Windows, you almost surely have IE on your PC.” Microsoft Windows users take note

      2. The exploit can only read and transmit a named file from a known location. The proof of concept used c:\windows\system.ini which is probably identical on billions of computers. Which file on my computer would you like to read which could subject me to some form of future danger or even privacy invasion?

      3. The original author said the exploit proof of concept had also been tested on Windows 7 and Server 2012 R2, but perhaps that was with an HTM file previously downloaded via Edge on Windows 10?

      Knuckle dragger Cannon fodder Chump Daft glutton Idiot Crazy/Ignorant Toxic drinker Blockhead Unwashed mass Seeker/Sucker "Ancient/Obsolete" (Group ASAP) Win10 v.1903

      1 user thanked author for this post.
      • #545241 Reply

        woody
        Da Boss

        I believe you’re right on all three points.

        1 user thanked author for this post.
      • #545362 Reply

        GoneToPlaid
        AskWoody Plus

        Oops! I get it now. It doesn’t matter whether or not your computer has Edge. A hacker merely needs to push a similar Edge modified .HTM file to any Windows PC which has recent versions of IE.

        I am changing the .MHT and .MHTML associations from IE to EditPad Lite.

         

    • #547642 Reply

      Microfix
      Da Boss

      Are these file associations safe to use in a different browser as defaults?

      i.e. Chrome, Chromium, Palemoon, Waterfox, Firefox, Opera etc.. have the facility to change these associations to the aforementioned browser.
      As it only mentions IE and Edge, no others.

      ********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********

      • #549892 Reply

        b
        AskWoody Plus

        My understanding is that Firefox, Palemoon, Waterfox may be less than ideal because Firefox can’t actually open .mht/.mhtml files (as Mozilla Archive Format extension went away), so will offer to open them in IE (defeating the purpose).

        I believe Chrome, Chromium, Opera would be fine. (I’ve associated Chromium Edge Dev, which can open .mht/.mhtml files.)

        Others have associated with Word, which can open .mht/.mhtml files (Word 2003 or later).

        But for anyone without a special use for MHT files, Notepad.exe is probably good enough.

        Knuckle dragger Cannon fodder Chump Daft glutton Idiot Crazy/Ignorant Toxic drinker Blockhead Unwashed mass Seeker/Sucker "Ancient/Obsolete" (Group ASAP) Win10 v.1903

        1 user thanked author for this post.
        • #888281 Reply

          mn–
          AskWoody Lounger

          I note that Chrome doesn’t seem to register itself as a handler for these normally but some other Chromium-derived browsers do.

          However… it’d seem that if you happen to have preview pane on, it’ll render these with IE for that anyway regardless of the association? Not sure about thumbnail generation, didn’t get a thumbnail for my quick test .mhtml but…

    • #552178 Reply

      anonymous

      ? says:

      thank you for letting us know about this one. i found this list of programs on nirsoft that shows where the .mht extension can be opened:

      http://extension.nirsoft.net/mht

       

      2 users thanked author for this post.
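
    A read-only check of the two settings discussed in this thread, as an added example that is not part of any post: which program is registered to open .mht and .mhtml files, and whether Explorer hides file extensions. The function names are made up for the example; the registry locations are the standard Windows ones.

```powershell
# Added example: read-only audit of the .mht/.mhtml handler and of hidden extensions.
function Get-RegDefault {
    param([string]$KeyPath)
    # Returns the (Default) value of a registry key, or $null if the key is absent.
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue('') }
}

function Get-ExtensionHandler {
    param([Parameter(Mandatory)][string]$Extension)

    # A per-user choice ("Open with" / Default apps) overrides the class default.
    $choice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    $progId = (Get-ItemProperty -LiteralPath $choice -ErrorAction SilentlyContinue).ProgId
    $source = 'UserChoice'
    if (-not $progId) {
        $progId = Get-RegDefault "Registry::HKEY_CLASSES_ROOT\$Extension"
        $source = 'HKCR default'
    }

    $command = $null
    if ($progId) {
        $command = Get-RegDefault "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    }

    [pscustomobject]@{
        Extension = $Extension
        Source    = $source
        ProgId    = $progId
        Command   = $command
        # True when the registered open command launches Internet Explorer.
        OpensInIE = [bool]($command -match 'iexplore\.exe')
    }
}

function Test-ExtensionsHidden {
    # HideFileExt = 0 means Explorer shows extensions; 1 or missing means hidden.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $value = (Get-ItemProperty -LiteralPath $adv -ErrorAction SilentlyContinue).HideFileExt
    return ($value -ne 0)
}

'.mht', '.mhtml' | ForEach-Object { Get-ExtensionHandler $_ } | Format-List
if (Test-ExtensionsHidden) {
    'Explorer hides known extensions: reader.txt.mht is displayed as reader.txt'
} else {
    'Explorer shows file extensions'
}
```

    The script only reports the open-command association; it does not examine the preview pane behaviour raised in the last reply above.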
