That Internet Explorer XXE zero day poking through to Edge

Topic

New Reply

I’ve been slammed for the past few days, and haven’t kept you folks apprised of the latest Internet Explorer 0day. It depends on you opening an infect
[See the full post at: That Internet Explorer XXE zero day poking through to Edge]

5 users thanked author for this post.

Lori, Elly, GreatAndPowerfulTech, Microfix, Myst

Reply | Quote

Replies

Any chance this will be fixed on the next Patch Tuesday?

Reply | Quote

We’d like to be prescient, but even if we were MS would probably be too bizarre to be able to predict.

The easiest patch is to NOT use IE or Edge and make sure your browser is up to date.

cheers, Paul

3 users thanked author for this post.

Elly, woody, Myst

Reply | Quote

Until this is fixed, I created a text file and then changed the extension to .mht . I then associated the file type with notepad. Not sure how good this is, but it should be better than having the extension being associated with IE.

1 user thanked author for this post.

Paul T

Reply | Quote

I’m seeing a lot of advice to disable IE, but I bet your fix works just as well.

https://twitter.com/AskWoody/status/1118864901139783680

Reply | Quote

I just did something similar. I set both .MHT and .MHTML files to open in Editpad Lite by default. I chose Editpad Lite since the maximum file size which it can open is 2GB. Thus I figure there is no chance of a buffer overflow.

1 user thanked author for this post.

woody

Reply | Quote

I just changed the file associations back to IE since I don’t have Edge. The exploit only works on computers which have Edge.

1 user thanked author for this post.

Myst

Reply | Quote

I guess this is a fine fix, if you don’t trust yourself to not download, then double-click on an MHT files from an unknown source.

Have you ever done that before?  I sure haven’t.

 

Reply | Quote

No, but with extensions hidden by default a file could be named reader.txt.mht and appear as only reader.txt.

(I’ve always thought that’s the craziest default ever, and I unhide extensions on any computer I touch.)

2 users thanked author for this post.

Lori, Elly

Reply | Quote

You still had to choose to download the file from an unknown source, and you had to choose to open it.

If an attacker can convince you to do that, they probably could convince you to download and run an executable.  Or a Powershell script.  Or a batch file.  Or a vbs file.  Or a malicious RAR file that targets WinRAR.

Also, one would presume that most of the major AV vendors already have a heuristics check in place that’ll detect this particular attack.  Inspecting and flagging dodgy MHT files something they’ve been doing for almost 20 years…. it’s hardly new ground.

 

Reply | Quote

A few observations:

1. Not using IE doesn’t help, as long as it’s enabled and associated with .mht and/or .mhtml files.

Fred Langa says today; “Even if you never use IE, never click on it, or never call it up in any way, it’s there, and this new exploit can make use of it. In fact, if you use any version of Windows, you almost surely have IE on your PC.” Microsoft Windows users take note

2. The exploit can only read and transmit a named file from a known location. The proof of concept used c:\windows\system.ini which is probably identical on billions of computers. Which file on my computer would you like to read which could subject me to some form of future danger or even privacy invasion?

3. The original author said the exploit proof of concept had also been tested on Windows 7 and Server 2012 R2, but perhaps that was with an HTM file previously downloaded via Edge on Windows 10?

1 user thanked author for this post.

woody

Reply | Quote

I believe you’re right on all three points.

1 user thanked author for this post.

b

Reply | Quote

Oops! I get it now. It doesn’t matter whether or not your computer has Edge. A hacker merely needs to push a similar Edge modified .HTM file to any Windows PC which has recent versions of IE.

I am changing the .MHT and .MHTML associations from IE to EditPad Lite.

 

Reply | Quote

Are these file associations safe to use in a different browser as defaults?

i.e. Chrome, Chromium, Palemoon, Waterfox, Firefox, Opera etc.. have the facility to change these associations to the aforementioned browser.
As it only mentions IE and Edge, no others.

Windows - commercial by definition and now function...

Reply | Quote

My understanding is that Firefox, Palemoon, Waterfox may be less than ideal because Firefox can’t actually open .mht/.mhtml files (as Mozilla Archive Format extension went away), so will offer to open them in IE (defeating the purpose).

I believe Chrome, Chromium, Opera would be fine. (I’ve associated Chromium Edge Dev, which can open .mht/.mhtml files.)

Others have associated with Word, which can open .mht/.mhtml files (Word 2003 or later).

But for anyone without a special use for MHT files, Notepad.exe is probably good enough.

1 user thanked author for this post.

Lori

Reply | Quote

I note that Chrome doesn’t seem to register itself as a handler for these normally but some other Chromium-derived browsers do.

However… it’d seem that if you happen to have preview pane on, it’ll render these with IE for that anyway regardless of the association? Not sure about thumbnail generation, didn’t get a thumbnail for my quick test .mhtml but…

Reply | Quote

? says:

thank you for letting us know about this one. i found this list of programs on nirsoft that shows where the .mht extension can be opened:

http://extension.nirsoft.net/mht

 

2 users thanked author for this post.

Sandman, PKCano

Reply | Quote