To block the latest zero day, instead of removing Internet Explorer, just short-circuit access to MHT files

      • #545287 Reply
        woody
        Da Boss

        It’s pretty easy, if you know the tricks. Step-by-step details coming in Computerworld.
        [See the full post at: To block the latest zero day, instead of removing Internet Explorer, just short-circuit access to MHT files]

      • #546232 Reply
        anonymous
        Guest

        You could be smart and just 0-Patch it. It’s already been patched for 3 days now:

        https://blog.0patch.com/2019/04/microsoft-edge-uses-secret-trick-and.html

        • #548556 Reply
          woody
          Da Boss

          0patch is great but I just can’t bring myself to recommend (or support) a 3rd-party fix to Windows binaries. See this:

          The 0patch company has a quick patch that you can apply, free, if you’re concerned about getting burned. I’m not going to link to it — I don’t want to take responsibility for 3rd-party patches to Windows — but you can find it quite easily if you’re really interested. That said, 0patch is highly regarded, and has made many useful hotfixes for Windows.

        • #565285 Reply
          anonymous
          Guest

          The 0patch blog states that the patch is only available for fully updated windows versions. Since we are still at MS-DEFCON 2, most of us won’t be fully updated yet.

          I am on 1809 and am still waiting for the go-ahead. I have 0patch installed, the patches are shown as available in the installed patch list, but not amongst the patchable modules. So I would need to update to the latest Quality Update for it to work.

          • #569305 Reply
            anonymous
            Guest

            Just to confirm, having just updated to the latest 1809 (I use ESET AV which is apparently unaffected by this update’s issue), the 0patch fix has now cut in and is now appearing in the “patchable modules” list.

      • #546857 Reply
        anonymous
        Guest

        On my Win7 machine, the steps were slightly different from the Computerworld article.
        Start-Default Programs-Associate a file type or protocol with a program, then click on mht and change it.

        What about mhtml extension – is it also vulnerable, should it also be changed?

        • #555978 Reply
          anonymous
          Guest

          Thanks for confirming what seemed like a simple and logical block.

      • #547539 Reply
        davinci953
        AskWoody Plus

        <snip>

        What about mhtml extension – is it also vulnerable, should it also be changed?

        I was curious about that extension as well.  For now I just associated the file type with my default browser instead of IE on my Windows 7 system. In reading the article on 0patch, it appears that the exploit works on Windows 10 when using Edge but not Windows 7 with IE only. YMMV.

      • #547864 Reply
        EstherD
        AskWoody Plus

        So this “workaround” for Win7 is fine for a single user machine. But what about machines configured with multiple users? I don’t want to, and in some cases cannot, log in and do the workaround for each user individually. Is there some way to configure these file associations system-wide in one fell swoop?

      • #547842 Reply
        anonymous
        Guest

        and how to put it back on Windows 10 when MS gets around to fixing it?

      • #548196 Reply
        KarenS
        AskWoody Lounger

        I don’t seem to have Notepad.exe on my Windows 7 Home Premium 32-bit laptop, but I do see Microsoft Word at the top next to Internet Explorer when I click on “change program”. Is it okay to use that instead??

        WAIT……when I click on the little arrow next to “other programs” I see Notepad……IS that what I am looking for??

        Thanks!

        2 users thanked author for this post.
        • #548445 Reply
          PKCano
          Da Boss

          Notepad is under Start>All Programs>Accessories

          1 user thanked author for this post.
        • #548819 Reply
          woody
          Da Boss

          Yep. That works, too. I shoulda caught that one!

          1 user thanked author for this post.
        • #552405 Reply
          EstherD
          AskWoody Plus

          Was doing this on a per-user basis by clicking “Browse” and then following the Yellow Brick Road to C:\Windows\Notepad. Clicking the disclosure triangle in “Other Programs” definitely speeds up the process considerably. Thanks, Karen!

      • #548055 Reply
        anonymous
        Guest

        I’ve delinked the MHT & MHTML file associations & handling from Internet Explorer on my Win 7 SP1. So when such files are clicked, there is a popup asking which program I wish to use to open the file.

        That being said, if Windows Explorer’s preview pane is enabled, selecting a MHT/MHTML will result in its contents being displayed in the preview pane.

        I assume Windows Explorer & its preview pane are intimately powered by (or entangled with) Internet Explorer — or at least that’s my impression from countless warnings to keep Internet Explorer patched, whether one explicitly uses it or not.

        As such, can the zero-day MHT/MHTML security vulnerability be exploited via Windows Explorer’s preview pane — or even when a malicious MHT/MHTML file is merely selected in Windows Explorer with the preview pane disabled ? If yes, what is the remedy ?

      • #548269 Reply
        anonymous
        Guest

        I also changed mhtml to notepad. Not sure if that will cause any problems but I wanted to be safe.

        I had a LOL moment following your directions so closely. Your sequence seemed off until I remembered my computer defaults to control panel> all control panel items.

      • #549301 Reply
        Charlie
        AskWoody Plus

        We are all assuming that MHT/MHTML files cannot do any damage when directed to be run with Notepad.  Are we absolutely sure about that?  I’d rather direct them to the Recycle Bin if that was possible.

        Win 7 Still Alive, x64, Intel i3-2120 3.3GHz, Linux Mint 19.1

        • #556357 Reply
          anonymous
          Guest

          Happy to be corrected but my logic is htm with Notepad does not ‘execute’ the file via a browser but only reads the content.

          1 user thanked author for this post.
      • #549640 Reply
        seamonkey420
        AskWoody Lounger

        i’ve tracked down a way to possibly programmatically set notepad.exe to open mht and mhtml files. outlined the assoc and ftype commands w/registry keys here:

        https://seamonkey420x.blogspot.com/2019/04/programmatically-associating-mht-and.html

        IE still shows in list of apps to open with the first time you open a mht or mhtml file but notepad is set as the default. 🙂

        hope that helps others that need a fix for a fleet of workstations.

      • #552303 Reply
        EstherD
        AskWoody Plus

        Still looking for a method to apply this workaround system-wide, rather than just per-user. Anyone?

      • #552879 Reply
        OscarCP
        AskWoody Plus

        According to davinci953: “In reading the article on 0patch, it appears that the exploit works on Windows 10 when using Edge but not Windows 7 with IE only. YMMV.”

        Could this be true about Windows 7 with IE11? Reading other comments here, this does not seem to be the case, but I rather ask a question that looks to have an obvious answer, when something important, such as a 0-day vulnerability, is the relevant issue and I want to double-check the information I have about it.

        You would be surprised how often I’ve had useful and not at all obvious answers this way.

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

      • #552608 Reply
        anonymous
        Guest

        Thanks! Worked just as advertised. A question though.

        I have a Microsoft account. Will this “fix” carry over for all of my computers using the account, or does this work only on the one computer on which I set it up?

        = Ax Kramer

      • #553299 Reply
        anonymous
        Guest

        In an elevated command window:

        assoc .mht=txtfile

        if set as admin seems to carry over to a newly created account on both win7 and win10.

        Anyone want to confirm?

        Cheers.
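
        The one-machine assoc command above, together with the earlier request for a way to apply the change system-wide rather than per user, as an added PowerShell example (not from this thread or from any poster): it reports the machine-wide and the current user's association for each listed extension and, with -Apply, sets the machine-wide default to the txtfile ProgID through the same assoc/ftype mechanism. The script name, the -Apply switch and the extension list are my own choices; it assumes an elevated prompt and the stock txtfile ProgID, which ftype maps to NOTEPAD.EXE.

```powershell
# Added example, not from the thread: inspect and optionally set the machine-wide
# "open with" association for the given extensions. Run from an elevated prompt.
[CmdletBinding()]
param(
    [string[]]$Extensions = @('.mht', '.mhtml'),  # extend with other extensions if wanted
    [string]$TargetProgId = 'txtfile',            # stock ProgID that ftype maps to NOTEPAD.EXE
    [switch]$Apply                                # without -Apply the script only reports
)

# Machine-wide default: HKLM\Software\Classes\<ext>; this is the value 'assoc' edits.
function Get-MachineProgId([string]$Ext) {
    $key = "Registry::HKEY_LOCAL_MACHINE\Software\Classes\$Ext"
    if (Test-Path $key) { return (Get-Item $key).GetValue('') }
    return $null
}

# Per-user override: Explorer's UserChoice key for the current account. When present
# it wins over the machine-wide value, which is why a per-user "Open with" change
# does not help other accounts and why a machine-wide change may not show for this one.
function Get-UserChoiceProgId([string]$Ext) {
    $key = "Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Ext\UserChoice"
    if (Test-Path $key) { return (Get-Item $key).GetValue('ProgId') }
    return $null
}

# Resolve a ProgID to the command line it launches (HKCR\<ProgId>\shell\open\command).
function Get-OpenCommand([string]$ProgId) {
    if (-not $ProgId) { return $null }
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open\command"
    if (Test-Path $key) { return (Get-Item $key).GetValue('') }
    return $null
}

foreach ($ext in $Extensions) {
    $machine = Get-MachineProgId $ext
    $user    = Get-UserChoiceProgId $ext
    Write-Host ("{0,-7} machine={1,-20} command={2}" -f $ext, $machine, (Get-OpenCommand $machine))
    if ($user) {
        # A UserChoice entry means this account will not follow the machine-wide value.
        Write-Host ("        user override={0,-15} command={1}" -f $user, (Get-OpenCommand $user))
    }
    if ($Apply -and $machine -ne $TargetProgId) {
        # 'assoc' is a cmd.exe built-in; it writes HKLM\Software\Classes\<ext>.
        & cmd.exe /c "assoc $ext=$TargetProgId" | Out-Null
        Write-Host ("        set machine default: {0} -> {1}" -f $ext, $TargetProgId)
    }
}

if ($Apply) {
    # Sanity check: the target ProgID must resolve to Notepad, otherwise the association
    # points at nothing. 'ftype' prints e.g. txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
    & cmd.exe /c "ftype $TargetProgId"
}
```

        Run it once without -Apply on each Windows version to see whether an existing per-user override is the reason the machine-wide change appears not to take effect.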

      • #555261 Reply
        MyAussie
        AskWoody Plus

        Having followed the instructions my “MHT File” is now directed to notepad, etc.

        Instructions were spot on!     THANKS

        Should this fix also be done for MHTML Document to be directed to Notepad?

        Win 7 Home, X64, SP1, Group B

        Edited for HTML. Please use Text tab for copy/paste.

        1 user thanked author for this post.
      • #555764 Reply
        KarenS
        AskWoody Lounger

        A question was asked earlier by someone but it has not been answered…..Is it advised that we follow the same procedure for mhtml files as we do for mht files?

        3 users thanked author for this post.
      • #556238 Reply
        davinci953
        AskWoody Plus

        According to davinci953: ” In reading the article on 0patch, it appears that the exploit works on Windows 10 when using Edge but not Windows 7 with IE only. YMMV. ” Could this be true about Windows 7 with IE11? Reading other comments here, this does not seem to be the case, but I rather ask a question that looks to have an obvious answer, when something important, such as a 0-day vulnerability, is the relevant issue and I want to double-check the information I have about it. You would be surprised how often I’ve had useful and not at all obvious answers this way.

        Read the 0patch article that ‘anonymous’ links to above. That was my interpretation from the article. I guess the validity of the findings depends on how accurate their analysis is about the exploit. I still changed the file associations. Better safe than sorry until MS gets it sorted out.

        • #557377 Reply
          OscarCP
          AskWoody Plus

          davinci953:

          I have found a link in one of the several “anonymous” entries above ours, which might be the one you were referring to, and in the article there the interaction of Edge and IE11 was discussed, the bottom line, as I understand it, being that one might have a vulnerability if one has both Edge and IE11 installed:

          “See the irony here? An undocumented security feature used by Edge neutralized an existing, undoubtedly much more important feature (mark-of-the-web) in Internet Explorer.

          This is clearly a significant security issue, especially since the attack can be further improved from what was originally demonstrated. We have found that:

          1. the malicious MHT file doesn’t have to be downloaded and manually opened by the user – just opening it directly from Edge can be made to work as well;
          2. the exploit can be enhanced so that it works more silently, and extracts many local files using a single MHT file.

          On the upside, only Edge users are at risk. No other leading web browsers and email clients we’ve tested are using the undocumented security flag on the downloaded files, which effectively blocks the exploit. ”

          I have Windows 7 Pro, x64 SP1, and these browsers: IE11, Chrome, FireFox and Waterfox. No Edge anywhere to be found, and that is how I intend to keep it until I breathe my last.

          So I am thinking that the problem, if I understand correctly the excerpt of the article I’ve copied above, is for people that, for whatever arcane reason of theirs, have Edge in Windows 7. So: not for me.

          Anybody here knows otherwise?

          Also, davinci953 has had what might be a good idea: to associate MHT (and MHTML?) to the default browser, rather than to Notepad, assuming this default is not IE11 (if yours is, then make another browser your default one ASAP!).

          Anybody here thinks that is not such a good idea?

          Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

      • #559332 Reply
        gkarasik
        AskWoody Plus

        I ran into a wrinkle: After changing the .MHT file association to Notepad, the next time I opened IE11 (Win7 Ent 32-bit), IE asked if I wanted to make IE my default browser. When I said Yes, the .MHT association was changed back to Internet Explorer. I then went to IE Options, Programs, and unchecked “Tell me if Internet Explorer is not the default option” and then reset the .MHT association to Notepad, after which starting IE no longer changed the association back to IE.

        GaryK

        2 users thanked author for this post.
      • #564165 Reply
        anonymous
        Guest

        The difference (and why I would recommend it), is that you can apply it temporarily if need be until Microsoft patches it.

        If you feel you can wait that long, then how important was it to you in the first place?

      • #565453 Reply
        anonymous
        Guest

        If a malicious .mht file is renamed to .htm and opened in Internet Explorer, would it still be treated as a .mht file? If so then wouldn’t that break/defeat the fix presented here?

        1 user thanked author for this post.
        • #566719 Reply
          gkarasik
          AskWoody Plus

          “If a malicious .mht file is renamed to .htm and opened in Internet Explorer, would it still be treated as a .mht file? If so then wouldn’t that break/defeat the fix presented here?”

          Oops.

          GaryK

      • #573005 Reply
        honx
        AskWoody Lounger

        thx for advice. on windows 7 i linked both .mht and .mhtml to notepad.exe, to be on the safe side. windows 8.1 notebook i won’t power on anymore until next defcon 3 or greater state here on askwoody. so i did nothing on 8.1 as i assume this 0day will be fixed once april ie patch is clear to install…

        PC: Windows 7 Ultimate, 64bit, Group B
        Notebook: Windows 8.1, 64bit, Group B

      • #574070 Reply
        davews
        AskWoody Plus

        I use MHT extensively here for local archive purposes. I open them from PaleMoon with the MozArchiver extension which also works with Firefox. The original version of Opera opened them natively. It is not exclusively an IE format. I do not use IE, full stop, and the default on my machines to open MHT is PaleMoon.

        Again we have Woody coming up with rash suggestions without knowing the full facts, just as he did with the WinRar ACE issue. I would normally support what he says but now I am not so sure.

        • #586640 Reply
          Paul T
          AskWoody MVP

          From the headline of Woody’s CW article. The bolding is mine.

          It turns out there’s a much simpler way to fix the problem, as long as you don’t rely on MHT files

          cheers, Paul

          1 user thanked author for this post.
        • #609487 Reply
          davews
          AskWoody Plus

          Woody, see https://www.wilderssecurity.com/threads/internet-explorer-zero-day-lets-hackers-steal-files-from-windows-pcs.415558/

          It is a bit more involved than you suggest. Vulnerable files have to be downloaded via Edge and then opened in IE. It is actually an Edge vulnerability rather than MHT or IE. And rather bizarrely it seems if you have any other AV than Defender it will block it. I have not read the Wilders article in depth but maybe you could update your coverage on it.

      • #581139 Reply
        CraigS26
        AskWoody Plus

        W10-1809 Up-To-Date …. Hoping Woody-PKC confirms need to do MHTML w/Notepad, too (I did), after the “New RTF files” exercises I found in Control Panel / Choose Default Apps by File Type that MHT showed Notepad BUT MHTML did NOT. …. I [ 1-Left Clk’d ] and Changed it to Notepad that was shown as an alt app.

        The question on Bad Guys getting access thru Explorer Preview Pane needs an answer, too.

        And, IF/When an MSoft – MHT/MHTML – FIX is offered, do we simply reverse the Open With and Re-Associate with IE?

        W10-64 1909 Home / Hm-Stdnt Ofce '16 C2R / HP Envy i5-8400/ 12 GB / 256G SSD + 1 TB HDD / InSpectre #8 = GREEN

        • #617438 Reply
          GoneToPlaid
          AskWoody Plus

          I too associated both .MHT and .MHTML files with EditPad (alternative to Notepad), since both file types basically are the same thing. I will reverse it and set back to IE if MS ever fixes this vulnerability.

          3 users thanked author for this post.
          • #900212 Reply
            mn–
            AskWoody Lounger

            Hm. Is there a reason to set the association back to IE even if this does get fixed?

            And if so, for everyone or just some? I mean, we have those who associate it with a non-network-capable tool, then some who use other browsers, … (and I wouldn’t be very surprised if it turns out that other browsers may also have flaws regarding active content in there, but at least they might be different flaws so malware would have to be rebuilt to a different target… or maybe not as the languages involved are pretty standardized…)

            I mean, we can still use manual file open, can’t we?

          • #926979 Reply
            MyAussie
            AskWoody Plus

            Gone ToPlaid –  Thanks

            I’ve been waiting for someone to answer my question of also doing the .MHTML document! Both of my .MHT and .MHTML are now associated with Notepad. Should you or anyone ever see MS doing a fix please advise. Again THANKS

      • #596077 Reply
        Northwest Rick
        AskWoody Plus

        Simple, highly targeted & slicker’n’snot (as they say in some parts of the country!)  Gracias!

      • #627273 Reply
        Noel Carboni
        AskWoody_MVP

        I see this again and again… How does releasing “Proof Of Concept” code help anyone?

        I don’t know about you but doing the leg work to be the basis of a malware attack seems kind of malicious to me in itself.

        -Noel

        2 users thanked author for this post.
        • #685816 Reply
          Noel Carboni
          AskWoody_MVP

          (I’m speaking of the actions taken by the original discoverers of the exploit… Articles always make it sound like they choose to “up the ante” against the OS maker when they perceive the OS maker isn’t doing enough, quickly enough)

          -Noel

        • #688727 Reply
          DrBonzo
          AskWoody Plus

          It seems to me that most discoverers of security holes are 1) trying to show off how smart they are and/or 2) trying to show how dumb the other software writers are. When the discoverer isn’t given what they consider proper recognition for their discovery they get offended and their retribution is to publish a proof of concept (or similar).

          I’m no fan of Microsoft, but I suspect that they might know more about their software and potential security threats than independent discoverers of security holes.

          1 user thanked author for this post.
      • #690346 Reply
        OscarCP
        AskWoody Plus

        Not only do I agree with Noel Carboni and DrBonzo, I am also very glad to see that someone here shares my long-held opinion that releasing publicly, for all to see, information on how one could exploit an OS vulnerability, whatever the excuse for doing it, is an appalling thing to do.

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

      • #726284 Reply
        Paul T
        AskWoody MVP

        The only way companies change their ways is in response to commercial pressure. Public disclosure of anything you think warrants change is an acceptable form of applying said pressure. In this case, notifying the company in advance is ethical behaviour, public disclosure is the next step.

        cheers, Paul

        1 user thanked author for this post.
        • #846645 Reply
          OscarCP
          AskWoody Plus

          Public disclosure that “there is this serious problem with this product that puts its users at risk of attacks by criminals, but the company that makes and sells it says they won’t do anything about it”, if true, is a “public service”.

          But saying the above and then adding, also in public: “and these are the details of how bad actors can exploit this problem” is not. That should be discussed in communications between security experts, not splashed out for all to see, as it seems to have happened here.

          Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

      • #841603 Reply
        anonymous
        Guest

        Don’t forget to cripple access to .js and .vbs files & many others as well. Just have them opened by default with notepad.

        https://community.webroot.com/webroot-business-endpoint-protection-20/disable-execution-of-script-files-303074

        1 user thanked author for this post.
        • #847426 Reply
          OscarCP
          AskWoody Plus

          Anonymous: Thanks for the heads up!

          I have Webroot SecureAnywhere in a Windows 7 Pro PC and a macOS Mojave Mac, respectively. Unfortunately the article does not seem to apply to either. Perhaps it is relevant only to Windows 10. Or, if to Windows 7, to a different version from Professional, perhaps Enterprise?

          If anyone here knows about how to implement this protection with  SecureAnywhere for Win 7 or macOS (ex OS X), I would sincerely appreciate their giving some relevant details.

          Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

          • #898051 Reply
            phaolo
            AskWoody Lounger

            Hi, for Win7 Pro I found the associations here:
            Control Panel\All Control Panel Items\Default Programs\Set Associations

            1 user thanked author for this post.
          • #899212 Reply
            The Surfing Pensioner
            AskWoody Plus

            In Win 7 Home, it is Start>Control Panel>Default Programs>Set Associations, then follow Steps 2 & 3 in Woody’s advisory. Just a slightly different route.

            1 user thanked author for this post.