  • To block the latest zero day, instead of removing Internet Explorer, just short-circuit access to MHT files


    This topic contains 50 replies, has 23 voices, and was last updated by  MyAussie 3 months, 4 weeks ago.

    • #545287 Reply

      woody
      Da Boss

      It’s pretty easy, if you know the tricks. Step-by-step details coming in Computerworld.
      [See the full post at: To block the latest zero day, instead of removing Internet Explorer, just short-circuit access to MHT files]

    • #546232 Reply

      anonymous

      You could be smart and just 0-Patch it. It’s already been patched for 3 days now:

      https://blog.0patch.com/2019/04/microsoft-edge-uses-secret-trick-and.html

      • #548556 Reply

        woody
        Da Boss

        0patch is great but I just can’t bring myself to recommend (or support) a 3rd-party fix to Windows binaries. See this:

        The 0patch company has a quick patch that you can apply, free, if you’re concerned about getting burned. I’m not going to link to it — I don’t want to take responsibility for 3rd-party patches to Windows — but you can find it quite easily if you’re really interested. That said, 0patch is highly regarded, and has made many useful hotfixes for Windows.

      • #565285 Reply

        anonymous

The 0patch blog states that the patch is only available for fully updated Windows versions. Since we are still at MS-DEFCON 2, most of us won’t be fully updated yet.

        I am on 1809 and am still waiting for the go-ahead. I have 0patch installed, the patches are shown as available in the installed patch list, but not amongst the patchable modules. So I would need to update to the latest Quality Update for it to work.

        • #569305 Reply

          anonymous

          Just to confirm, having just updated to the latest 1809 (I use ESET AV which is apparently unaffected by this update’s issue), the 0patch fix has now cut in and is now appearing in the “patchable modules” list.

    • #546857 Reply

      anonymous

      On my Win7 machine, the steps were slightly different from the Computerworld article.
      Start-Default Programs-Associate a file type or protocol with a program, then click on mht and change it.

      What about mhtml extension – is it also vulnerable, should it also be changed?

      • #555978 Reply

        anonymous

        Thanks for confirming what seemed like a simple and logical block.


    • #547539 Reply

      davinci953
      AskWoody Plus

      <snip>

      What about mhtml extension – is it also vulnerable, should it also be changed?

      I was curious about that extension as well.  For now I just associated the file type with my default browser instead of IE on my Windows 7 system. In reading the article on 0patch, it appears that the exploit works on Windows 10 when using Edge but not Windows 7 with IE only. YMMV.

    • #547864 Reply

      EstherD
      AskWoody Plus

      So this “workaround” for Win7 is fine for a single user machine. But what about machines configured with multiple users? I don’t want to, and in some cases cannot, log in and do the workaround for each user individually. Is there some way to configure these file associations system-wide in one fell swoop?

    • #547842 Reply

      anonymous

      and how to put it back on Windows 10 when MS gets around to fixing it?

    • #548196 Reply

      KarenS
      AskWoody Lounger

I don’t seem to have Notepad.exe on my Windows 7 Home Premium 32-bit laptop, but I do see Microsoft Word at the top next to Internet Explorer when I click on “change program”. Is it okay to use that instead??

      WAIT……when I click on the little arrow next to “other programs” I see Notepad……IS that what I am looking for??

      Thanks!

      2 users thanked author for this post.
      • #548445 Reply

        PKCano
        Da Boss

        Notepad is under Start>All Programs>Accessories

        1 user thanked author for this post.
      • #548819 Reply

        woody
        Da Boss

        Yep. That works, too. I shoulda caught that one!

        1 user thanked author for this post.
      • #552405 Reply

        EstherD
        AskWoody Plus

        Was doing this on a per-user basis by clicking “Browse” and then following the Yellow Brick Road to C:\Windows\Notepad. Clicking the disclosure triangle in “Other Programs” definitely speeds up the process considerably. Thanks, Karen!

    • #548055 Reply

      anonymous

      I’ve delinked the MHT & MHTML file associations & handling from Internet Explorer on my Win 7 SP1. So when such files are clicked, there is a popup asking which program I wish to use to open the file.

      That being said, if Windows Explorer’s preview pane is enabled, selecting a MHT/MHTML will result in its contents being displayed in the preview pane.

      I assume Windows Explorer & its preview pane are intimately powered by (or entangled with) Internet Explorer — or at least that’s my impression from countless warnings to keep Internet Explorer patched, whether one explicitly uses it or not.

As such, can the zero-day MHT/MHTML security vulnerability be exploited via Windows Explorer’s preview pane — or even when a malicious MHT/MHTML file is merely selected in Windows Explorer with the preview pane disabled? If yes, what is the remedy?

    • #548269 Reply

      anonymous

      I also changed mhtml to notepad. Not sure if that will cause any problems but I wanted to be safe.

      I had a LOL moment following your directions so closely. Your sequence seemed off until I remembered my computer defaults to control panel> all control panel items.

    • #549301 Reply

      Charlie
      AskWoody Plus

      We are all assuming that MHT/MHTML files cannot do any damage when directed to be run with Notepad.  Are we absolutely sure about that?  I’d rather direct them to the Recycle Bin if that was possible.

      Win 7 Home Premium, x64, Intel i3-2120 3.3GHz, Groups B & L

      • #556357 Reply

        anonymous

        Happy to be corrected but my logic is htm with Notepad does not ‘execute’ the file via a browser but only reads the content.

        1 user thanked author for this post.
    • #549640 Reply

      seamonkey420
      AskWoody Lounger

I’ve tracked down a way to possibly programmatically set notepad.exe to open mht and mhtml files. Outlined the assoc and ftype commands w/ registry keys here:

      https://seamonkey420x.blogspot.com/2019/04/programmatically-associating-mht-and.html

IE still shows in the list of apps to open with the first time you open a mht or mhtml file, but notepad is set as the default. 🙂

      hope that helps others that need a fix for a fleet of workstations.

    • #552303 Reply

      EstherD
      AskWoody Plus

      Still looking for a method to apply this workaround system-wide, rather than just per-user. Anyone?


    • #552879 Reply

      OscarCP
      AskWoody Plus

According to davinci953: “In reading the article on 0patch, it appears that the exploit works on Windows 10 when using Edge but not Windows 7 with IE only. YMMV.”

      Could this be true about Windows 7 with IE11? Reading other comments here, this does not seem to be the case, but I rather ask a question that looks to have an obvious answer, when something important, such as a 0-day vulnerability, is the relevant issue and I want to double-check the information I have about it.

      You would be surprised how often I’ve had useful and not at all obvious answers this way.

    • #552608 Reply

      anonymous

      Thanks! Worked just as advertised. A question though.

      I have a Microsoft account. Will this “fix” carry over for all of my computers using the account, or does this work only on the one computer on which I set it up?

      = Ax Kramer

    • #553299 Reply

      anonymous

      In an elevated command window:

      assoc .mht=txtfile

If set as admin, it seems to carry over to a newly created account on both Win7 and Win10.

      Anyone want to confirm?

      Cheers.
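The one-liner above (`assoc .mht=txtfile`) is the machine-wide version of the Default Programs clicking described earlier in this thread, and it also answers the earlier question about doing this in one fell swoop for multi-user machines. The script below is an added example, not code from this thread or from the Computerworld article: it does the same thing for a list of extensions through the registry, saves what each extension pointed at first so it can be put back once Microsoft ships a fix, refuses to proceed unless the target ProgId really launches Notepad, and then reports the per-user override that can silently win over the machine setting. It goes a little beyond the post: the extension list is a parameter, so the later suggestion in this thread to do the same for `.js` and `.vbs` uses the same mechanism. Assumptions: Windows PowerShell 5.1 on Windows 7 SP1 or Windows 10, run elevated; `txtfile` is the stock Notepad ProgId; the backup location under `%ProgramData%` is our own choice.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread or the Computerworld article).
# Machine-wide equivalent of "assoc .mht=txtfile" for several extensions,
# with a backup for later restore and a check for per-user overrides.
param(
    [string[]]$Extensions = @('.mht', '.mhtml'),   # add '.js', '.vbs' to cover scripts too
    [string]$TargetProgId = 'txtfile',             # stock Notepad handler, same as assoc uses
    [switch]$Restore                               # put the saved ProgIds back
)

$Classes   = 'HKLM:\SOFTWARE\Classes'   # what HKCR\.mht resolves to when no HKCU entry exists
$FileExts  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts'
$BackupDir = Join-Path $env:ProgramData 'MhtAssocBackup'   # hypothetical location, our choice
$Backup    = Join-Path $BackupDir 'original-progids.json'

function Get-MachineProgId([string]$Ext) {
    $key = Join-Path $Classes $Ext
    if (Test-Path $key) { (Get-Item $key).GetValue('') } else { $null }
}

function Get-UserChoiceProgId([string]$Ext) {
    # Per-user "Default Programs" choice; when present Explorer uses it
    # instead of the HKLM\Classes default set below.
    $key = Join-Path $FileExts "$Ext\UserChoice"
    if (Test-Path $key) { (Get-Item $key).GetValue('ProgId') } else { $null }
}

function Get-OpenCommand([string]$ProgId) {
    $key = Join-Path $Classes "$ProgId\shell\open\command"
    if (Test-Path $key) { (Get-Item $key).GetValue('') } else { $null }
}

# Refuse to point files at a ProgId that does not actually launch Notepad.
$cmd = Get-OpenCommand $TargetProgId
if (-not $cmd -or $cmd -notmatch 'notepad\.exe') {
    throw "ProgId '$TargetProgId' does not open with Notepad (command: '$cmd'); aborting."
}

if ($Restore) {
    if (-not (Test-Path $Backup)) { throw "No backup at $Backup; nothing to restore." }
    $saved = Get-Content $Backup -Raw | ConvertFrom-Json
    foreach ($p in $saved.PSObject.Properties) {
        $key = Join-Path $Classes $p.Name
        if ($p.Value) { Set-Item -Path $key -Value $p.Value }
        else { Remove-ItemProperty -Path $key -Name '(default)' -ErrorAction SilentlyContinue }
        Write-Host ("{0,-8} restored to '{1}'" -f $p.Name, $p.Value)
    }
    return
}

# Record what each extension pointed at before touching it (first run only),
# so -Restore can undo this once a real fix is installed.
if (-not (Test-Path $Backup)) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $orig = @{}
    foreach ($ext in $Extensions) { $orig[$ext] = Get-MachineProgId $ext }
    $orig | ConvertTo-Json | Set-Content $Backup
}

foreach ($ext in $Extensions) {
    $key = Join-Path $Classes $ext
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-Item -Path $key -Value $TargetProgId      # same effect as: assoc .mht=txtfile

    $line = "{0,-8} machine default = {1}" -f $ext, (Get-MachineProgId $ext)
    $user = Get-UserChoiceProgId $ext
    if ($user -and $user -ne $TargetProgId) {
        # This user picked (or let IE re-assert) a different handler; that choice
        # wins over the machine default until it is changed in Default Programs.
        $line += "  WARNING: current user's UserChoice = $user overrides it"
    }
    Write-Host $line
}
```

Run it once elevated; run it again after opening Internet Explorer, since the "make IE your default browser" prompt described later in this thread can write exactly the per-user override the WARNING line reports. On Windows 10 that UserChoice key is hash-protected, so clear it through that user's Default Apps page rather than from the script; on Windows 7 the Set Associations dialog does the same job. The script changes only what a double-click launches; the questions raised in this thread about the Explorer preview pane and about renamed files are not addressed by it.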

    • #555261 Reply

      MyAussie
      AskWoody Plus

      Having followed the instructions my “MHT File” is now directed to notepad, etc.

      Instructions were spot on!     THANKS

      Should this fix also be done for MHTML Document to be directed to Notepad?


      Win 7 Home, X64, SP1, Group B


      Edited for HTML. Please use Text tab for copy/paste.

      1 user thanked author for this post.
    • #555764 Reply

      KarenS
      AskWoody Lounger

      A question was asked earlier by someone but it has not been answered…..Is it advised that we follow the same procedure for mhtml files as we do for mht files?

      3 users thanked author for this post.
    • #556238 Reply

      davinci953
      AskWoody Plus

      According to davinci953: ” In reading the article on 0patch, it appears that the exploit works on Windows 10 when using Edge but not Windows 7 with IE only. YMMV. ” Could this be true about Windows 7 with IE11? Reading other comments here, this does not seem to be the case, but I rather ask a question that looks to have an obvious answer, when something important, such as a 0-day vulnerability, is the relevant issue and I want to double-check the information I have about it. You would be surprised how often I’ve had useful and not at all obvious answers this way.

      Read the 0patch article that ‘anonymous’ links to above. That was my interpretation from the article. I guess the validity of the findings depends on how accurate their analysis is about the exploit. I still changed the file associations. Better safe than sorry until MS gets it sorted out.

      • #557377 Reply

        OscarCP
        AskWoody Plus

        davinci953:

I have found a link in one of the several “anonymous” entries above ours, which might be the one you were referring to, and in the article there the interaction of Edge and IE11 was discussed, the bottom line, as I understand it, being that one might have a vulnerability if one has both Edge and IE11 installed:

“See the irony here? An undocumented security feature used by Edge neutralized an existing, undoubtedly much more important feature (mark-of-the-web) in Internet Explorer.

        This is clearly a significant security issue, especially since the attack can be further improved from what was originally demonstrated. We have found that:

        1. the malicious MHT file doesn’t have to be downloaded and manually opened by the user – just opening it directly from Edge can be made to work as well;
        2. the exploit can be enhanced so that it works more silently, and extracts many local files using a single MHT file.

On the upside, only Edge users are at risk. No other leading web browsers and email clients we’ve tested are using the undocumented security flag on the downloaded files, which effectively blocks the exploit.”

        I have Windows 7 Pro, x64 SP1, and these browsers: IE11, Chrome, FireFox and Waterfox. No Edge anywhere to be found, and that is how I intend to keep it until I breathe my last.

        So I am thinking that the problem, if I understand correctly the excerpt of the article I’ve copied above, is for people that, for whatever arcane reason of theirs, have Edge in Windows 7. So: not for me.

        Anybody here knows otherwise?

Also, davinci953 has had what might be a good idea: to associate MHT (and MHTML?) to the default browser, rather than to Notepad, assuming this default is not IE11 (if yours is, then make another browser your default one ASAP!).

        Anybody here thinks that is not such a good idea?


    • #559332 Reply

      gkarasik
      AskWoody Lounger

      I ran into a wrinkle: After changing the .MHT file association to Notepad, the next time I opened IE11 (Win7 Ent 32-bit), IE asked if I wanted to make IE my default browser. When I said Yes, the .MHT association was changed back to Internet Explorer. I then went to IE Options, Programs, and unchecked “Tell me if Internet Explorer is not the default option” and then reset the .MHT association to Notepad, after which starting IE no longer changed the association back to IE.

      GaryK

      2 users thanked author for this post.
    • #564165 Reply

      anonymous

The difference (and why I would recommend it) is that you can apply it temporarily if need be until Microsoft patches it.

      If you feel you can wait that long, then how important was it to you in the first place?

    • #565453 Reply

      anonymous

      If a malicious .mht file is renamed to .htm and opened in Internet Explorer, would it still be treated as a .mht file? If so then wouldn’t that break/defeat the fix presented here?

      1 user thanked author for this post.
      • #566719 Reply

        gkarasik
        AskWoody Lounger

        “If a malicious .mht file is renamed to .htm and opened in Internet Explorer, would it still be treated as a .mht file? If so then wouldn’t that break/defeat the fix presented here?”

        Oops.

        GaryK

    • #573005 Reply

      honx
      AskWoody Lounger

Thx for the advice. On Windows 7 I linked both .mht and .mhtml to notepad.exe, to be on the safe side. The Windows 8.1 notebook I won’t power on anymore until the next DEFCON 3 or greater state here on AskWoody, so I did nothing on 8.1 as I assume this 0day will be fixed once the April IE patch is clear to install…

      PC: Windows 7 Ultimate, 64bit, Group B
      Notebook: Windows 8.1, 64bit, Group B

    • #574070 Reply

      davews
      AskWoody Plus

      I use MHT extensively here for local archive purposes. I open them from PaleMoon with the MozArchiver extension which also works with Firefox. The original version of Opera opened them natively. It is not exclusively an IE format. I do not use IE, full stop, and the default on my machines to open MHT is PaleMoon.

      Again we have Woody coming up with rash suggestions without knowing the full facts, just as he did with the WinRar ACE issue. I would normally support what he says but now I am not so sure.


      • #586640 Reply

        Paul T
        AskWoody MVP

        From the headline of Woody’s CW article. The bolding is mine.

        It turns out there’s a much simpler way to fix the problem, as long as you don’t rely on MHT files

        cheers, Paul

        1 user thanked author for this post.
      • #609487 Reply

        davews
        AskWoody Plus

        Woody, see https://www.wilderssecurity.com/threads/internet-explorer-zero-day-lets-hackers-steal-files-from-windows-pcs.415558/

It is a bit more involved than you suggest. Vulnerable files have to be downloaded via Edge and then opened in IE. It is actually an Edge vulnerability rather than MHT or IE. And rather bizarrely it seems if you have any other AV than Defender it will block it. I have not read the Wilders article in depth but maybe you could update your coverage on it.

    • #581139 Reply

      CraigS26
      AskWoody Plus

      W10-1809 Up-To-Date …. Hoping Woody-PKC confirms need to do MHTML w/Notepad, too (I did), after the “New RTF files” exercises I found in Control Panel / Choose Default Apps by File Type that MHT showed Notepad BUT MHTML did NOT. …. I [ 1-Left Clk’d ] and Changed it to Notepad that was shown as an alt app.

      The question on Bad Guys getting access thru Explorer Preview Pane needs an answer, too.

      And, IF/When an MSoft – MHT/MHTML – FIX is offered, do we simply reverse the Open With and Re-Associate with IE?

      W10 1903-18362.267 Home / Hm-Stdnt Ofce '16 C2R / i5-8400/ 12 GB / 256 SSD + 1 TB HDD / InSpectre = GREEN

      • #617438 Reply

        GoneToPlaid
        AskWoody Plus

        I too associated both .MHT and .MHTML files with EditPad (alternative to Notepad), since both file types basically are the same thing. I will reverse it and set back to IE if MS ever fixes this vulnerability.

        3 users thanked author for this post.
        • #900212 Reply

          mn–
          AskWoody Lounger

          Hm. Is there a reason to set the association back to IE even if this does get fixed?

And if so, for everyone or just some? I mean, we have those who associate it with a non-network-capable tool, then some who use other browsers, … (and I wouldn’t be very surprised if it turns out that other browsers may also have flaws regarding active content in there, but at least they might be different flaws so malware would have to be rebuilt to a different target… or maybe not as the languages involved are pretty standardized…)

          I mean, we can still use manual file open, can’t we?

        • #926979 Reply

          MyAussie
          AskWoody Plus

          Gone ToPlaid –  Thanks

          I’ve been waiting for someone to answer my question of also doing the .MHTML document! Both of my .MHT and .MHTML are now associated with Notepad. Should you or anyone ever see MS doing a fix please advise. Again THANKS

    • #596077 Reply

      Northwest Rick
      AskWoody Lounger

      Simple, highly targeted & slicker’n’snot (as they say in some parts of the country!)  Gracias!

    • #627273 Reply

      Noel Carboni
      AskWoody_MVP

      I see this again and again… How does releasing “Proof Of Concept” code help anyone?

      I don’t know about you but doing the leg work to be the basis of a malware attack seems kind of malicious to me in itself.

      -Noel

      2 users thanked author for this post.
      • #685816 Reply

        Noel Carboni
        AskWoody_MVP

        (I’m speaking of the actions taken by the original discoverers of the exploit… Articles always make it sound like they choose to “up the ante” against the OS maker when they perceive the OS maker isn’t doing enough, quickly enough)

        -Noel

      • #688727 Reply

        DrBonzo
        AskWoody Lounger

        It seems to me that most discoverers of security holes are 1) trying to show off how smart they are and/or 2) trying to show how dumb the other software writers are. When the discoverer isn’t given what they consider proper recognition for their discovery they get offended and their retribution is to publish a proof of concept (or similar).

        I’m no fan of Microsoft, but I suspect that they might know more about their software and potential security threats than independent discoverers of security holes.

        1 user thanked author for this post.
    • #690346 Reply

      OscarCP
      AskWoody Plus

Not only do I agree with Noel Carboni and DrBonzo, I am also very glad to see that someone here shares my long-held opinion that releasing publicly, for all to see, information on how one could exploit an OS vulnerability, whatever the excuse for doing it, is an appalling thing to do.

    • #726284 Reply

      Paul T
      AskWoody MVP

      The only way companies change their ways is in response to commercial pressure. Public disclosure of anything you think warrants change is an acceptable form of applying said pressure. In this case, notifying the company in advance is ethical behaviour, public disclosure is the next step.

      cheers, Paul

      1 user thanked author for this post.
      • #846645 Reply

        OscarCP
        AskWoody Plus

Public disclosure that “there is this serious problem with this product that puts its users at risk of attacks by criminals, but the company that makes and sells it says they won’t do anything about it”, if true, is a “public service”.

But saying the above and then adding, also in public: “and these are the details of how bad actors can exploit this problem” is not. That should be discussed in communications between security experts, not splashed out for all to see, as it seems to have happened here.

    • #841603 Reply

      anonymous

      Don’t forget to cripple access to .js and .vbs files & many others as well. Just have them opened by default with notepad.

      https://community.webroot.com/webroot-business-endpoint-protection-20/disable-execution-of-script-files-303074

      1 user thanked author for this post.
      • #847426 Reply

        OscarCP
        AskWoody Plus

        Anonymous: Thanks for the heads up!

        I have Webroot SecureAnywhere in a Windows 7 Pro PC and a macOS Mojave Mac, respectively. Unfortunately the article does not seem to apply to either. Perhaps it is relevant only to Windows 10. Or, if to Windows 7, to a different version from Professional, perhaps Enterprise?

        If anyone here knows about how to implement this protection with  SecureAnywhere for Win 7 or macOS (ex OS X), I would sincerely appreciate their giving some relevant details.

        • #898051 Reply

          phaolo
          AskWoody Lounger

          Hi, for Win7 Pro I found the associations here:
          Control Panel\All Control Panel Items\Default Programs\Set Associations

          1 user thanked author for this post.
        • #899212 Reply

          The Surfing Pensioner
          AskWoody Plus

          In Win 7 Home, it is Start>Control Panel>Default Programs>Set Associations, then follow Steps 2 & 3 in Woody’s advisory. Just a slightly different route.

          1 user thanked author for this post.
