News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon

Blog Archives

  • That Internet Explorer XXE zero day poking through to Edge

    Posted on April 18th, 2019 at 07:51 woody Comment on the AskWoody Lounge

    I’ve been slammed for the past few days, and haven’t kept you folks apprised of the latest Internet Explorer 0day.

    It depends on you opening an infect MHT file. MHT is an old file format that’s almost always opened by IE — no matter which browser you’re using, no matter which version of Windows. Catalin Cimpanu has a good overview of this XXE vulnerability on ZDNet.

    It’s a doozy of security hole as it affects every recent version of IE, and it infects whether you’re actively browsing with IE or not.

    When you download files from the internet, they’re marked — the “Mark-Of-The-Web” — to tell programs that special care is required when opening the files. Thus, if you download an infected MHT file, IE will know that it needs to open the MHT file with caution (at “low integrity,” in a sandbox). That severely limits this exploit’s reach.

    There’s a lot of controversy about how bad this XXE hole really is. There have been lots of XXE holes discovered in the past. They’re used to pull files off your machine and send them to the bad guys. Microsoft figured this one isn’t all that bad, in part because of the MOTW mechanism. The folks who discovered this particular hole aren’t so sanguine. They responded to Microsoft’s snub last week by releasing details, proof of concept code, and even a video.

    Yesterday, Mitja Kolsek at 0patch revealed something disconcerting. If you use Edge to download an infected MHT file, Internet Explorer will open it like any other file. Says Kolsek:

    Does Edge not put the mark-of-the-web on downloaded files, or does it do it differently and somehow confuses Internet Explorer? That would be a serious flaw.

    He goes on to explain how Edge changes the permissions on downloaded files and, thus, why IE will open the infected MHT file as if it had no Mark-Of-The-Web.

    All fascinating stuff if you’re into this kind of thing. Ionut Ilascu has a synopsis on BleepingComputer.

    The 0patch company has a quick patch that you can apply, free, if you’re concerned about getting burned. I’m not going to link to it — I don’t want to take responsibility for 3rd-party patches to Windows — but you can find it quite easily if you’re really interested. That said, 0patch is highly regarded, and has made many useful hotfixes for Windows.

    What to do? That’s easy. Don’t open MHT files. And don’t use IE.

    Thx to @Alex5723 and others who have been posting about this problem while I’m off doing other things…..

    Let’s see if I get a definitive answer from this:

    UPDATE: @mkolsek, who published the report yesterday, confirms that reassigning the default handler for MHT files breaks the attack. He tested it. I’ll write this up.

  • A beta version of the new Chromium-based Edge is available for testers

    Posted on April 8th, 2019 at 11:05 woody Comment on the AskWoody Lounge

    But only for testers.

    Mehedi Hassan has a good overview on Thurrott.com.

    I think it’s great that the world’s moving to a “standard” browser rendering engine. But it’s hard to imagine this move will make much of a dent in Edge’s adoption rate.

  • Woody’s Windows Watch: Dispatches from the browser-war’s front lines

    Posted on February 18th, 2019 at 05:38 woody Comment on the AskWoody Lounge

    Internet Explorer isn’t a web browser. According to Microsoft, it’s been demoted to a “compatibility solution.”

    Edge has some big fans, very few users — and it’s about to get a heart transplant.

    Chrome’s the crowd pleaser, but one hare-brained idea (recently rescinded) has to give you pause.

    Firefox keeps on foxing, but in terms of usage numbers, it can’t get a break.

    What should you do?

    Out this morning in AskWoody Plus Newsletter 16.6.0. Now available – yes, for free — on AskWoody.

  • Newly acknowledge bug in Edge keeps you from accessing some local pages – if you’ve installed this month’s cumulative updates

    Posted on January 18th, 2019 at 05:36 woody Comment on the AskWoody Lounge

    Ah, the joys of installing the latest patches as soon as they’re available.

    Microsoft has officially acknowledged that this month’s cumulative updates for all versions of Win10 (starting with 1703) have hobbled Edge so it can’t access some fixed-address pages like 192.168.x.x. The pages that seem to be hit most commonly are router admin pages.

    The bug was identified shortly after Patch Tuesday, but it took this long to acknowledge it.

    Details in Computerworld Woody on Windows.

    Thx @gborn

  • Microsoft adopting Chromium for Edge rendering is a big deal — let me count the ways

    Posted on December 8th, 2018 at 13:50 woody Comment on the AskWoody Lounge

    If you’ve been following the “Edge is dead (but it isn’t)” story, you know that Microsoft announced a couple of days ago that they’ll stop developing the EdgeHTML rendering engine, and switch the Edge browser over to using Google’s open-source Chromium under the covers.

    There have been many knowledgeable folks tossing out ideas and opinions, but some of them seem completely unfounded. As you know, I’m more of a “I’m from Missouri show me” kind of guy.

    I come from a state that raises corn and cotton, cockleburs and Democrats, and frothy eloquence neither convinces nor satisfies me. I’m from Missouri, and you have got to show me.

    — Willard Vandiver, 1899

    I’m not really from Missouri, but you get the idea.

    Yesterday there was an interesting “Ask me anything” session on Reddit where Edge Project Manager Kyle Alden makes some startling commitments:

    Existing UWP apps (including PWAs in the Store) will continue to use EdgeHTML/Chakra without interruption. We don’t plan to shim under those with a different engine. We do expect to offer a new WebView that apps can choose to use based on the new rendering engine.

    We expect to provide support for PWAs to be installed directly from the browser (much like with Chrome) in addition to the current Store approach. We’re not ready to go into all the details yet but PWAs behaving like native apps is still an important principle for us so we’ll be looking into the right system integrations to get that right.

    It’s our intention to support existing Chrome extensions.

    To me, that says two important things, which Windows users of every stripe need to understand:

    • UWP apps (formerly “Metro,” and many other names) aren’t going to last much longer. If you had visions of UWP-based Edge, or Office, or just about any app, you need to re-think. Put a fork in Windows anything “in S Mode.” [UPDATE: I’m overstating things here. See @warrenrumak’s comment. We just learned that Edge will become a standard Win32 desktop app, not a UWP app. Microsoft has already said that Office won’t become a UWP app any time soon. You can draw your own line from there.]
    • Even Microsoft now openly believes that Progressive Web Apps — a concept originally developed and pioneered by Google — are the way of the future.

    ‘Tis a brave new world.

  • Edge isn’t dead, it’s just morphing

    Posted on December 6th, 2018 at 13:21 woody Comment on the AskWoody Lounge

    The sky isn’t falling. Although I wish it would.

    Joe Belfiore just posted on the future of Edge:

    Over the next year or so, we’ll be making a technology change that happens “under the hood” for Microsoft Edge, gradually over time, and developed in the open so those of you who are interested can follow along. The key aspects of this evolution in direction are:

    1. We will move to a Chromium-compatible web platform for Microsoft Edge on the desktop. Our intent is to align the Microsoft Edge web platform simultaneously (a) with web standards and (b) with other Chromium-based browsers…

    2. Microsoft Edge will now be delivered and updated for all supported versions of Windows and on a more frequent cadence. We also expect this work to enable us to bring Microsoft Edge to other platforms like macOS…  we will evolve the browser code more broadly, so that our distribution model offers an updated Microsoft Edge experience + platform across all supported versions of Windows, while still maintaining the benefits of the browser’s close integration with Windows.

    No explicit promise to unhook Edge updates from Windows — so it becomes independently updatable, like a UWP app. But it’s hard to imagine Windows being delivered “on a more frequent cadence.”

  • Zac Bowden: Microsoft is throwing in the towel on Edge, replacing it with a new browser based on Chromium

    Posted on December 3rd, 2018 at 20:00 woody Comment on the AskWoody Lounge

    If true, this is amazing news.

    Zac Bowden, Windows Central:

    Microsoft is throwing in the towel with EdgeHTML and is instead building a new web browser powered by Chromium, a rendering engine first popularized by Google’s Chrome browser. Codenamed Anaheim, this new web browser for Windows 10 will replace Edge as the default browser on the platform.

    Edge has never been anything more than a pimple on the butt of Windows 10. Now, maybe, MS will go with an industry standard web rendering engine and add some worthwhile bells and whistles.

  • Keizer: IE and Firefox catch a break last month

    Posted on December 3rd, 2018 at 08:18 woody Comment on the AskWoody Lounge

    Gregg Keizer has his usual excellent analysis of the monthly browser statistics:

    For the first time since June, Microsoft’s two browsers managed to hold onto their share of the browser market; the same could not be said of Firefox.

    Edge usage share was flat last month, but IE bumped up a little bit. Astounding.

    It’s a dog-eat-dog world. Surprisingly, Firefox is doing very well financially. But Chrome continues to swallow the earth.