{"id":15127,"date":"2019-04-18T10:30:17","date_gmt":"2019-04-18T18:30:17","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/04\/18\/news-8876\/"},"modified":"2019-04-18T10:30:17","modified_gmt":"2019-04-18T18:30:17","slug":"news-8876","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/04\/18\/news-8876\/","title":{"rendered":"Here&#039;s an easier way to block the IE XXE zero day security hole"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2018\/02\/rescue_diagnose_fix_patch_update_laptop_thinkstock_185931513-100749650-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Thu, 18 Apr 2019 09:57:00 -0700<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">The latest Internet Explorer XXE zero-day depends on you opening an infected MHT file. MHT is an old file format that\u2019s almost always opened by IE \u2014 no matter which browser you\u2019re using, no matter which version of Windows. Catalin Cimpanu has a good overview of this XXE vulnerability<\/span><a href=\"https:\/\/www.zdnet.com\/article\/internet-explorer-zero-day-lets-hackers-steal-files-from-windows-pcs\/\" rel=\"nofollow noopener\" target=\"_blank\"> <span style=\"font-weight: 400;\">on ZDNet<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It\u2019s a doozy of a security hole: it affects every recent version of IE, and it can be triggered whether you\u2019re actively browsing with IE or not, because Windows hands MHT files to IE by default.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">When you download files from the internet, they\u2019re marked \u2014 the \u201cMark-Of-The-Web\u201d \u2014 to tell programs that special care is required when opening them (on NTFS the mark is a Zone.Identifier alternate data stream attached to the file). Thus, if you download an infected MHT file, IE will know that it needs to open the MHT file with caution (at \u201clow integrity,\u201d in a sandbox). 
That severely limits this exploit\u2019s reach.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">There\u2019s a lot of controversy about how bad this XXE hole really is. There have been numerous XXE holes discovered in the past; they\u2019re used to pull files off your machine and send them to the bad guys. Microsoft figured this one isn\u2019t all that bad, in part because of the MOTW mechanism and in part because the creep has to know the name and location of the file they want to purloin. The folks who discovered this particular hole aren\u2019t so sanguine. They responded to Microsoft\u2019s snub last week by releasing details,<\/span><a href=\"http:\/\/hyp3rlinx.altervista.org\/advisories\/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt\" rel=\"nofollow noopener\" target=\"_blank\"> <span style=\"font-weight: 400;\">proof of concept code<\/span><\/a><span style=\"font-weight: 400;\">, and even a video.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Yesterday, Mitja Kolsek at 0patch<\/span><a href=\"https:\/\/blog.0patch.com\/2019\/04\/microsoft-edge-uses-secret-trick-and.html\" rel=\"nofollow noopener\" target=\"_blank\"> <span style=\"font-weight: 400;\">revealed something disconcerting<\/span><\/a><span style=\"font-weight: 400;\">. If you use Edge to download an infected MHT file, Internet Explorer will open it like any other file. Says Kolsek:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Does Edge not put the mark-of-the-web on downloaded files, or does it do it differently and somehow confuses Internet Explorer? That would be a serious flaw.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">He goes on to explain how Edge changes the permissions on downloaded files and, thus, why IE will open the infected MHT file as if it had no Mark-Of-The-Web.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It&#8217;s fascinating stuff if you\u2019re into this kind of thing. 
Ionut Ilascu has a<\/span><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-edge-file-permissions-clash-with-ie-allow-xxe-attacks\/\" rel=\"nofollow noopener\" target=\"_blank\"> <span style=\"font-weight: 400;\">synopsis on BleepingComputer<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Because of this XXE zero-day, many people recommend that you disable Internet Explorer entirely. While I\u2019m very much in favor of avoiding IE at all costs, disabling it is <\/span><a href=\"https:\/\/support.microsoft.com\/en-us\/help\/4013567\/how-to-disable-internet-explorer-on-windows\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">a rather painful procedure<\/span><\/a><span style=\"font-weight: 400;\"> that could have unintended consequences. It&#8217;s far better, in my opinion, to re-wire Windows so it doesn\u2019t use IE to handle MHT files.<\/span><\/p>\n<p><em><span style=\"font-weight: 400;\">Warning: If you need to use MHT files, don\u2019t do this. <\/span><\/em><\/p>\n<p><span style=\"font-weight: 400;\">Here\u2019s an easy way to disassociate Internet Explorer from MHT in Win10 (thx, <\/span><a href=\"https:\/\/www.askwoody.com\/forums\/topic\/that-internet-explorer-xxe-zero-day-poking-through-to-edge\/#post-541656\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">MikeMc<\/span><\/a><span style=\"font-weight: 400;\">):<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Step 1: Make sure filename extensions are showing. Click on File Explorer (the icon at the bottom that looks like a file folder), then at the top click View. Make sure the box marked File name extensions is checked.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Step 2: Right-click an empty spot on your desktop and choose File &gt; New &gt; Rich Text Format (actually, any kind of file will work). 
Windows puts a new file of that type on your desktop, with the name already highlighted so you can change it.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Step 3: Rename the file to wow.mht or anythingelse.mht. Make sure you\u2019ve deleted all of the old filename, including the part to the right of the period. Hit enter. Windows will nag you about changing file name extensions. Click Yes, thank you, Mother Microsoft.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Step 4: Right-click on the newly created mht file and click Open with\u2026 (see the screenshot below).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">[Screenshot] Changing file name extensions is part of the solution to fending off the IE XXE zero-day hole in Windows.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Step 5: Click More apps, then Notepad (or some equally innocuous program), check the box marked Always use this app to open .mht files, and click OK.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Step 6: Test by double-clicking your desktop MHT file. It should open in Notepad, not in Internet Explorer.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Don\u2019t even bother trying to confirm if the change was made in the Windows Apps Settings file types pane (Start &gt; Settings &gt; Apps &gt; Choose default apps by file type &gt; mht). It\u2019s broken, and has been for years.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">As usual, a simple change that\u2019s painfully obtuse and buggy in Windows 10 is very straightforward in Win7 and 8.1. Here\u2019s how:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Step 1: Click Start &gt; Control Panel &gt; Programs and under Default Programs click Make a file type always open in a specific program.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Step 2: On the left, scroll down to .mht. See how it\u2019s associated with Internet Explorer? 
Click on mht and click Change program\u2026 Windows shows you a pane that\u2019s marked Open with.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Step 3: On the lower right, click Browse, navigate to c:\\Windows\\System32, scroll way down, click on Notepad.exe and click Open.\u00a0<\/span><span style=\"font-weight: 400;\">Click OK.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">From that point on, any .mht file will open in Notepad, so IE never parses it and the exploit has nothing to trigger. Repeat the same steps for .mhtml, which Windows maps to the same Internet Explorer handler.<\/span><\/p>\n<p><i><span style=\"font-weight: 400;\">Questions about the method? Hit us on the <\/span><\/i><a href=\"https:\/\/www.askwoody.com\/2019\/to-block-the-latest-zero-day-instead-of-removing-internet-explorer-just-short-circuit-access-to-mht-files\/\" rel=\"nofollow\"><i><span style=\"font-weight: 400;\">AskWoody Lounge<\/span><\/i><\/a><i><span style=\"font-weight: 400;\">.<\/span><\/i><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3390200\/heres-an-easier-way-to-block-the-ie-xxe-zero-day-security-hole.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2018\/02\/rescue_diagnose_fix_patch_update_laptop_thinkstock_185931513-100749650-large.3x2.jpg\"\/><\/p>\n<p><strong>Credit to Author: Woody Leonhard| Date: Thu, 18 Apr 2019 09:57:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p><span style=\"font-weight: 400;\">The latest Internet Explorer XXE zero-day depends on you opening an infected MHT file. MHT is an old file format that\u2019s almost always opened by IE \u2014 no matter which browser you\u2019re using, no matter which version of Windows. 
Catalin Cimpanu has a good overview of this XXE vulnerability<\/span><a href=\"https:\/\/www.zdnet.com\/article\/internet-explorer-zero-day-lets-hackers-steal-files-from-windows-pcs\/\" rel=\"nofollow noopener\" target=\"_blank\"> <span style=\"font-weight: 400;\">on ZDNet<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It\u2019s a doozy of a security hole as it affects every recent version of IE, and it infects whether you\u2019re actively browsing with IE or not.<\/span><\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3390200\/heres-an-easier-way-to-block-the-ie-xxe-zero-day-security-hole.html#jump\">To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10516,13764,714,10525],"class_list":["post-15127","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-microsoft","tag-pcs","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15127","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15127"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15127\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=1
5127"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15127"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15127"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
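The MHT re-association procedure the article walks through by hand (the Windows 10 Open with steps and the Win7/8.1 Default Programs steps), as an added PowerShell example that is not code from the article or its author. It registers a per-user handler for .mht and .mhtml that launches Notepad, flags the Windows 10 UserChoice case where the GUI dialog is still required, prints what Windows will actually launch, and shows how to inspect the Mark-of-the-Web stream the article describes. The ProgId name InertMhtFile, the sample file name and the sample MHT contents are assumptions made for this example.

```powershell
# Added example, not code from the article or its author.
# Re-points .mht and .mhtml from Internet Explorer to Notepad for the current user,
# reports the Windows 10 UserChoice caveat, and shows how to inspect the Mark-of-the-Web.
# Assumed names: the ProgId 'InertMhtFile', the sample file name and its contents.

$Extensions = '.mht', '.mhtml'        # .mhtml shares IE's mhtmlfile handler with .mht
$ProgId     = 'InertMhtFile'          # hypothetical per-user ProgId chosen for this example
$Notepad    = Join-Path $env:SystemRoot 'System32\notepad.exe'

function Set-InertMhtHandler {
    # HKCU\Software\Classes overlays HKLM\Software\Classes in the merged HKCR view,
    # so a per-user ProgId overrides the machine-wide IE association without admin rights.
    $classes = 'HKCU:\Software\Classes'
    New-Item -Path "$classes\$ProgId\shell\open\command" -Force | Out-Null
    Set-ItemProperty -Path "$classes\$ProgId" -Name '(default)' -Value 'MHT file (opens in Notepad)'
    Set-ItemProperty -Path "$classes\$ProgId\shell\open\command" -Name '(default)' -Value "`"$Notepad`" `"%1`""
    foreach ($ext in $Extensions) {
        New-Item -Path "$classes\$ext" -Force | Out-Null
        Set-ItemProperty -Path "$classes\$ext" -Name '(default)' -Value $ProgId
    }
}

function Test-UserChoiceOverride {
    # Windows 8 and later consult this key first and validate its Hash value, so a
    # scripted ProgId written here is ignored. If the key exists, the Open with... dialog
    # (the article's Steps 4 and 5) is the supported way to change the handler.
    foreach ($ext in $Extensions) {
        $uc = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
        if (Test-Path $uc) {
            $chosen = (Get-ItemProperty -Path $uc).ProgId
            Write-Warning "$ext has a UserChoice entry ($chosen) that takes precedence; change it via Open with..."
        }
    }
}

function Show-EffectiveHandler {
    # assoc/ftype read the merged HKCR view, which is what Win7/8.1 (and Win10 without
    # a UserChoice entry) will actually launch for the extension.
    foreach ($ext in $Extensions) { cmd /c "assoc $ext" }
    cmd /c "ftype $ProgId"
}

function Show-MarkOfTheWeb {
    # Constructed test file: a minimal MHT body plus the Zone.Identifier stream a browser
    # download would carry (ZoneId=3 is the Internet zone). This is not a real download.
    $sample = Join-Path $env:TEMP 'motw-sample.mht'
    Set-Content -Path $sample -Value "MIME-Version: 1.0`r`nContent-Type: text/html`r`n`r`n<html>sample</html>"
    Set-Content -Path $sample -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
    Get-Content -Path $sample -Stream 'Zone.Identifier'          # prints [ZoneTransfer] and ZoneId=3
    # Run the same two commands against a file downloaded with Edge: a missing stream or a
    # different ACL is the condition under which IE skips its low-integrity handling.
    (Get-Acl -Path $sample).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
    return $sample
}

Set-InertMhtHandler
Test-UserChoiceOverride
Show-EffectiveHandler
$file = Show-MarkOfTheWeb
# Start-Process $file   # should now open Notepad, not Internet Explorer
```

Run it in the session of the user whose associations you want to change; nothing here needs elevation. If Test-UserChoiceOverride prints a warning, the registry change alone will not take effect for that extension on Windows 10 and you still need the article's Open with dialog for it. The Zone.Identifier check is what tells you whether a given download carries the Mark-of-the-Web at all, which is the property the Edge/IE mismatch in the article turns on.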