• To block the latest zero day, instead of removing Internet Explorer, just short-circuit access to MHT files

    #545287

    It’s pretty easy, if you know the tricks. Step-by-step details coming in Computerworld.
    [See the full post at: To block the latest zero day, instead of removing Internet Explorer, just short-circuit access to MHT files]

    • #546232

      You could be smart and just 0-Patch it. It’s already been patched for 3 days now:

      https://blog.0patch.com/2019/04/microsoft-edge-uses-secret-trick-and.html

      • #548556

        0patch is great but I just can’t bring myself to recommend (or support) a 3rd-party fix to Windows binaries. See this:

        The 0patch company has a quick patch that you can apply, free, if you’re concerned about getting burned. I’m not going to link to it — I don’t want to take responsibility for 3rd-party patches to Windows — but you can find it quite easily if you’re really interested. That said, 0patch is highly regarded, and has made many useful hotfixes for Windows.

      • #565285

        The 0patch blog states that the patch is only available for fully updated windows versions. Since we are still at MS-DEFCON 2, most of us won’t be fully updated yet.

        I am on 1809 and am still waiting for the go-ahead. I have 0patch installed, the patches are shown as available in the installed patch list, but not amongst the patchable modules. So I would need to update to the latest Quality Update for it to work.

        • #569305

          Just to confirm, having just updated to the latest 1809 (I use ESET AV which is apparently unaffected by this update’s issue), the 0patch fix has now cut in and is now appearing in the “patchable modules” list.

    • #546857

      On my Win7 machine, the steps were slightly different from the Computerworld article.
      Start-Default Programs-Associate a file type or protocol with a program, then click on mht and change it.

      What about mhtml extension – is it also vulnerable, should it also be changed?

      • #555978

        Thanks for confirming what seemed like a simple and logical block.


    • #547539

      <snip>

      What about mhtml extension – is it also vulnerable, should it also be changed?

      I was curious about that extension as well.  For now I just associated the file type with my default browser instead of IE on my Windows 7 system. In reading the article on 0patch, it appears that the exploit works on Windows 10 when using Edge but not Windows 7 with IE only. YMMV.

    • #547864

      So this “workaround” for Win7 is fine for a single user machine. But what about machines configured with multiple users? I don’t want to, and in some cases cannot, log in and do the workaround for each user individually. Is there some way to configure these file associations system-wide in one fell swoop?

    • #547842

      and how to put it back on Windows 10 when MS gets around to fixing it?

    • #548196

      I don’t seem to have Notepad.exe on my Windows 7 home premium 32 bit laptop, but I do see Microsoft Word at the top next to Internet Explorer when I click on “change program”. Is it okay to use that instead?

      WAIT……when I click on the little arrow next to “other programs” I see Notepad……IS that what I am looking for??

      Thanks!

      2 users thanked author for this post.
      • #548445

        Notepad is under Start>All Programs>Accessories

        1 user thanked author for this post.
      • #548819

        Yep. That works, too. I shoulda caught that one!

        1 user thanked author for this post.
      • #552405

        Was doing this on a per-user basis by clicking “Browse” and then following the Yellow Brick Road to C:\Windows\Notepad. Clicking the disclosure triangle in “Other Programs” definitely speeds up the process considerably. Thanks, Karen!

    • #548055

      I’ve delinked the MHT & MHTML file associations & handling from Internet Explorer on my Win 7 SP1. So when such files are clicked, there is a popup asking which program I wish to use to open the file.

      That being said, if Windows Explorer’s preview pane is enabled, selecting a MHT/MHTML will result in its contents being displayed in the preview pane.

      I assume Windows Explorer & its preview pane are intimately powered by (or entangled with) Internet Explorer — or at least that’s my impression from countless warnings to keep Internet Explorer patched, whether one explicitly uses it or not.

      As such, can the zero-day MHT/MHTML security vulnerability be exploited via Windows Explorer’s preview pane — or even when a malicious MHT/MHTML file is merely selected in Windows Explorer with the preview pane disabled ? If yes, what is the remedy ?

    • #548269

      I also changed mhtml to notepad. Not sure if that will cause any problems but I wanted to be safe.

      I had a LOL moment following your directions so closely. Your sequence seemed off until I remembered my computer defaults to control panel> all control panel items.

    • #549301

      We are all assuming that MHT/MHTML files cannot do any damage when directed to be run with Notepad.  Are we absolutely sure about that?  I’d rather direct them to the Recycle Bin if that was possible.

      Being 20 something in the 70's was far more fun than being 70 something in the insane 20's
      • #556357

        Happy to be corrected but my logic is htm with Notepad does not ‘execute’ the file via a browser but only reads the content.

        1 user thanked author for this post.
    • #549640

      i’ve tracked down a way to possibly programmatically set notepad.exe to open mht and mhtml files. outlined the assoc and ftype commands w/registry keys here:

      https://seamonkey420x.blogspot.com/2019/04/programmatically-associating-mht-and.html

      IE still shows in list of apps to open with the first time you open a mht or mhtml file but notepad is set as the default. 🙂

      hope that helps others that need a fix for a fleet of workstations.

    • #552303

      Still looking for a method to apply this workaround system-wide, rather than just per-user. Anyone?


    • #552879

      According to davinci953: “In reading the article on 0patch, it appears that the exploit works on Windows 10 when using Edge but not Windows 7 with IE only. YMMV.”

      Could this be true about Windows 7 with IE11? Reading other comments here, this does not seem to be the case, but I rather ask a question that looks to have an obvious answer, when something important, such as a 0-day vulnerability, is the relevant issue and I want to double-check the information I have about it.

      You would be surprised how often I’ve had useful and not at all obvious answers this way.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #552608

      Thanks! Worked just as advertised. A question though.

      I have a Microsoft account. Will this “fix” carry over for all of my computers using the account, or does this work only on the one computer on which I set it up?

      = Ax Kramer

    • #553299

      In an elevated command window:

      assoc .mht=txtfile

      if set as admin seems to carry over to a newly created account on both win7 and win10.

      Anyone want to confirm?

      Cheers.
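The `assoc .mht=txtfile` one-liner above, extended to both extensions (the MHTML question keeps coming up in this thread) with a backup of the previous ProgIDs and a revert path for when a vendor fix lands. This is an added example, not code from the thread, from Computerworld or from AskWoody. It assumes Notepad is registered under the stock `txtfile` ProgID (check with `ftype txtfile`) and that the elevated session can write to `%ProgramData%`; the backup file name is an arbitrary choice.

```batch
@echo off
REM Added example (not from the thread): machine-wide redirection of .mht and .mhtml
REM to Notepad using the built-in assoc command, with a saved copy of the previous
REM associations so the change can be undone once a proper fix is installed.
REM Run from an elevated command prompt:
REM     mht-assoc.cmd          (apply the workaround)
REM     mht-assoc.cmd revert   (restore the saved associations)
REM Assumptions: Notepad is registered under the stock ProgID "txtfile" (verify with
REM "ftype txtfile"); %ProgramData% is writable by the elevated session; the backup
REM file name is arbitrary.
setlocal
set "EXTS=.mht .mhtml"
set "BACKUP=%ProgramData%\mht-assoc-backup.txt"

if /i "%~1"=="revert" goto :revert

echo === Associations before ===
for %%E in (%EXTS%) do assoc %%E

REM Save the current machine-wide ProgID of each extension. assoc prints one
REM ".ext=ProgID" line per extension, which is exactly the syntax assoc accepts
REM back, so the backup can be replayed verbatim on revert.
if exist "%BACKUP%" (
    echo Backup already exists at "%BACKUP%", not overwriting it.
) else (
    for %%E in (%EXTS%) do assoc %%E >> "%BACKUP%" 2>nul
)

echo === Redirecting both extensions to txtfile ===
for %%E in (%EXTS%) do assoc %%E=txtfile

echo === Associations after ===
for %%E in (%EXTS%) do assoc %%E
REM Show what txtfile actually launches, so the reader can confirm it is Notepad.
ftype txtfile
goto :eof

:revert
if not exist "%BACKUP%" (
    echo No backup found at "%BACKUP%"; nothing to restore.
    exit /b 1
)
REM Replay each saved ".ext=ProgID" line through assoc to restore it.
for /f "usebackq delims=" %%L in ("%BACKUP%") do assoc %%L
del "%BACKUP%"
echo === Associations after revert ===
for %%E in (%EXTS%) do assoc %%E
```

Two caveats a practitioner should check before relying on this fleet-wide. First, `assoc` only reads and writes the machine-wide `HKEY_CLASSES_ROOT\.mht` default; a per-user choice stored under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice` takes precedence for that user, which is consistent with the report further down this thread that accepting IE's "make me the default browser" prompt flipped the association back. A `reg query` of that key from the user's own session shows whether such an override exists. Second, this only changes which program the shell launches for the two extensions; it does nothing about content handled by other paths (the preview-pane and renamed-file questions raised in this thread), so treat it as the stopgap the thread describes, not as a patch.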

    • #555261

      Having followed the instructions my “MHT File” is now directed to notepad, etc.

      Instructions were spot on!     THANKS

      Should this fix also be done for MHTML Document to be directed to Notepad?


      Win 7 Home, X64, SP1, Group B


      Edited for HTML. Please use Text tab for copy/paste.

      1 user thanked author for this post.
    • #555764

      A question was asked earlier by someone but it has not been answered…..Is it advised that we follow the same procedure for mhtml files as we do for mht files?

      3 users thanked author for this post.
    • #556238

      According to davinci953: “In reading the article on 0patch, it appears that the exploit works on Windows 10 when using Edge but not Windows 7 with IE only. YMMV.” Could this be true about Windows 7 with IE11? Reading other comments here, this does not seem to be the case, but I rather ask a question that looks to have an obvious answer, when something important, such as a 0-day vulnerability, is the relevant issue and I want to double-check the information I have about it. You would be surprised how often I’ve had useful and not at all obvious answers this way.

      Read the 0patch article that ‘anonymous’ links to above. That was my interpretation from the article. I guess the validity of the findings depends on how accurate their analysis is about the exploit. I still changed the file associations. Better safe than sorry until MS gets it sorted out.

      • #557377

        davinci953:

        I have found a link in one of the several “anonymous” entries above ours, which might be the one you were referring to, and in the article there the interaction of Edge and IE11 was discussed, the bottom line, as I understand it, being that one might have a vulnerability if one has both Edge and IE11 installed:

        “See the irony here? An undocumented security feature used by Edge neutralized an existing, undoubtedly much more important feature (mark-of-the-web) in Internet Explorer.

        This is clearly a significant security issue, especially since the attack can be further improved from what was originally demonstrated. We have found that:

        1. the malicious MHT file doesn’t have to be downloaded and manually opened by the user – just opening it directly from Edge can be made to work as well;
        2. the exploit can be enhanced so that it works more silently, and extracts many local files using a single MHT file.

        On the upside, only Edge users are at risk. No other leading web browsers and email clients we’ve tested are using the undocumented security flag on the downloaded files, which effectively blocks the exploit.”

        I have Windows 7 Pro, x64 SP1, and these browsers: IE11, Chrome, FireFox and Waterfox. No Edge anywhere to be found, and that is how I intend to keep it until I breathe my last.

        So I am thinking that the problem, if I understand correctly the excerpt of the article I’ve copied above, is for people that, for whatever arcane reason of theirs, have Edge in Windows 7. So: not for me.

        Anybody here knows otherwise?

        Also, davinci953 has had what might be a good idea: to associate MHT (and MHTML?) to the default browser, rather than to Notepad, assuming this default is not IE11 (if yours is, then make another browser your default one ASAP!).

        Anybody here thinks that is not such a good idea?



    • #559332

      I ran into a wrinkle: After changing the .MHT file association to Notepad, the next time I opened IE11 (Win7 Ent 32-bit), IE asked if I wanted to make IE my default browser. When I said Yes, the .MHT association was changed back to Internet Explorer. I then went to IE Options, Programs, and unchecked “Tell me if Internet Explorer is not the default option” and then reset the .MHT association to Notepad, after which starting IE no longer changed the association back to IE.

      GaryK

      2 users thanked author for this post.
    • #564165

      The difference (and why I would recommend it) is that you can apply it temporarily if need be until Microsoft patches it.

      If you feel you can wait that long, then how important was it to you in the first place?

    • #565453

      If a malicious .mht file is renamed to .htm and opened in Internet Explorer, would it still be treated as a .mht file? If so then wouldn’t that break/defeat the fix presented here?

      1 user thanked author for this post.
      • #566719

        “If a malicious .mht file is renamed to .htm and opened in Internet Explorer, would it still be treated as a .mht file? If so then wouldn’t that break/defeat the fix presented here?”

        Oops.

        GaryK

    • #573005

      thx for advice. on windows 7 i linked both .mht and .mhtml to notepad.exe, to be on the safe side. windows 8.1 notebook i won’t power on anymore until next defcon 3 or greater state here on askwoody. so i did nothing on 8.1 as i assume this 0day will be fixed once april ie patch is clear to install…

      PC: Windows 7 Ultimate, 64bit, Group B
      Notebook: Windows 8.1, 64bit, Group B

    • #574070

      I use MHT extensively here for local archive purposes. I open them from PaleMoon with the MozArchiver extension which also works with Firefox. The original version of Opera opened them natively. It is not exclusively an IE format. I do not use IE, full stop, and the default on my machines to open MHT is PaleMoon.

      Again we have Woody coming up with rash suggestions without knowing the full facts, just as he did with the WinRar ACE issue. I would normally support what he says but now I am not so sure.


      • #586640

        From the headline of Woody’s CW article. The bolding is mine.

        It turns out there’s a much simpler way to fix the problem, as long as you don’t rely on MHT files

        cheers, Paul

        1 user thanked author for this post.
      • #609487

        Woody, see https://www.wilderssecurity.com/threads/internet-explorer-zero-day-lets-hackers-steal-files-from-windows-pcs.415558/

        It is a bit more involved than you suggest. Vulnerable files have to be downloaded via Edge and then opened in IE. It is actually an Edge vulnerability rather than MHT or IE. And rather bizarrely it seems if you have any other AV than Defender it will block it. I have not read the Wilders article in depth but maybe you could update your coverage on it.

    • #581139

      W10-1809 Up-To-Date …. Hoping Woody-PKC confirms need to do MHTML w/Notepad, too (I did), after the “New RTF files” exercises I found in Control Panel / Choose Default Apps by File Type that MHT showed Notepad BUT MHTML did NOT. …. I [ 1-Left Clk’d ] and Changed it to Notepad that was shown as an alt app.

      The question on Bad Guys getting access thru Explorer Preview Pane needs an answer, too.

      And, IF/When an MSoft – MHT/MHTML – FIX is offered, do we simply reverse the Open With and Re-Associate with IE?

      W10 Pro 22H2 / Hm-Stdnt Ofce '16 C2R / Macrium Pd vX / GP=2 + FtrU=Semi-Annual + Feature Defer = 1 + QU = 0

      • #617438

        I too associated both .MHT and .MHTML files with EditPad (alternative to Notepad), since both file types basically are the same thing. I will reverse it and set back to IE if MS ever fixes this vulnerability.

        3 users thanked author for this post.
        • #900212

          Hm. Is there a reason to set the association back to IE even if this does get fixed?

          And if so, for everyone or just some? I mean, we have those who associate it with a non-network-capable tool, then some who use other browsers, … (and I wouldn’t be very surprised if it turns out that other browsers may also have flaws regarding active content in there, but at least they might be different flaws so malware would have to be rebuilt to a different target… or maybe not as the languages involved are pretty standardized…)

          I mean, we can still use manual file open, can’t we?

        • #926979

          Gone ToPlaid –  Thanks

          I’ve been waiting for someone to answer my question of also doing the .MHTML document! Both of my .MHT and .MHTML are now associated with Notepad. Should you or anyone ever see MS doing a fix please advise. Again THANKS

    • #596077

      Simple, highly targeted & slicker’n’snot (as they say in some parts of the country!)  Gracias!

    • #627273

      I see this again and again… How does releasing “Proof Of Concept” code help anyone?

      I don’t know about you but doing the leg work to be the basis of a malware attack seems kind of malicious to me in itself.

      -Noel

      2 users thanked author for this post.
      • #685816

        (I’m speaking of the actions taken by the original discoverers of the exploit… Articles always make it sound like they choose to “up the ante” against the OS maker when they perceive the OS maker isn’t doing enough, quickly enough)

        -Noel

      • #688727

        It seems to me that most discoverers of security holes are 1) trying to show off how smart they are and/or 2) trying to show how dumb the other software writers are. When the discoverer isn’t given what they consider proper recognition for their discovery they get offended and their retribution is to publish a proof of concept (or similar).

        I’m no fan of Microsoft, but I suspect that they might know more about their software and potential security threats than independent discoverers of security holes.

        1 user thanked author for this post.
    • #690346

      Not only do I agree with Neil Carboni and DrBonzo, I am also very glad to see that someone here shares my long-held opinion that releasing publicly, for all to see, information on how one could exploit an OS vulnerability, whatever the excuse for doing it, is an appalling thing to do.


    • #726284

      The only way companies change their ways is in response to commercial pressure. Public disclosure of anything you think warrants change is an acceptable form of applying said pressure. In this case, notifying the company in advance is ethical behaviour, public disclosure is the next step.

      cheers, Paul

      1 user thanked author for this post.
      • #846645

        Public disclosure that “there is this serious problem with this product that puts its users at risk of attacks by criminals, but the company that makes and sells it says they won’t do anything about it”, if true, is a “public service”.

        But saying the above and then adding, also in public: “and these are the details of how bad actors can exploit this problem” is not. That should be discussed in communications between security experts, not splashed out for all to see, as it seems to have happened here.


    • #841603

      Don’t forget to cripple access to .js and .vbs files & many others as well. Just have them opened by default with notepad.

      https://community.webroot.com/webroot-business-endpoint-protection-20/disable-execution-of-script-files-303074

      1 user thanked author for this post.
      • #847426

        Anonymous: Thanks for the heads up!

        I have Webroot SecureAnywhere in a Windows 7 Pro PC and a macOS Mojave Mac, respectively. Unfortunately the article does not seem to apply to either. Perhaps it is relevant only to Windows 10. Or, if to Windows 7, to a different version from Professional, perhaps Enterprise?

        If anyone here knows about how to implement this protection with SecureAnywhere for Win 7 or macOS (ex OS X), I would sincerely appreciate their giving some relevant details.


        • #898051

          Hi, for Win7 Pro I found the associations here:
          Control Panel\All Control Panel Items\Default Programs\Set Associations

          1 user thanked author for this post.
        • #899212

          In Win 7 Home, it is Start>Control Panel>Default Programs>Set Associations, then follow Steps 2 & 3 in Woody’s advisory. Just a slightly different route.

          1 user thanked author for this post.