The latest Internet Explorer XXE zero-day depends on you opening an infected MHT file. MHT is an old file format that’s almost always opened by IE — no matter which browser you’re using, no matter which version of Windows. Catalin Cimpanu has a good overview of this XXE vulnerability on ZDNet.
It’s a doozy of a security hole as it affects every recent version of IE, and it infects whether you’re actively browsing with IE or not.
When you download files from the internet, they’re marked — the “Mark-Of-The-Web” — to tell programs that special care is required when opening them. Thus, if you download an infected MHT file, IE will know that it needs to open the MHT file with caution (at “low integrity,” in a sandbox). That severely limits this exploit’s reach.
There’s a lot of controversy about how bad this XXE hole really is. There have been numerous XXE holes discovered in the past; they’re used to pull files off your machine and send them to the bad guys. Microsoft figured this one isn’t all that bad, in part because of the MOTW mechanism and in part because the creep has to know the name and location of the file they want to purloin. The folks who discovered this particular hole aren’t so sanguine. They responded to Microsoft’s snub last week by releasing details, proof of concept code, and even a video.
Yesterday, Mitja Kolsek at 0patch revealed something disconcerting. If you use Edge to download an infected MHT file, Internet Explorer will open it like any other file. Says Kolsek:
Does Edge not put the mark-of-the-web on downloaded files, or does it do it differently and somehow confuses Internet Explorer? That would be a serious flaw.
He goes on to explain how Edge changes the permissions on downloaded files and, thus, why IE will open the infected MHT file as if it had no Mark-Of-The-Web.
It’s fascinating stuff if you’re into this kind of thing. Ionut Ilascu has a synopsis on BleepingComputer.
Because of this XXE zero-day, many people recommend that you disable Internet Explorer entirely. While I’m very much in favor of avoiding IE at all costs, disabling it is a rather painful procedure that could have unintended consequences. It’s far better, in my opinion, to re-wire Windows so it doesn’t use IE to handle MHT files.
Warning: If you need to use MHT files, don’t do this.
Windows 10, IE and MHT files
Here’s an easy way to disassociate Internet Explorer from MHT in Win10 (thx, MikeMc):
Step 1: Make sure filename extensions are showing. Click on File Explorer (the icon at the bottom that looks like a file folder), then at the top click View. Make sure the box marked File name extensions is checked.
Step 2: Right-click an empty spot on your desktop and choose File > New > Rich Text Format (actually, any kind of file will work). Windows puts a new file of that type on your desktop, with the name already highlighted so you can change it.
Step 3: Rename the file to wow.mht or anythingelse.mht. Make sure you’ve deleted all of the old filename, including the part to the right of the period. Hit enter. Windows will nag you about changing file name extensions. Click Yes, thank you, Mother Microsoft.
Step 4: Right-click on the newly created mht file and click Open with…
[Screenshot caption: Changing file name extensions is part of the solution to fending off the IE XXE zero-day hole in Windows.]
Step 5: Click More apps, then Notepad (or some equally innocuous program), check the box marked Always use the app to open .mht files, and click OK.
Step 6: Test to make sure you’ve subverted MHT files by double-clicking on your desktop MHT file.
Don’t even bother trying to confirm if the change was made in the Windows Apps Settings file types pane (Start > Settings > Apps > Choose default apps by file type > mht). It’s broken, and has been for years.
Protection for Windows 7 and 8.1
As usual, a simple change that’s painfully obtuse and buggy in Windows 10 is very straightforward in Win7 and 8.1. Here’s how:
Step 1: Click Start > Control Panel > Programs and under Default Programs click Make a file type always open in a specific program.
Step 2: On the left, scroll down to .mht. See how it’s associated with Internet Explorer? Click on mht and click Change program… Windows shows you a pane that’s marked Open with.
Step 3: On the lower right, click Browse, navigate to c:\Windows\System32, scroll way down, click on Notepad.exe and click Open. Click OK.
From that point on, any MHT file will open in Notepad – and the infection cycle has been broken.
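Since the Win10 Settings pane can't be trusted to confirm the change, the following read-only PowerShell check (an added example, not from the original article) reports which program now handles .mht files and, for one downloaded file, whether it carries the Mark-Of-The-Web and what permissions are set on it. The function names and the sample path are hypothetical; the registry locations are the standard Windows per-user association keys.

```powershell
# Added example: read-only checks, nothing is modified.

function Get-MhtHandler {
    # Per-user choice recorded by the "Open with" dialog.
    $uc = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice'
    $progId = (Get-ItemProperty -Path $uc -ErrorAction SilentlyContinue).ProgId
    if (-not $progId) {
        # No per-user choice: fall back to the machine-wide association.
        $progId = (cmd /c assoc .mht 2>$null) -replace '^\.mht=', ''
    }
    # Resolve the ProgId to the command line Windows will actually launch.
    $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $command = (Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{
        ProgId    = $progId
        Command   = $command
        # True if the association still points at Internet Explorer.
        OpensInIE = [bool]($progId -match 'mhtmlfile|IE\.AssocFile' -or $command -match 'iexplore')
    }
}

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # The Mark-Of-The-Web lives in the Zone.Identifier alternate data stream.
    $lines  = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = if (($lines -join "`n") -match 'ZoneId=(\d+)') { [int]$Matches[1] } else { $null }
    [pscustomobject]@{
        Path   = $Path
        ZoneId = $zoneId   # 3 = Internet zone; $null = no mark found or stream unreadable
        # Permissions on the file, the property the article says Edge changes on downloads.
        Access = (Get-Acl -LiteralPath $Path).Access |
                 ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }
    }
}

Get-MhtHandler | Format-List

# Hypothetical sample path: point this at an .mht file you downloaded.
$sample = Join-Path $env:USERPROFILE 'Downloads\sample.mht'
if (Test-Path -LiteralPath $sample) {
    Get-MarkOfTheWeb -Path $sample | Format-List
}
```

After following the steps above, OpensInIE should be False and Command should point at Notepad (or whichever program you picked).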
Questions about the method? Hit us on the AskWoody Lounge.