XPost: alt.comp.os.windows-11, alt.comp.microsoft.windows
On 7/10/2024 10:34 PM, Isaac Montara wrote:
> Microsoft fixed a Windows zero-day vulnerability that has been actively exploited in attacks for eighteen months to launch malicious scripts while bypassing built-in security features.
> https://www.bleepingcomputer.com/news/security/windows-mshtml-zero-day-used-in-malware-attacks-for-over-a-year/
> The flaw, tracked as CVE-2024-38112, is a high-severity MHTML spoofing issue fixed during the July 2024 Patch Tuesday security updates.
Thanks. Interesting bug. I removed Edge, so this sample would show no
icon for me. I also took the following steps in the Registry, since I
don't expect to have any use for MHTML files. (And the MS fix would
disable them for me anyway, as MS switches the association to Edge.)
Delete HKCR\.mht and .mhtml
Delete HKCR\mhtmlfile (requires taking ownership)
Delete HKCR\protocols\mhtml (requires taking ownership)
One could also export these keys first, just in case some unseen
dependency shows up. But I opened the Metro version of system settings,
which likes to break more than anything else on Win10, and it works
fine... So I'm not worried. :)
I don't see the point of an MHTML file these days. Supposedly it
puts all webpage files into a single package. But script and CSS can
already go into an HTML file.
For those who may not know or may have forgotten: HTA files are
HTML applications. They're run by mshta.exe, but they're essentially
a webpage with no security aside from a requirement that it must be
opened locally. And in all recent browsers, any number of images can
be encoded as base-64 and embedded via "data uri". I use that
technique myself. For example, I have an HTML file showing the signs
of various nutrient deficiencies in plant leaves. I encoded the images,
so that a single HTML file can display 8 or 10 pictures when it's opened.
Very useful.
HTAs: MS came up with HTAs in the IE5 era. ActiveX was being scorned. Security was an increasing issue. But corporate IT people were using
HTAs to write all sorts of utilities. An HTA allows a webpage to be
software, limited only by whatever dispatch COM libraries are registered locally. The only restriction is that it must be run on the local computer.
I've written and use HTAs to edit MSI files, show a folder full of thumbnail images, display Windows SDK help without an MSDN subscription,
as a frontend to a custom email storage database, and many other things.
It's basically the same idea as "apps" -- an HTML graphical UI backed by script. But super-charged by the ability to use COM objects AKA ActiveX.
WMI, WIA, MSI, FileSystemObject, SAPI... nearly anything can be done
via COM object scripting.
If you have no use for HTAs you can change the .hta extension handler
to something like Notepad for better safety. Though some MS utilities may
use HTAs.
It's true that IE is completely there in Win10.
HTAs are IE. IE can be instantiated by script. If ieframe.dll is replaced
with an older version then IE itself can still be run directly. I've
done that myself. I replaced both versions of the file with a copy from
Win10 20H2.
The reason is that I like IE11 as default browser. Then I also block it
from going online via firewall. The result is a zippy browser for opening
local webpages while thwarting things like fake help links in software
that don't actually open a help file but rather try to jump online. With
this arrangement, I can't be tricked into opening a webpage... Now if I
could just remove the idiotic, yellow smiley face from the IE11 window
handle then I'd be happy. :)
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)
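An added example, not code from the post above: a PowerShell script that does the registry work the poster describes (export the MHTML handler keys to .reg files first, delete them, and repoint .hta at Notepad's "txtfile" handler), as one elevated session rather than by hand in regedit. It assumes the backup folder named below, and it assumes the protocol handler key the post abbreviates as HKCR\protocols\mhtml is HKCR\PROTOCOLS\Handler\mhtml. Keys that deny Administrators delete access (the ones the post says need ownership taken) are reported and left in place rather than forced.

```powershell
#Requires -RunAsAdministrator
# Added example (not the original poster's code). Backs up, then removes, the
# MHTML file/protocol handler keys and maps .hta to Notepad's ProgID.
# Assumptions: backup folder below; HKCR\PROTOCOLS\Handler\mhtml is the
# pluggable protocol handler key the post refers to as HKCR\protocols\mhtml.

$BackupDir = Join-Path $env:USERPROFILE 'Desktop\reg-backup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# HKCR-relative keys to remove (HKCR is the merged HKLM/HKCU Software\Classes view).
$MhtmlKeys = @('.mht', '.mhtml', 'mhtmlfile', 'PROTOCOLS\Handler\mhtml')

function Backup-RegistryKey {
    # reg.exe exports HKCR paths directly; returns the .reg file written.
    param([Parameter(Mandatory)][string]$HkcrPath)
    $safeName = ($HkcrPath -replace '[\\.]', '_').Trim('_')
    $target   = Join-Path $BackupDir "HKCR_$safeName.reg"
    & reg.exe export "HKCR\$HkcrPath" $target /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export failed for HKCR\$HkcrPath" }
    return $target
}

function Remove-HkcrKey {
    # Delete one key after backing it up; report keys that need ownership taken.
    param([Parameter(Mandatory)][string]$HkcrPath)
    $psPath = "Registry::HKEY_CLASSES_ROOT\$HkcrPath"
    if (-not (Test-Path -LiteralPath $psPath)) { Write-Host "skip    $HkcrPath (not present)"; return }
    $backup = Backup-RegistryKey -HkcrPath $HkcrPath
    try {
        Remove-Item -LiteralPath $psPath -Recurse -Force -ErrorAction Stop
        Write-Host "deleted $HkcrPath (backup: $backup)"
    } catch {
        # Typical for TrustedInstaller-owned keys: take ownership in regedit
        # (Permissions > Advanced > Owner) and rerun; the backup is kept.
        Write-Warning "could not delete $HkcrPath ($($_.Exception.Message)); backup at $backup"
    }
}

function Set-HtaHandlerToNotepad {
    # The extension key's default value names the ProgID that handles it.
    # "txtfile" is Notepad's ProgID, so a double-clicked .hta opens as text
    # instead of running under mshta.exe. A per-user UserChoice key would
    # override this, so it is removed as well.
    $null = Backup-RegistryKey -HkcrPath '.hta'
    Set-ItemProperty -LiteralPath 'Registry::HKEY_CLASSES_ROOT\.hta' -Name '(default)' -Value 'txtfile'
    $userChoice = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\UserChoice'
    if (Test-Path -LiteralPath $userChoice) {
        try { Remove-Item -LiteralPath $userChoice -Force -ErrorAction Stop }
        catch { Write-Warning "could not remove per-user .hta UserChoice: $($_.Exception.Message)" }
    }
}

function Get-HandlerState {
    # What is left after the changes: remaining MHTML keys and the .hta open command.
    $progId = (Get-ItemProperty -LiteralPath 'Registry::HKEY_CLASSES_ROOT\.hta' -ErrorAction SilentlyContinue).'(default)'
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    [pscustomobject]@{
        MhtmlKeysRemaining = @($MhtmlKeys | Where-Object { Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\$_" })
        HtaProgId          = $progId
        HtaOpenCommand     = (Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue).'(default)'
    }
}

foreach ($k in $MhtmlKeys) { Remove-HkcrKey -HkcrPath $k }
Set-HtaHandlerToNotepad
Get-HandlerState | Format-List
```

Two caveats worth keeping in mind. The .hta remap only changes what Explorer and ShellExecute do with a double-clicked file; `mshta.exe something.hta` (or mshta with a URL) still runs, so blocking the HTA vector itself means restricting mshta.exe with AppLocker or WDAC rather than editing associations. And the backups matter because, as the post notes, some Microsoft utilities are HTAs: `reg import` on the saved .reg files puts the original handlers back.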
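A second added example, again not the poster's own code, for the data-URI technique described above: a PowerShell script that base64-encodes image files and writes one self-contained HTML page with an `<img>` per image, the way the post's single-file leaf-deficiency page works. Since no real photos ship with this post, the script generates three small solid-colour PNGs with System.Drawing as constructed stand-ins; the temp folder, captions and output name are assumptions.

```powershell
# Added example (not the original poster's code): embed images into a single
# HTML file as base64 data URIs. Sample PNGs are constructed below so this runs
# offline; file names and captions are assumptions.
Add-Type -AssemblyName System.Drawing

$MimeByExt = @{ '.png' = 'image/png'; '.jpg' = 'image/jpeg'; '.jpeg' = 'image/jpeg'; '.gif' = 'image/gif'; '.webp' = 'image/webp' }

function ConvertTo-DataUri {
    # Read the file bytes and produce "data:<mime>;base64,<payload>".
    param([Parameter(Mandatory)][string]$Path)
    $ext  = [IO.Path]::GetExtension($Path).ToLowerInvariant()
    $mime = $MimeByExt[$ext]
    if (-not $mime) { throw "unsupported image type: $ext" }
    return "data:$mime;base64," + [Convert]::ToBase64String([IO.File]::ReadAllBytes($Path))
}

function New-SelfContainedHtml {
    # Captions maps caption text -> image path. Captions are HTML-encoded so a
    # stray '<' in a caption cannot inject markup into the generated page.
    param(
        [Parameter(Mandatory)][string]$Title,
        [Parameter(Mandatory)][hashtable]$Captions,
        [Parameter(Mandatory)][string]$OutFile
    )
    $figures = foreach ($caption in ($Captions.Keys | Sort-Object)) {
        $safe = [System.Net.WebUtility]::HtmlEncode($caption)
        $uri  = ConvertTo-DataUri -Path $Captions[$caption]
        "  <figure><img src=`"$uri`" alt=`"$safe`"><figcaption>$safe</figcaption></figure>"
    }
    $safeTitle = [System.Net.WebUtility]::HtmlEncode($Title)
    $html = @"
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>$safeTitle</title>
<style>figure{display:inline-block;margin:8px;text-align:center}img{image-rendering:pixelated;width:96px}</style>
</head><body>
<h1>$safeTitle</h1>
$($figures -join "`n")
</body></html>
"@
    [IO.File]::WriteAllText($OutFile, $html, [Text.UTF8Encoding]::new($false))
    return $OutFile
}

# Constructed sample input: three 16x16 solid-colour PNGs standing in for leaf photos.
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'leaf-samples'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
$samples = @{}
foreach ($pair in @(@('nitrogen deficiency', 'Yellow'), @('magnesium deficiency', 'Orange'), @('healthy leaf', 'Green'))) {
    $bmp = [System.Drawing.Bitmap]::new(16, 16)
    $g   = [System.Drawing.Graphics]::FromImage($bmp)
    $g.Clear([System.Drawing.Color]::FromName($pair[1]))
    $g.Dispose()
    $file = Join-Path $tmp (($pair[0] -replace ' ', '-') + '.png')
    $bmp.Save($file, [System.Drawing.Imaging.ImageFormat]::Png)
    $bmp.Dispose()
    $samples[$pair[0]] = $file
}

$out = New-SelfContainedHtml -Title 'Leaf nutrient deficiencies' -Captions $samples -OutFile (Join-Path $tmp 'leaves.html')
"wrote $out ($((Get-Item $out).Length) bytes, $($samples.Count) images embedded)"
```

Base64 costs roughly a third more bytes than the raw images, but the result is one file with no external references, which is exactly what makes it usable from a browser that, like the poster's firewalled IE11, is never allowed to fetch anything.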