Ngaphambili thina malunga nomngcipheko womhla we-zero ofunyenweyo kwi-Internet Explorer, evumela ukusebenzisa ifayile ye-MHT elungiselelwe ngokukodwa ukukhuphela ulwazi kwikhompyutheni yomsebenzisi kwi-server ekude. Kutshanje, lo mngcipheko, ofunyenwe yingcali yezokhuseleko uJohn Page, wagqiba kwelokuba ajonge kwaye afunde enye ingcali eyaziwayo kweli candelo - uMitya Kolsek, umlawuli we-ACROS Security, inkampani yophicotho lwezokhuseleko, kunye nomseki wenkonzo ye-micropatch 0patch. Yena Imbali epheleleyo yophando lwayo, ebonisa ukuba uMicrosoft wabujongela phantsi kakhulu ubuzaza bengxaki.
Okumangalisayo kukuba, u-Kolsek ekuqaleni akazange akwazi ukuvelisa uhlaselo oluchazwe kwaye lwaboniswa nguJohn, apho wasebenzisa i-Internet Explorer isebenza Windows 7 ukukhuphela kwaye emva koko uvule ifayile ye-MHT eyingozi. Nangona umphathi wenkqubo yakhe wabonisa ukuba inkqubo.ini, eyayicetywe ukuba ibiwe kuye, yafundwa ngeskripthi esifihliweyo kwifayile ye-MHT, kodwa ayizange ithunyelwe kwiseva ekude.
"Oku kwakubonakala ngathi yimeko ye-Classic-of-the-Web," ubhala uKolsek. “Xa ifayile ifunyenwe kwi-Intanethi, isebenza ngokufanelekileyo usetyenziso lweWindows olunje ngeziphequluli zewebhu kunye nabathengi be-imeyile bongeza ileyibhile kwifayile enjalo kwifomu. ebizwa ngokuba yiZone.Identifier equlethe umtya ZoneId = 3. Oku kwenza ezinye izicelo zazi ukuba ifayile ivele kumthombo ongathenjwanga kwaye ke kufuneka ivulwe kwibhokisi yesanti okanye enye imeko-bume enothintelo."
Umphandi uqinisekise ukuba i-IE ngenene isete ileyibhile yefayile ye-MHT ekhutshelweyo. U-Kolsek emva koko wazama ukukhuphela ifayile efanayo usebenzisa i-Edge kwaye uyivule kwi-IE, ehlala iyisicelo esingagqibekanga kwiifayile ze-MHT. Ngokungalindelekanga, oko kuxhaphaza kwasebenza.
Okokuqala, umphandi ujonge "uphawu lweWebhu", kwavela ukuba i-Edge ikwagcina umthombo wemvelaphi yefayile kwenye indlela yokuhambisa idatha ukongeza kwisichongi sokhuseleko, esinokuthi siphakamise imibuzo malunga nokuba yimfihlo kwale nto. indlela. U-Kolsek uqikelele ukuba imigca eyongezelelweyo inokuthi idideke i-IE kwaye iyithintele ekufundeni i-SID, kodwa njengoko kuvela, ingxaki yayikwenye indawo. Emva kohlalutyo olude, ingcali yezokhuseleko ifumene isizathu kwiingeniso ezimbini kuluhlu lolawulo lokufikelela olongeze ilungelo lokufunda ifayile ye-MHT kwinkonzo ethile yenkqubo, leyo i-Edge yongezelela apho emva kokuyilayisha.
UJames Foreshaw ovela kwiqela elizinikeleyo leentsuku zero-sesichengeni-iProjekthi kaGoogle Zero - ibhale kuTwitter ukuba amangeno ongezwe nguEdge abhekisa kwizichongi zokhuseleko zeqela zephakheji Microsoft.MicrosoftEdge_8wekyb3d8bbwe. Emva kokususa umgca wesibini we-SID S-1-15-2 - * kuluhlu lolawulo lokufikelela kwifayile ekhohlakeleyo, ukuxhaphaza akusayi kusebenza. Ngenxa yoko, ngandlela thile imvume eyongezwe ngu-Edge ivumele ifayile ukuba idlule kwibhokisi yesanti kwi-IE. Njengoko u-Kolsek kunye noogxa bakhe bacetyisayo, i-Edge isebenzisa ezi mvume zokukhusela iifayile ezikhutshelweyo ekufikeleleni kwiinkqubo ze-low-trust ngokusebenzisa ifayile kwindawo esecaleni.
Okulandelayo, umphandi wayefuna ukuqonda ngcono ukuba yintoni ebangela ukuba inkqubo yokhuseleko ye-IE isilele. Uhlalutyo olunzulu olusebenzisa iNkqubo yeMonitor usetyenziso kunye ne-IDA disassembler ekugqibeleni ibonise ukuba isisombululo se-Edge sithintele umsebenzi we-Win Api GetZoneFromAlternateDataStreamEx ekufundeni umlambo wefayile ye-Zone.Identifier kwaye wabuyisela impazamo. Kwi-Internet Explorer, impazamo enjalo xa icela ileyibhile yokhuseleko yefayile yayingalindelekanga ngokupheleleyo, kwaye, ngokucacileyo, isikhangeli sithathele ingqalelo ukuba impazamo yayilingana nento yokuba ifayile ayinalo uphawu “lwewebhu”, eyenza ngokuzenzekelayo ukuba ithenjwe, emva kokuba kutheni i-IE ivumele iskripthi esifihliweyo kwifayile ye-MHT ukuba siphumeze kwaye sithumele ifayile ekujoliswe kuyo yasekhaya kumncedisi okude.
"Uyayibona impoxo apha?" ubuza uKolsek. "Inqaku lokhuseleko elingabhalwanga elisetyenziswe ngu-Edge lithintele into ekhoyo, ngokungathandabuzekiyo ibaluleke kakhulu (uphawu lwewebhu) kwi-Internet Explorer."
Ngaphandle kokubaluleka kokubaluleka komngcipheko, ovumela ukuba iskripthi esikhohlakeleyo siqhutywe njengeskripthi esithembekileyo, akukho nto ibonisa ukuba iMicrosoft inenjongo yokuyilungisa i-bug nanini na, ukuba ikhe yalungiswa. Ke ngoko, sisacebisa ukuba, njengakwinqaku elidlulileyo, utshintshe inkqubo engagqibekanga yokuvula iifayile zeMHT nakwesiphi na isikhangeli sanamhlanje.
Ngokuqinisekileyo, uphando lukaKolsek aluzange luhambe ngaphandle kwe-self-PR encinane. Ekupheleni kwenqaku, ubonise isiqwenga esincinci esibhalwe ngolwimi lwendibano enokusebenzisa inkonzo ye-0patch ephuhliswe yinkampani yakhe. 0patch ibona ngokuzenzekelayo isoftware esesichengeni kwikhompyuter yomsebenzisi kwaye ifake amabala amancinci kuyo ngokoqobo xa ibhabha. Ngokomzekelo, kwimeko esiyichazile, i-0patch iya kuthatha indawo yomyalezo wemposiso kumsebenzi we-GetZoneFromAlternateDataStreamEx ngexabiso elihambelana nefayile engathembekanga efunyenwe kwinethiwekhi, ukuze i-IE ingavumeli naziphi na izikripthi ezifihliweyo ukuba ziqhutywe ngokuhambelana ne-built- kumgaqo-nkqubo wokhuseleko.
umthombo: 3dnews.ru