Loading a local zip file twice in an iFrame using the mhtml: protocol caused IE to render the zip’s contents as browsable files — and if the zip contained executables placed inside a subfolder, clicking them launched the executables without any security warnings.

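// Local zip file; its path on disk has to be known in advance
var filePath = "file:///c:/test/zip.zip";
var mhtmlPath = "mhtml:" + filePath;

window.onload = function()
{
	// First navigation of the iframe: the zip is not rendered
	window[0].location = mhtmlPath;
	// Second navigation, 100 ms later: the zip is rendered as a file listing
	setTimeout('window[0].location = mhtmlPath', 100);
};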

The first navigation to mhtml:file:///.../zip.zip didn’t render the zip. The second navigation (fired via setTimeout) did. Once rendered, IE displayed the zip’s contents as a file listing. Executables at the root of the zip triggered a security warning; executables nested inside a folder did not — they ran directly when clicked. The attack required the attacker to know the target file path on disk, which limits the surface considerably, but the no-warning execution was still notable.
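
As an added example (not code from the original post), here is a small static check for reviewing archived pages: it flags script source that navigates a frame to an mhtml: URL wrapping a local file: path, resolving simple string concatenation like the snippet above uses. The function names and the example.test URL are assumptions, and the sample input is constructed.

```javascript
// Constructed sample: the page's snippet plus one benign navigation.
const SAMPLE = `
var filePath = "file:///c:/test/zip.zip";
var mhtmlPath = "mhtml:" + filePath;
window.onload = function()
{
	window[0].location = mhtmlPath;
	setTimeout('window[0].location = mhtmlPath', 100);
};
var ok = "https://example.test/page.html";
window[1].location = ok;
`;

const LITERAL = /^(["'])(.*)\1$/;

// Build a name -> value table from `var x = "lit" + y;` style declarations.
// Simplification: a "+" inside a string literal is not handled.
function resolveStrings(src) {
  const table = new Map();
  for (const m of src.matchAll(/(?:var|let|const)\s+(\w+)\s*=\s*([^;]+);/g)) {
    let value = "";
    for (const part of m[2].split("+").map((p) => p.trim())) {
      const lit = LITERAL.exec(part);
      if (lit) value += lit[2];
      else if (table.has(part)) value += table.get(part);
      else { value = null; break; }
    }
    if (value !== null) table.set(m[1], value);
  }
  return table;
}

// Return each URL assigned to a .location that wraps a file: URL in mhtml:.
function findMhtmlLocalNavigations(src) {
  const table = resolveStrings(src);
  const hits = [];
  for (const m of src.matchAll(/\.location(?:\.href)?\s*=\s*(\w+|"[^"]*"|'[^']*')/g)) {
    const lit = LITERAL.exec(m[1]);
    const url = lit ? lit[2] : table.get(m[1]);
    if (url && /^mhtml:\s*file:/i.test(url)) hits.push(url);
  }
  return hits;
}

console.log(findMhtmlLocalNavigations(SAMPLE));
```

Both navigations in the sample are reported, including the one inside the setTimeout string, while the https navigation is ignored.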

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.