Sunday, January 18, 2026

FileFix – Leveraging Windows Browser Vulnerabilities to Circumvent Mark-of-the-Web Defense

A new blog post by a security researcher describes a variant of the FileFix social-engineering attack that poses fresh challenges for defenders on the Windows platform.

The technique abuses a file-saving behaviour of Chromium-based browsers (Google Chrome and Microsoft Edge) to bypass the “Mark-of-the-Web” (MOTW) protection, so that an HTML Application (.hta file) supplied by the attacker runs on the victim's machine without the usual warning.

The Flaw in Webpage Saving

The technique hinges on how the browsers handle saving a web page to disk. When a user saves a page served as text/html or application/xhtml+xml with Chrome or Edge (Ctrl+S or “Save as”), the resulting file is not tagged with MOTW.

This is a crucial gap. MOTW is a Zone.Identifier alternate data stream that records where a file came from; Windows consults it to decide whether to show the “Open File - Security Warning” prompt, run SmartScreen, or open the file in a restricted mode. A file without MOTW receives none of those checks, so the tag is a key defence against unsolicited code execution.

By contrast, files saved from other content types (such as image/png or image/svg+xml) do receive MOTW.

The method isn’t without hurdles: the browsers add boilerplate to saved files, such as the MIME headers of MHTML (“Webpage, Single File”) or specific HTML comments and meta tags (“Webpage, Complete”).

That boilerplate prevents an attacker from fully controlling the bytes of the saved file, which rules out formats that need an exact layout. HTML Applications (.hta) are the exception: mshta.exe parses the saved file as an HTML document and executes whatever script it contains, so the extra comments and meta tags do not get in the way.
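The practical check, as an added example that is not part of the original post: MOTW is stored in an NTFS alternate data stream named Zone.Identifier, so a saved file can be inspected for it directly. The PowerShell below parses that stream, hunts a folder for .hta files that lack it, and finishes with a demo on two constructed files (the tagged one stands in for a normal download, the untagged one for a Save-As result). The folder path and file names are assumptions.

```powershell
# Added example, not code from the original post. Windows/NTFS only:
# MOTW lives in the Zone.Identifier alternate data stream (ADS).

function Get-MotwInfo {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    process {
        $info = [ordered]@{ Path = $Path; HasMotw = $false; ZoneId = $null; ReferrerUrl = $null; HostUrl = $null }

        # Files Chrome/Edge save from text/html pages have no such stream at all.
        $ads = Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        if (-not $ads) { return [pscustomobject]$info }

        # The stream body is INI-style:
        #   [ZoneTransfer]
        #   ZoneId=3
        #   ReferrerUrl=https://...
        #   HostUrl=https://...
        foreach ($line in (Get-Content -LiteralPath $Path -Stream 'Zone.Identifier')) {
            if ($line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') {
                switch ($Matches[1]) {
                    'ZoneId'      { $info.ZoneId      = [int]$Matches[2] }
                    'ReferrerUrl' { $info.ReferrerUrl = $Matches[2] }
                    'HostUrl'     { $info.HostUrl     = $Matches[2] }
                }
            }
        }
        # Zone 3 (Internet) or 4 (Restricted sites) is what triggers the
        # "Open File - Security Warning" prompt and SmartScreen checks.
        $info.HasMotw = ($null -ne $info.ZoneId -and $info.ZoneId -ge 3)
        [pscustomobject]$info
    }
}

function Find-UntaggedHta {
    # Assumed hunting ground; point it at whatever folder users save into.
    param([string]$Root = (Join-Path $env:USERPROFILE 'Downloads'))
    Get-ChildItem -LiteralPath $Root -Filter '*.hta' -File -Recurse -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName |
        Get-MotwInfo |
        Where-Object { -not $_.HasMotw }
}

# --- Demo on constructed files (folder and names are assumptions) -----------
$demo = Join-Path $env:TEMP 'motw-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$downloaded = Join-Path $demo 'downloaded.hta'   # stands in for a real download
$savedAs    = Join-Path $demo 'saved-as.hta'     # stands in for a Save-As result
$page = '<html><head><title>backup-codes.hta</title></head><body>demo</body></html>'
Set-Content -LiteralPath $downloaded, $savedAs -Value $page

# Tag only the first file the way the browser download path would.
Set-Content -LiteralPath $downloaded -Stream 'Zone.Identifier' `
    -Value "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=https://example.test/backup"

$downloaded, $savedAs | Get-MotwInfo | Format-Table Path, HasMotw, ZoneId, HostUrl -AutoSize

# Only the untagged file should come back from the hunt.
Find-UntaggedHta -Root $demo | Select-Object -ExpandProperty Path
```

Get-MotwInfo reports HasMotw only for zone 3 or 4, because a Zone.Identifier stream with ZoneId=0 through 2 (local, intranet, trusted) does not trigger the warning prompt either; a triage script that merely tests for the presence of the stream would miss that case.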

Weaponizing User Behavior

The attack relies on social engineering. A malicious site prompts the user to save a page styled to look like backup codes or other sensitive data, and instructs them to save it with a .hta extension.

The browser takes the suggested filename from the page's <title> tag. If the user accepts that suggestion as-is, Chrome and Edge append .html, so a suggested name ending in .hta is written to disk as .hta.html, which is harmless.

But if the user, following the attacker's instructions, retypes or edits the filename, the .html extension is no longer appended and the result is a true .hta file.

Because the file was saved from a text/html page, it carries no MOTW. When the user opens it, Windows hands it to mshta.exe, which executes the attacker's embedded script without any warning prompt.

The demonstration used a simple script that ran system commands through ActiveXObject("WScript.Shell"), but the payload could be anything mshta.exe will execute.

The Broader Impact and Mitigations

This technique, which can also be applied via data URIs, highlights a persistent risk in user-driven file handling and Windows’ trust model for MOTW.

The recommended mitigation is to block or remove mshta.exe (for example with an AppLocker or WDAC deny rule), which prevents .hta files from executing at all.

Organizations are also encouraged to educate users about the risks of changing a file's extension when saving it, and to treat any web page that asks them to save a file under an unusual extension as suspicious.
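One way to apply the “block mshta.exe” advice on a single host, as an added example that is not part of the original post: strip the execute right from the binary's DACL and verify that it no longer launches. It assumes an elevated PowerShell session and the default System32 and SysWOW64 locations; a managed fleet would express the same deny as an AppLocker or WDAC rule instead.

```powershell
# Added example, not code from the original post. Run from an elevated
# PowerShell. Denies execute on mshta.exe via the file's DACL; this is a
# per-host stopgap, and an AppLocker/WDAC deny rule is the fleet answer.

$mshta = @("$env:SystemRoot\System32\mshta.exe", "$env:SystemRoot\SysWOW64\mshta.exe") |
    Where-Object { Test-Path -LiteralPath $_ }

foreach ($exe in $mshta) {
    # The file is owned by TrustedInstaller; give ownership to Administrators
    # (/A) first so the DACL can be edited now and reverted later.
    takeown.exe /F $exe /A | Out-Null
    icacls.exe $exe /grant '*S-1-5-32-544:F' | Out-Null   # Administrators: full control
    icacls.exe $exe /deny  '*S-1-1-0:(X)'     | Out-Null   # Everyone: deny execute only
}

# Verify: a deny ACE for Everyone (S-1-1-0) is present and launching fails.
$sidType = [System.Security.Principal.SecurityIdentifier]
foreach ($exe in $mshta) {
    $deny = (Get-Acl -LiteralPath $exe).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate($sidType).Value -eq 'S-1-1-0'
    }
    '{0}: deny ACE present = {1}' -f $exe, [bool]$deny

    try {
        Start-Process -FilePath $exe -ArgumentList 'about:blank' -ErrorAction Stop
        '{0}: STILL RUNS' -f $exe
    } catch {
        '{0}: blocked ({1})' -f $exe, $_.Exception.Message
    }
}

# Rollback, should a legitimate dependency on mshta.exe turn up:
#   icacls.exe $exe /remove:d '*S-1-1-0'
```

Two caveats a practitioner should keep in mind: Windows servicing can replace mshta.exe and reset its ACL, so the check should be re-run after updates (or the block moved into policy), and denying execute to Everyone also affects SYSTEM and any installer that still shells out to mshta.exe, which is exactly the behaviour the page recommends but worth confirming in a test group first.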

Security teams should remain vigilant, as this FileFix variant underscores the ongoing cat-and-mouse game between browser behavior, user experience, and security defenses.

Further evolutions of this technique are expected to be covered in forthcoming offensive security courses.
