Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Serious Microsoft File Association Bug
From: Jaanus Kase <j.kase () PRIVADOR COM>
Date: Fri, 1 Sep 2000 12:12:16 +0200

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of
jandrews () SQA-EXTERNAL DTTUS COM
Sent: 01. jaanuar 1601. A. 2:00
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Serious Microsoft File Association Bug

does not prove true for Microsoft Office documents.  If you
rename an Office document to an unknown extension, Windows will
still use the Office application to open the file.  It seems that
Windows uses the header information contained in a file to
determine if it is an Office document before offering a list of
applications.

I cannot fully confirm this. Interesting enough, this seems to depend on how
the document is opened. I decided to look into the matter and here's what I
came up with. I took a legitimate Word document file "something.doc" and
renamed it to "something.rew" (random unknown extension). As we know, there
are many ways to open/launch a document in Windows. I tried various methods
with these results:

"start something.rew" from command prompt - NO
Double-click on "something.rew" in Windows Explorer - YES
Use "Start/Run/Browse" to locate the document and click OK - NO
E-mail myself "something.rew" as an e-mail attachment and Open it - NO

Where:
NO means that the "Open with..." dialog is popped up just as in case of any
unknown file
YES means that the document is opened in Word just as the original DOC file
(i.e. security problem as indicated in the original post).

Since the only way to exploit this seems to doubleclick on the application
in Explorer, it limits the scope of this and is questionable whether we can
call this "serious". As shown above, it DOES NOT work with e-mail
attachments, at least in my case.

I am using Windows 2000 Professional SR-1 and Office 2000 with most of the
recent security patches (including all sorts of patches for Outlook)
installed.

Regards,
Jaanus Kase
Privador AS
http://www.privador.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]