From: Michael R. Batchelor [mailto:michaelb () IND-INFO COM]
Sent: Thursday, August 31, 2000 7:57 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: Serious Microsoft File Association Bug
Normally, when you open a file of an unknown type, it will
prompt you for an application to use to open the file.
This does not prove true for Microsoft Office documents.
If you rename an Office document to an unknown extension,
Windows will still use the Office application to open the file.
Someone with malicious intent could create a macro virus
embedded in an Office document, then rename the file with
a .VIR extension. Since most anti-virus software have an
exclusion of .VI* this file would never be scanned by Norton.
I was able to duplicate this on NT 4.0 SP4, Office 97 SR-2,
NAV 5.0 definitions 7/17/00 and another system W98 4.10.2222A,
Word 2000 9.0.2720, NAV 4.0 definitions 7/17/00 so long as
the extension was *NOT* .vir.
It worked with .viq and .via, but .vir is recognized as
a Norton extension and prompts for a program to open it.
Still, the ordinary exclusion is .vi?, so the macro would