
Full Disclosure mailing list archives
Defense in depth -- the Microsoft way (part 91): yet another 30 year old bug of the "Properties" shell extension
From: Stefan Kanthak via Fulldisclosure <fulldisclosure () seclists org>
Date: Sun, 3 Aug 2025 19:47:08 +0200
Hi @ll,

this extends the previous post titled Defense in depth -- the Microsoft way (part 90): "Digital Signature" property sheet missing without "Read Extended Attributes" access permission <https://seclists.org/fulldisclosure/2025/Jul/39>, to document another facet of this 30 year old bug in the "Properties" shell extension.

About 35 years ago Microsoft began to implement their "New Technology File System" (NTFS) for their upcoming Windows NT operating system. NTFS supports the extended attributes of the HPFS file system which Microsoft and IBM had developed for their OS/2 operating system before.

NTFS' initial version, released with Windows NT 3.1 in 1993, had no access control and did not support named (alternate) data streams; both were added for Windows NT 3.5, released one year later, with separate access permissions for reading or writing data streams, attributes and extended attributes (<https://msdn.microsoft.com/en-us/library/aa364404.aspx> and <https://technet.microsoft.com/en-us/library/cc783530.aspx>).

Internet Explorer 4.0, introduced about 30 years ago, began to add the "mark of the web" to files downloaded from the Internet -- an alternate data stream named "Zone.Identifier" (<https://msdn.microsoft.com/en-us/library/ms537628.aspx>).

At the same time Microsoft replaced the file manager as well as the program manager shipped with their Windows operating systems by "Windows Explorer", the graphical shell of Windows since then.

For files with a "mark of the web", its "Properties" shell extension is supposed to show the message

| Security       This file came from another      [ Unblock ]
|                computer and might be blocked to   ¯
|                help protect this computer.

on its "General" property sheet, including the button [Unblock] to remove the "mark of the web".

This message is however not displayed if the "Read Extended Attributes" permission is not granted, although it is NOT required to read the files' data streams!

stay tuned, and far away from bug-riddled software
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
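
An audit for the condition described in the post, as an added example that is not part of the original message: it lists files that carry a "Zone.Identifier" stream while an access control entry denies "Read Extended Attributes", so the "Properties" dialog cannot be relied on to show the mark of the web. The function name `Find-HiddenMotw` and its output fields are hypothetical, and it inspects Deny entries only rather than computing effective access.

```powershell
# Added example, not code from the original post.
# Assumption: only Deny ACEs (explicit or inherited) are inspected; effective
# access for a given user is not computed.
function Find-HiddenMotw {
    param(
        [Parameter(Mandatory)] [string] $Path   # directory to audit
    )
    $rea = [System.Security.AccessControl.FileSystemRights]::ReadExtendedAttributes

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_

        # The mark of the web is the alternate data stream "Zone.Identifier".
        $motw = Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' `
                         -ErrorAction SilentlyContinue
        if (-not $motw) { return }              # no mark of the web: next file

        try   { $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop }
        catch { return }                        # ACL not readable: next file

        # Deny ACEs whose rights mask includes "Read Extended Attributes".
        $deny = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            ($_.FileSystemRights -band $rea) -eq $rea
        })
        if ($deny.Count -eq 0) { return }

        # Read the zone number straight from the stream instead of the dialog.
        $zone = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' `
                            -ErrorAction SilentlyContinue |
                Select-String -Pattern '^ZoneId=(\d+)' | Select-Object -First 1

        [pscustomobject]@{
            File      = $file.FullName
            ZoneId    = if ($zone) { [int]$zone.Matches[0].Groups[1].Value } else { $null }
            DeniedFor = ($deny.IdentityReference.Value | Sort-Object -Unique) -join ', '
        }
    }
}

# Usage: Find-HiddenMotw -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```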