Full Disclosure mailing list archives

Defense in depth -- the Microsoft way (part 91): yet another 30 year old bug of the "Properties" shell extension

From: Stefan Kanthak via Fulldisclosure <fulldisclosure () seclists org>
Date: Sun, 3 Aug 2025 19:47:08 +0200

Hi @ll,

this extends the previous post titled Defense in depth -- the
Microsoft way (part 90): "Digital Signature" property sheet
missing without "Read Extended Attributes" access permission
<https://seclists.org/fulldisclosure/2025/Jul/39>, to document
another facette of this 30 year old bug in the "Properties" shell
extension.

About 35 years ago Microsoft began to implement their "New Technology
File System" (NTFS) for their upcoming Windows NT operating system.
NTFS supports the extended attributes of the HPFS file system which
Microsoft and IBM had developed for their OS/2 operating system before.
NTFS' initial version, released with Windows NT 3.1 in 1993, had no
access control and did not support named (alternate) data streams;
both were added for Windows NT 3.5, released one year later, with
separate access permissions for reading or writing data streams,
attributes and extended attributes
(<https://msdn.microsoft.com/en-us/library/aa364404.aspx> and
<https://technet.microsoft.com/en-us/library/cc783530.aspx>).

Internet Explorer 4.0, introduced about 30 years ago, began to add
the "mark of the web" to files downloaded from the Internet -- an
alternate data stream named "Zone.Identifier"
(<https://msdn.microsoft.com/en-us/library/ms537628.aspx>).

At the same time Microsoft replaced the file manager as well as the
program manager shipped with their Windows operating systems by
"Windows Explorer", the graphical shell of Windows since then.

For files with a "mark of the web", its "Properties" shell extension
is supposed to show the message

| Security    This file came from another            [ Unblock ]
|             computer and might be blocked to               ¯
|             help protect this computer.

on its "General" property sheet, including the button [Unblock] to
remove the "mark of the web".

This message is but not displayed if the "Read Extended Attributes"
permission is not granted, despite that it is NOT required to read
the files' data streams!

stay tuned, and far away from bug-riddled software
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

Defense in depth -- the Microsoft way (part 91): yet another 30 year old bug of the "Properties" shell extension Stefan Kanthak via Fulldisclosure (Aug 04)