Full Disclosure mailing list archives

Defense in depth -- the Microsoft way (part 92): more stupid blunders of Windows' File Explorer

From: Stefan Kanthak via Fulldisclosure <fulldisclosure () seclists org>
Date: Fri, 29 Aug 2025 16:36:30 +0200

Hi @ll,

this extends the two previous posts titled Defense in depth --
the Microsoft way (part 90): "Digital Signature" property sheet
missing without "Read Extended Attributes" access permission
<https://seclists.org/fulldisclosure/2025/Jul/39> and Defense
in depth -- the Microsoft way (part 91): yet another 30 year
old bug of the "Properties" shell extension
<https://seclists.org/fulldisclosure/2025/Aug/2>

About 35 years ago Microsoft began to implement their "New Technology
File System" (NTFS) for their upcoming Windows NT operating system.
NTFS supports the extended attributes of the HPFS file system which
Microsoft and IBM had developed for their OS/2 operating system before.
NTFS' initial version, released with Windows NT 3.1 in 1993, had no
access control and did not support named (alternate) data streams;
both were added for Windows NT 3.5, released one year later, with
separate access permissions for reading or writing data streams,
attributes and extended attributes
(<https://msdn.microsoft.com/en-us/library/aa364404.aspx> and
<https://technet.microsoft.com/en-us/library/cc783530.aspx>).

About 30 years ago Microsoft replaced the file manager as well as
the program manager shipped with their Windows operating systems
by "Windows Explorer", the graphical shell of Windows since then.
"Windows Explorer" (later renamed to "File Explorer") supports
so-called shortcuts, files with .LNK file extension which carry
their payload in the (unnamed) primary data stream.

Blunder #1: for .LNK files, the "Properties" shell extension fails to
display the "Shortcuts", "Options", "Fonts", "Layout", "Colors" and
"Compatibility" property sheets, i.e. 6 out of the total 10 property
sheets, unless the "Read Extended Attributes" permission is granted,
despite this permission is NOT required to read the files' (unnamed)
primary data stream!

Blunder #2: for .LNK files, the context menu handler invoked with a
right mouse-click on the file, fails to display MULTIPLE context menu
entries, for example "Open" and "Open as Administrator", unless the
"Read Extended Attributes" permission is granted, despite this is NOT
required to read the files' (unnamed) primary data stream!

stay tuned, and far away from bug-riddled software oozing out of Redmond
Stefan Kanthak
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

Defense in depth -- the Microsoft way (part 92): more stupid blunders of Windows' File Explorer Stefan Kanthak via Fulldisclosure (Sep 08)