[Esa-l] Re: Serious Microsoft File Association Bug (fwd)

John D. Hardin jhardin at wolfenet.com
Fri Sep 1 22:17:15 PDT 2000


Outlook and Explorer do indeed seem to use different methods to open
files. Mangling of Office document extensions is effective.

---------- Forwarded message ----------
Date: Fri, 1 Sep 2000 12:12:16 +0200
From: Jaanus Kase <j.kase at PRIVADOR.COM>
To: BUGTRAQ at SECURITYFOCUS.COM
Subject: Re: Serious Microsoft File Association Bug

> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ at SECURITYFOCUS.COM]On Behalf Of
> jandrews at SQA-EXTERNAL.DTTUS.COM
> Sent: 01. jaanuar 1601. A. 2:00
> To: BUGTRAQ at SECURITYFOCUS.COM
> Subject: Serious Microsoft File Association Bug
>
> does not prove true for Microsoft Office documents.  If you
> rename an Office document to an unknown extension, Windows will
> still use the Office application to open the file.  It seems that
> Windows uses the header information contained in a file to
> determine if it is an Office document before offering a list of
> applications.

I cannot fully confirm this. Interestingly enough, this seems to depend on how
the document is opened. I decided to look into the matter and here's what I
came up with. I took a legitimate Word document file "something.doc" and
renamed it to "something.rew" (random unknown extension). As we know, there
are many ways to open/launch a document in Windows. I tried various methods
with these results:

"start something.rew" from command prompt - NO
Double-click on "something.rew" in Windows Explorer - YES
Use "Start/Run/Browse" to locate the document and click OK - NO
E-mail myself "something.rew" as an e-mail attachment and Open it - NO

Where:
NO means that the "Open with..." dialog is popped up just as in the case of any
unknown file
YES means that the document is opened in Word just as the original DOC file
(i.e. security problem as indicated in the original post).

Since the only way to exploit this seems to be to double-click on the application
in Explorer, it limits the scope of this and it is questionable whether we can
call this "serious". As shown above, it DOES NOT work with e-mail
attachments, at least in my case.

I am using Windows 2000 Professional SR-1 and Office 2000 with most of the
recent security patches (including all sorts of patches for Outlook)
installed.

Regards,
Jaanus Kase
Privador AS
http://www.privador.com/
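
A content-based check a mail filter could apply to the renamed-attachment case tested above, as an added example that is not part of the original posts or of any sanitizer's code: it flags attachments whose bytes begin with an OLE2 compound file header while the filename extension is not an Office one. The extension list, function names and sample message are assumptions constructed for illustration.

```python
import os
import struct
from email import message_from_bytes
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file signature
OFFICE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pps"}  # assumed, not exhaustive

def is_ole2(data: bytes) -> bool:
    """True if data starts with a plausible OLE2 compound file header."""
    if len(data) < 32 or data[:8] != OLE2_MAGIC:
        return False
    # Offsets 26..31: major version, byte-order mark, sector shift (little-endian).
    major, byte_order, sector_shift = struct.unpack_from("<HHH", data, 26)
    return byte_order == 0xFFFE and (major, sector_shift) in {(3, 9), (4, 12)}

def disguised_office_attachments(raw: bytes) -> list:
    """Names of attachments with OLE2 content but a non-Office extension."""
    hits = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue  # multipart containers and unnamed body parts
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1].lower()
        if is_ole2(payload) and ext not in OFFICE_EXTS:
            hits.append(name)
    return hits

def sample_message() -> bytes:
    """Constructed test mail: header-only stand-in for a Word file, not a real document."""
    header = OLE2_MAGIC + bytes(16) + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6)
    fake_doc = header.ljust(512, b"\0")
    msg = EmailMessage()
    msg["Subject"] = "constructed test"
    msg.set_content("see attachments")
    for name, body in [("something.rew", fake_doc),
                       ("something.doc", fake_doc),
                       ("notes.rew", b"plain text, not OLE2")]:
        msg.add_attachment(body, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(disguised_office_attachments(sample_message()))
```

Only the renamed file is reported; the correctly named `.doc` and the non-OLE2 `.rew` file are left to whatever extension-based policy already applies.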





More information about the esd-l mailing list