Bugtraq mailing list archives

Re: Serious Microsoft File Association Bug


From: Jaanus Kase <j.kase () PRIVADOR COM>
Date: Fri, 1 Sep 2000 12:12:16 +0200

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of
jandrews () SQA-EXTERNAL DTTUS COM
Sent: 01. jaanuar 1601. A. 2:00
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Serious Microsoft File Association Bug

does not prove true for Microsoft Office documents.  If you
rename an Office document to an unknown extension, Windows will
still use the Office application to open the file.  It seems that
Windows uses the header information contained in a file to
determine if it is an Office document before offering a list of
applications.

I cannot fully confirm this. Interestingly enough, this seems to depend on how
the document is opened. I decided to look into the matter and here's what I
came up with. I took a legitimate Word document file "something.doc" and
renamed it to "something.rew" (random unknown extension). As we know, there
are many ways to open/launch a document in Windows. I tried various methods
with these results:

"start something.rew" from command prompt - NO
Double-click on "something.rew" in Windows Explorer - YES
Use "Start/Run/Browse" to locate the document and click OK - NO
E-mail myself "something.rew" as an e-mail attachment and Open it - NO

Where:
NO means that the "Open with..." dialog is popped up just as in the case of any
unknown file
YES means that the document is opened in Word just as the original DOC file
(i.e. security problem as indicated in the original post).

Since the only way to exploit this seems to be to double-click on the application
in Explorer, it limits the scope of this and it is questionable whether we can
call this "serious". As shown above, it DOES NOT work with e-mail
attachments, at least in my case.

I am using Windows 2000 Professional SR-1 and Office 2000 with most of the
recent security patches (including all sorts of patches for Outlook)
installed.

Regards,
Jaanus Kase
Privador AS
http://www.privador.com/
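
Added example, not part of the original post: a defender-side scan for the case tested above, files whose content is an Office document but whose extension is not an Office one (such as "something.rew"). It assumes the "header information" in question is the OLE2 compound-file signature that Office 97-2003 formats carry; the function names, the extension list and the sample files are constructed for illustration.

```python
import os
import struct
import tempfile

# OLE2 / Compound File Binary signature used by Office 97-2003 documents.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
OFFICE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pps", ".pot"}  # assumed list


def is_ole2(header: bytes) -> bool:
    """Validate the fixed fields of a compound-file header, not just the magic."""
    if len(header) < 32 or header[:8] != OLE2_MAGIC:
        return False
    major, byte_order, sector_shift = struct.unpack_from("<HHH", header, 26)
    # Byte-order mark is always 0xFFFE; v3 uses 512-byte sectors, v4 uses 4096.
    return byte_order == 0xFFFE and (major, sector_shift) in {(3, 9), (4, 12)}


def find_disguised(root: str) -> list[str]:
    """Return paths whose content is OLE2 but whose extension is not an Office one."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(32)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            ext = os.path.splitext(name)[1].lower()
            if is_ole2(header) and ext not in OFFICE_EXTS:
                hits.append(path)
    return sorted(hits)


def demo() -> list[str]:
    """Scan constructed samples; 'ole' is magic, CLSID, minor, major 3, BOM, shift 9."""
    ole = OLE2_MAGIC + bytes(16) + struct.pack("<HHHH", 0x3E, 3, 0xFFFE, 9)
    with tempfile.TemporaryDirectory() as d:
        samples = {"something.doc": ole, "something.rew": ole,
                   "notes.rew": b"plain text", "fake.rew": OLE2_MAGIC + bytes(40)}
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data + bytes(64))
        return [os.path.basename(p) for p in find_disguised(d)]


if __name__ == "__main__":
    print(demo())
```

Only the renamed document is reported; the correctly named .doc, the plain-text file and the file with a bare signature but invalid header fields are not.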

