Bugtraq mailing list archives
Warning: File association bug via web site
From: SteveC <steve () FRACTALUS COM>
Date: Thu, 31 Aug 2000 18:11:31 -0400
Background: while working on the previous bug submitted: http://www.securityfocus.com/archive/1/79603 Fault: A malicious website could run arbitrary code on a Windows computer with MS office providing the office security setting is set to "low" or the user accepts MS Offices' warning dialog. This happens without the user seeing MS office at all. If the same html file is clicked once while in Windows Explorer with "web page view" set to "on". Then while generating a preview the same situation can occur. If the office file is renamed to a ".zip" file and if a user chooses "run from location" in the download dialog box the same situation can occur. details: By creating a MS Excel file and renaming it to an unknown extension with the following code: Private Sub Workbook_Activate() MsgBox ("Hello world") End Sub and then linking to this as an invisible frame in a html file the code can be run without the user seeing any Office windows if the security setting is "low" and just the virus warning dialog if "medium" (default). Systems tested: Windows 95 / Office 97 / IE 5 Windows 98 / Office 2k / IE 5.5 IE 5.5 differs from 5.0. 5.0 will accept office files renamed as ".jpg" and ".gif" but 5.5 would not accept these. pub 1024D/A9D75E73 2000-05-30 Stephen Coast (SteveC) <steve () fractalus com> [expires:2001-05-30] www.fractalus.com/fracsaver/ <stevecoast () hushmail com>
Current thread:
- Warning: File association bug via web site SteveC (Sep 01)