[21959] in bugtraq


Re: TXT or HTML -- IE NEW BUG: not that new, but...

daemon@ATHENA.MIT.EDU (eric@CoLi.Uni-SB.DE)
Sat Jul 28 22:29:52 2001

Date: Sat, 28 Jul 2001 07:25:41 +0200 (MET DST)
Message-Id: <200107280525.HAA01293@head.coli.uni-sb.de>
From: eric@CoLi.Uni-SB.DE
To: cr4zybird@hotmail.com
Cc: bugtraq@securityfocus.com

Hi, I believe this has been discussed months ago (opening files from
the web using magic content instead of mime type and extension or
something), could anybody dig up the thread?

I think this was about some MSIE or Outlook module, and of course,
it was intended to be a feature ;-)

But C Bird is right, we might be underestimating the threat, consider
recent revival of ".." and c:\con\con issues, worms exploiting that and
weak (unpatched, only 1 char relevant) network neighbourhood passwords,
and lots of other "classic" bugs. I guess most users have not patched
any of them, not even stuff like Outlook file name overflows and similar.

Looking at Sircam and the like fooling lots of users with file.jpg.exe
due to the default never show ext behaviour, the MSIE automanic (hu?
Did anybody say automatic?) file type detection "re-exploited" by C Bird
is yet another bad move in trying to add ease of use while in fact
adding security holes.

A similar problem occurs with Word and other Office applications, as
described WAY back in spring 2000:

> Date:         Wed, 8 Mar 2000 10:50:54 +0100
> From: Eric Chien <ecchien@YAHOO.COM>
> Subject:      Re: NAI/McAfee Viruscan Engine does not scan .VBS files by
> default
...
> While this is a good timely reminder, this is nothing new and only
> addresses a small point of the overall problem.  One should always scan ALL
> files.  This is more because of Microsoft Word documents (Excel, etc. too)
> which can have ANY extension and automagically spawn Word instead of
> prompting you with a 'open this with?' dialog.  (The technical fine detail
> is this is the case if the extension is not already associated with some
> other program).
...

Cheers, Eric Auer
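The post's complaint is that a file's real type (HTML content in a .txt, a Word OLE document under any extension, file.jpg.exe with hidden extensions) is decided by content sniffing rather than by what the name claims. The following defender-side check, an added example that is not part of the bugtraq thread, inspects the leading bytes of a file and reports mismatches between the sniffed type and the extension, plus double extensions; the magic-byte table and expected-type map are assumptions chosen for the example.

```python
# Added example (not from the bugtraq post): flag files whose content "magic"
# disagrees with their extension, the mismatch the post describes (HTML served
# as .txt, Word/OLE documents under arbitrary extensions, file.jpg.exe).
import os

# Assumed signature table: first bytes of a few common formats.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-compound"),  # .doc/.xls
    (b"%PDF-", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
]

# Assumed mapping from extension to the type it claims to be.
EXPECTED = {
    ".exe": "pe-executable", ".doc": "ole2-compound", ".xls": "ole2-compound",
    ".pdf": "pdf", ".jpg": "jpeg", ".txt": "text", ".html": "html", ".htm": "html",
}


def sniff(head: bytes) -> str:
    """Classify a file by its leading bytes, the way a content sniffer would."""
    for sig, kind in MAGIC:
        if head.startswith(sig):
            return kind
    lowered = head.lstrip().lower()
    if (lowered.startswith(b"<html") or lowered.startswith(b"<!doctype html")
            or b"<script" in lowered):
        return "html"
    return "text"


def findings(name: str, head: bytes) -> list:
    """Return a list of human-readable findings for one file name + its first bytes."""
    out = []
    base, ext = os.path.splitext(name)
    ext = ext.lower()
    # Double extension such as file.jpg.exe: the inner extension is what a
    # "hide extensions" shell shows, the outer one is what actually runs.
    inner = os.path.splitext(base)[1].lower()
    if ext == ".exe" and inner in EXPECTED and inner != ".exe":
        out.append(f"double extension {inner}{ext}")
    kind = sniff(head)
    expected = EXPECTED.get(ext)
    if expected is not None and expected != kind:
        out.append(f"content is {kind}, extension {ext} implies {expected}")
    return out


if __name__ == "__main__":
    # Constructed samples, not real files.
    for n, h in [("readme.txt", b"<HTML><SCRIPT>"), ("photo.jpg.exe", b"MZ\x90")]:
        print(n, findings(n, h))
```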

