[16487] in bugtraq
Re: Serious Microsoft File Association Bug
daemon@ATHENA.MIT.EDU (Michael R. Batchelor)
Fri Sep 1 16:10:11 2000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-ID: <003601c013a7$34302310$1400a8c0@i3_portable_1.100_aker_wood>
Date: Thu, 31 Aug 2000 19:57:19 -0400
Reply-To: "Michael R. Batchelor" <michaelb@ind-info.com>
From: "Michael R. Batchelor" <michaelb@ind-info.com>
X-To: joandrews@dttus.com
To: BUGTRAQ@SECURITYFOCUS.COM

>Normally, when you open a file of an unknown type, it will
>prompt you for an application to use to open the file.
>This does not prove true for Microsoft Office documents.
>If you rename an Office document to an unknown extension,
>Windows will still use the Office application to open the file.
[...]
>Someone with malicious intent could create a macro virus
>embedded in an Office document, then rename the file with
>a .VIR extension. Since most anti-virus software has an
>exclusion of .VI* this file would never be scanned by Norton.

I was able to duplicate this on NT 4.0 SP4, Office 97 SR-2,
NAV 5.0 definitions 7/17/00 and another system W98 4.10.2222A,
Word 2000 9.0.2720, NAV 4.0 definitions 7/17/00 so long as
the extension was *NOT* .vir.
It worked with .viq and .via, but .vir is recognized as
a Norton extension and prompts for a program to open it.
Still, the ordinary exclusion is .vi?, so the macro would
have executed.
MB
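
Added example, not part of the original message: a defensive sweep that identifies Office documents by content instead of by name, and reports any that an extension-based scan exclusion such as the `.vi?` pattern discussed above would skip. The function names, the exclusion list and the sample files are assumptions constructed for illustration; the check relies only on the OLE2 compound-file signature used by Office 97/2000 documents.

```python
import fnmatch
import os

# Signature that starts every OLE2 compound file (the Office 97/2000 container).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# Constructed exclusion list modelled on the ".vi?" pattern named in the post.
EXCLUDED_PATTERNS = ["*.vi?"]


def is_ole2(path):
    """True if the file content begins with the OLE2 signature."""
    with open(path, "rb") as fh:
        return fh.read(len(OLE2_MAGIC)) == OLE2_MAGIC


def is_excluded(name, patterns=EXCLUDED_PATTERNS):
    """True if an extension-based exclusion would skip this file name."""
    lowered = name.lower()
    return any(fnmatch.fnmatchcase(lowered, p) for p in patterns)


def find_unscanned_documents(root, patterns=EXCLUDED_PATTERNS):
    """List files that are OLE2 by content but excluded from scanning by name."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if is_excluded(name, patterns) and is_ole2(path):
                    hits.append(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    return sorted(hits)


def build_sample_tree(root):
    """Write constructed sample files (no real documents or macros) under root."""
    samples = {
        "report.doc": OLE2_MAGIC + b"\x00" * 24,      # OLE2, normal extension
        "renamed.viq": OLE2_MAGIC + b"\x00" * 24,     # OLE2, excluded extension
        "other.VIA": OLE2_MAGIC + b"\x00" * 24,       # OLE2, excluded, upper case
        "quarantine.vir": b"constructed non-OLE2 content",
        "notes.txt": b"plain text",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
```

Any path returned by `find_unscanned_documents` is a candidate for removing the exclusion or for scanning by content type instead of extension.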