BugTraq: Subject: Serious Microsoft File Association Bug Date: Thu Aug 31 2000 09:03:43 Author: < jandrews@sqa-external.dttus.com > Message-ID: <200008311403.JAA14798@sqa-external.dttus.com> Background: While working on a virus issue that we have come across, we have discovered a serious issue with Microsoft's association of file types. Normally, when you open a file of an unknown type, it will prompt you for an application to use to open the file. This does not prove true for Microsoft Office documents. If you rename an Office document to an unknown extension, Windows will still use the Office application to open the file. It seems that Windows uses the header information contained in a file to determine if it is an Office document before offering a list of applications. Potential Risk: Someone with malicious intent could create a macro virus embedded in an Office document, then rename the file with a .VIR extension. Since most anti-virus software have an exclusion of .VI* this file would never be scanned by Norton. If a user opens the file, Windows will detect that this .VIR file has MS Office header information and open it in the cooresponding application. Given the correct circumstances, this would infect the machine and replicate to other users. Systems Affected: These scenarios have been tested on the following systems: Windows NT 4 SP5 running Office 97 Windows 2000 running Office 2000 Windows 2000 SP1 running Office 2000 Windows 98 SE running Office 97 I have not tested all variations, but you can draw your own conclusions as to the extent of the problem. Potential Solutions: In the case of virus defense, make sure that your anti-virus software does NOT include .VI* in its exclusion list. This is a short-term solution until a fix can be created. Jonathan Andrews, CISSP Network Security Group Deloitte & Touche joandrews@dttus.com **Please Note*** The opinions expressed above are my own and have no relation to those of Deloitte & Touche. No warranties, expressed or implied, are given about the solutions provided. ------------------------------------------------------------------------------------------------------------------------------------------------------------------- Help Net Security: Warning: File association bug via web site Posted on 2.9.2000 Fault: A malicious website could run arbitrary code on a Windows computer with MS office providing the office security setting is set to "low" or the user accepts MS Offices' warning dialog. This happens without the user seeing MS office at all. If the same html file is clicked once while in Windows Explorer with "web page view" set to "on". Then while generating a preview the same situation can occur. If the office file is renamed to a ".zip" file and if a user chooses "run from location" in the download dialog box the same situation can occur. details: By creating a MS Excel file and renaming it to an unknown extension with the following code: Private Sub Workbook_Activate() MsgBox ("Hello world") End Sub and then linking to this as an invisible frame in a html file the code can be run without the user seeing any Office windows if the security setting is "low" and just the virus warning dialog if "medium" (default). Systems tested: Windows 95 / Office 97 / IE 5 Windows 98 / Office 2k / IE 5.5 IE 5.5 differs from 5.0. 5.0 will accept office files renamed as ".jpg" and ".gif" but 5.5 would not accept these.