Georgi Guninski security advisory #42, 2001 - By double clicking from Window Explorer or Internet Explorer on filenames with innocent extensions the user may be tricked to execute arbitrary programs. If the file extension has a certain CLSID, then Windows explorer and IE do not show the CLSID and only the harmless looking extension. Demonstration available here.
4343d6e471cf14bde5baebc0d0bf30f0bf01a8f1220ae414f85aef130a942a42
guninski@guninski.com Georgi Guninski security advisory #42, 2001
Double clicking on innocent looking files may be dangerous
Systems affected:
Windows Explorer, Internet Explorer - Windows 98, 2000 - when browsing directories or shares
Risk: High
Date: 16 April 2001
Legal Notice:
This Advisory is Copyright (c) 2001 Georgi Guninski. You may distribute it unmodified.
You may not modify it and distribute it or distribute parts of it without the author's
written permission.
Disclaimer:
The information in this advisory is believed to be true based on experiments though it may be
false.
The opinions expressed in this advisory and program are my own and not of any company.
The usual standard disclaimer applies, especially the fact that Georgi Guninski
is not liable for any damages caused by direct or indirect use of the information
or functionality provided by this advisory or program.
Georgi Guninski bears no responsibility for content or misuse of this advisory or program or
any derivatives thereof.
Description:
By double clicking from Window Explorer or Internet Explorer on filenames with innocent
extensions the user may be tricked to execute arbitrary programs.
Details:
If the file extension is certain CLSID e.g.:
testhta.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}
then Windows explorer and IE do not show the CLSID and only the .txt extension,
while the above file is in fact .hta file.
Some exploit scenarios include leaving such malicous files on shared resources or
sending them in archive by email.
Workaround: Do not doubleclick from Windows Explorer or Internet Explorer
Demonstration:
http://www.guninski.com/testhta1.zip
Vendor status:
Microsoft was informed on 11 April 2001
Regards,
Georgi Guninski
http://www.guninski.com