Re: [Exim] Fwd: Serious Microsoft File Association Bug

Author: Brian K. West
Date:  
To: Phil Pennock
CC: Exim Users
Subject: Re: [Exim] Fwd: Serious Microsoft File Association Bug
This is not an issue if you have a real virus scanner such as McAfee for
Linux. It looks at all files regardless of content or file extension. I
have also written a few perl scripts to keep my datfiles updated. I use
Amavis and uvscan for Linux in conjunction with exim to scan email. So
far it does great. So far we have stopped 419 viruses/worms from being
delivered to customers' mailboxes.

Later,
Brian



On Fri, 1 Sep 2000, Phil Pennock wrote:

> The system_filter tricky-regexp-based content-type filtering turns out
> to be useless, thanks to Microsoft. :^(
>
> Pick a random unused extension. ".FOO" perhaps. Rename MS Office
> document "wibble.doc" to "wibble.foo". Email it. Association mechanism
> doesn't have a mapping, but looks and sees that it's an MS Office
> document so starts Office anyway, and gives it the document.
>
> And who says that MS haven't abused their monopoly position to leverage
> preferential application support into their OS? To the distinct
> detriment of their customers.
>
> (Date: header is not when BugTraq moderation approved it - I received
> this yesterday evening)
> ----- Forwarded message from jandrews@??? -----
>
> From: jandrews@???
> Subject:      Serious Microsoft File Association Bug
> To: BUGTRAQ@???
> Date:         Tue, 31 Aug 0100 09:03:43 -0500
> Message-ID:  <200008311403.JAA14798@???>
> Reply-To: joandrews@???
> Approved-By: aleph1@???

>
> Background:
>
> While working on a virus issue that we have come across, we have discovered a serious issue with Microsoft's association of file types. Normally, when you open a file of an unknown type, it will prompt you for an application to use to open the file. This does not prove true for Microsoft Office documents. If you rename an Office document to an unknown extension, Windows will still use the Office application to open the file. It seems that Windows uses the header information contained in a file to determine if it is an Office document before offering a list of applications.
>
>
> Potential Risk:
>
> Someone with malicious intent could create a macro virus embedded in an Office document, then rename the file with a .VIR extension. Since most anti-virus software has an exclusion of .VI* this file would never be scanned by Norton. If a user opens the file, Windows will detect that this .VIR file has MS Office header information and open it in the corresponding application. Given the correct circumstances, this would infect the machine and replicate to other users.
>
>
> Systems Affected:
>
> These scenarios have been tested on the following systems:
>     Windows NT 4 SP5 running Office 97
>     Windows 2000 running Office 2000
>     Windows 2000 SP1 running Office 2000
>     Windows 98 SE running Office 97

>
> I have not tested all variations, but you can draw your own conclusions as to the extent of the problem.
>
>
> Potential Solutions:
>
> In the case of virus defense, make sure that your anti-virus software does NOT include .VI* in its exclusion list. This is a short-term solution until a fix can be created.
>
>
>
> Jonathan Andrews, CISSP
> Network Security Group
> Deloitte & Touche
> joandrews@???
>
>
>
> **Please Note***
> The opinions expressed above are my own and have no relation
> to those of Deloitte & Touche. No warranties, expressed or implied,
> are given about the solutions provided.
>
> ----- End forwarded message -----
>
>
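
An added example, not part of the original messages: a content-based check of the kind the thread points toward, which classifies mail attachments by the OLE2 compound-file signature at the start of the payload instead of by filename extension. The function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# OLE2 Compound File signature that starts Office 97/2000 binary documents.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Assumed list of extensions that honestly announce an Office document.
OFFICE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt", ".pps"}


def classify_attachments(raw_message: bytes):
    """Return [(filename, verdict)] for every leaf MIME part, judged by content."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""  # undo base64/QP encoding
        ext = os.path.splitext(name)[1].lower()
        if payload.startswith(OLE2_MAGIC):
            # Content says "Office"; the name decides whether it is disguised.
            verdict = "office" if ext in OFFICE_EXTS else "office-disguised"
        else:
            verdict = "other"
        results.append((name, verdict))
    return results


def build_sample() -> bytes:
    """Constructed message: the same OLE2-headed bytes under three names."""
    fake_doc = OLE2_MAGIC + b"\x00" * 504  # constructed stand-in, not a real document
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.org", "b@example.org", "test"
    msg.set_content("see attached")
    for name in ("wibble.doc", "wibble.foo", "wibble.vir"):
        msg.add_attachment(fake_doc, maintype="application",
                           subtype="octet-stream", filename=name)
    msg.add_attachment(b"hello\n", maintype="application",
                       subtype="octet-stream", filename="notes.vir")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in classify_attachments(build_sample()):
        print(f"{name:12} {verdict}")
```

A part marked `office-disguised` is the case described in the forwarded advisory: the extension has no Office association, but the content does, so it should go to the scanner or quarantine like any other Office document.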