Educause Security Discussion mailing list archives
Anyone seeing CLSID files being mailed
From: Gary Dobbins <dobbins () ND EDU>
Date: Wed, 24 Mar 2004 09:27:54 -0500
In the context of renaming 'dangerous' filename extensions in central email (to reduce viral propagation), we're curious if anyone's yet seeing 'CLSID' files? Such a file is 'magic' to Windows Explorer merely by virtue of its name, and so can trigger explorer to run a program w/o user doing anything beyond letting explorer list the file in a folder.

Here's a benign example: Create any file, even an empty one, and then rename it to:

an-example-name.{2227A280-3AEA-1069-A2DE-08002B30309D}

When viewed in Explorer (filespace explorer, not IE), it should look just like your "Printers and Faxes" folder. Had its name been related to the CLSID of a more abusable program (e.g. cmd.exe), much more is possible.

--
Gary Dobbins, CISSP -- dobbins () nd edu
Director, Information Security
University of Notre Dame, Office of Information Technologies
Voice: 574.631.5554

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
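A gateway-side check for the naming trick described in the message above, as an added example that is not part of the original post: it flags attachment names whose final extension is a brace-wrapped CLSID and renames them. The function names, the `.renamed` suffix and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string, policy

# Final extension of the form .{8-4-4-4-12 hex digits}, as in the post's example name.
CLSID_EXT = re.compile(r"\.\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}$")

def clsid_of(filename):
    """Return the CLSID if the name ends in .{CLSID}, else None."""
    # Windows drops trailing dots and spaces from names, so ignore them here too.
    m = CLSID_EXT.search((filename or "").rstrip(". "))
    return m.group(1).upper() if m else None

def neutralize(filename):
    # Assumed policy: drop the braces and append a suffix so the CLSID is no longer the extension.
    return CLSID_EXT.sub(r".\1", filename.rstrip(". ")) + ".renamed"

def rename_clsid_attachments(msg):
    """Rename flagged parts in place; return [(old_name, new_name), ...]."""
    changed = []
    for part in msg.walk():
        old = part.get_filename()
        if not clsid_of(old):
            continue
        new = neutralize(old)
        disp = part.get_content_disposition() or "attachment"
        del part["Content-Disposition"]
        part.add_header("Content-Disposition", disp, filename=new)
        if part.get_param("name"):  # legacy name= parameter on Content-Type
            part.set_param("name", new)
        changed.append((old, new))
    return changed

# Constructed sample message (not real mail); the CLSID is the benign one from the post.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: application/octet-stream; name="an-example-name.{2227A280-3AEA-1069-A2DE-08002B30309D}"
Content-Disposition: attachment; filename="an-example-name.{2227A280-3AEA-1069-A2DE-08002B30309D}"

x
--B
Content-Disposition: attachment; filename="notes.txt"

hello
--B--
"""

def demo():
    return rename_clsid_attachments(message_from_string(SAMPLE, policy=policy.default))
```

A name with the CLSID in the middle, such as `report.{...}.txt`, is deliberately not flagged, since only the final extension is matched.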