Bugtraq mailing list archives

Re: Serious Microsoft File Association Bug


From: Attonbitus Deus <thor () hammerofgod com>
Date: Thu, 31 Aug 2000 13:28:36 -0700

I agree that it is a bad practice.
And please don't take my response as a belittlement of your find; I just
disagree that this issue should be considered as 'serious', even given the
corporate model you outline.

I am not saying that it should be discarded- I am just suggesting that it be
filed more appropriately. In fact, this type of behavior was noticed during
the interim fix MS released regarding the IE/Access Object tag vuln.  A
simple removal of the file association for .mdb/.mde files (as well as
.adp/.ade files) would break the auto-execute association, but not the
launch capabilities via the tag due to the ActiveX control's classid
registration.  We thought it was potentially dangerous then, but decided
that standard procedures would obviate the need for patching.  I think the
same holds true for this issue.

I'll CC the group on this, as I am interested in the community's view.
(List- pardon the long message quote- it is needed for content)

If you are getting 4 million messages per month through that guy, then you
must have a huge internal net.  Counting on each and every one of your
(hundred thousand?) users to do the right thing is dangerous.  That kind of
traffic should REQUIRE gateway scanning, not make it unfeasible.

----------------------------------------------------------------
Attonbitus Deus
thor () hammerofgod com


----- Original Message -----
From: Andrews, Jonathan (US - Hermitage)
To: 'Attonbitus Deus'
Sent: Thursday, August 31, 2000 12:55 PM
Subject: RE: Serious Microsoft File Association Bug


Not to belabor the point...  But I do want to respond to your comments.
1)  Yes, if you have Norton scanning your email it will pick up the virus,
but in a corporate scenario, Anti-Virus policies are not dictated by the
individual, but by the company or firm.  Same goes for the gateway scanning
software.  If you receive well over four million messages per month,
scanning every incoming email and attachment is not a feasible solution and
you therefore have to rely on desktop security.
2)  Correct.  It will not launch from Outlook.
3)  Again, I am speaking from a large corporation standpoint.  Macros
provide functionality.
4)  Mmmm...  If only they allowed us to shoot people.  Anyway, having it be
a .VI* file would bypass the default settings on most AV software as they
have .VI* in their exclusions list.
5)  It may be a designed feature, but it is STILL a Microsoft issue in my
opinion.  If you do not have an association with a specific filetype, you
should not automatically open it with Microsoft Word (Office).  If nothing
else, it's bad practice.
6)  Yes, given the majority of the audience that reads Bugtraq, it would be
common knowledge to have certain options turned on or off...  but, this is a
more generic problem that in a large corporate situation, something will
have to be done about it.  Unfortunately, we do not have the luxury of being
the end-all-be-all of what is done on our network.  Large corporations and
firms have to compromise to accommodate users and functionality that are
driven by the business needs.
So, for most security professionals, yes, this is probably a no-brainer
since common sense drives our actions.  Although, there are times when this
is not the action that your employer will take with you, yet you are still
responsible for the security of the network.
Thanks,


Jonathan Andrews, CISSP
Network Security Group
Deloitte & Touche



-----Original Message-----
From: Attonbitus Deus [mailto:thor () hammerofgod com]
Sent: Thursday, August 31, 2000 1:44 PM
To: Joandrews
Subject: Re: Serious Microsoft File Association Bug


The classification of this should be downgraded from "serious" to "medium"
for a number of reasons:
1) First, within the context of the AV software, and specifically Norton as
mentioned, one should note that the EMail protect feature will scan ALL
incoming attached documents regardless of extensions or exclusions (as they
are still in mime at that point and not actual 'files').  Macro viruses and
others will still be immediately flagged.  This is also true of gateway mail
scanning products.
2) The file will not launch from Outlook, even if the user tries to 'Open'
it from the console.  The file would first have to be saved to the hard
drive, and then executed.
3) Even then, the user would have to have macros enabled. (Note this
behavior does not exist with Access given current sp's and patches).
4) Socially, you may as well just send them a Word document, given the
above. A user will open a word doc sooner than they will open an unknown
file (which, if they do, they should be shot, fired from their job, and shot
again.)  If it is a custom macro, the virus software probably wouldn't pick
it up anyway unless they used a variant of known macro v's.
5) This is actually designed behavior for signed and registered ActiveX
controls called by class id.  Let's not turn it into a Microsoft issue.
6) Given the (intended) target audience of this list, one would have to
assume that security professionals would have some sort of gateway or mail
server based content filtering app.  Given this, the proper configuration of
said app should only let specific documents in (not keep specific documents
out).
While this behavior is noteworthy, it should hardly be classified as a
serious bug.  For this to be exploited, many standard security practices
must be absent, and even then, it comes down to user policy, not system
security.
----------------------------------------------------------------
Attonbitus Deus
thor () hammerofgod com



----- Original Message -----
From: <jandrews () SQA-EXTERNAL DTTUS COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Thursday, August 31, 2000 10:19 AM
Subject: Serious Microsoft File Association Bug


Background:

While working on a virus issue that we have come across, we have
discovered a serious issue with Microsoft's association of file types.
Normally, when you open a file of an unknown type, it will prompt you for an
application to use to open the file.  This does not prove true for Microsoft
Office documents.  If you rename an Office document to an unknown extension,
Windows will still use the Office application to open the file.  It seems
that Windows uses the header information contained in a file to determine if
it is an Office document before offering a list of applications.


Potential Risk:

Someone with malicious intent could create a macro virus embedded in an
Office document, then rename the file with a .VIR extension.  Since most
anti-virus software has an exclusion of .VI* this file would never be
scanned by Norton.  If a user opens the file, Windows will detect that this
.VIR file has MS Office header information and open it in the corresponding
application.  Given the correct circumstances, this would infect the machine
and replicate to other users.


Systems Affected:

These scenarios have been tested on the following systems:
Windows NT 4 SP5 running Office 97
Windows 2000 running Office 2000
Windows 2000 SP1 running Office 2000
Windows 98 SE running Office 97

I have not tested all variations, but you can draw your own conclusions as
to the extent of the problem.


Potential Solutions:

In the case of virus defense, make sure that your anti-virus software does
NOT include .VI* in its exclusion list.  This is a short-term solution until
a fix can be created.



Jonathan Andrews, CISSP
Network Security Group
Deloitte & Touche
joandrews () dttus com



***Please Note***
The opinions expressed above are my own and have no relation
to those of Deloitte & Touche.  No warranties, expressed or implied,
are given about the solutions provided.

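The thread turns on one technical fact: Windows (and the Office shell handlers) identify an Office document by the bytes at the start of the file, while extension-based anti-virus exclusions such as .VI* skip it by name. The defensive counterpart is a gateway or desktop filter that classifies attachments by content and then checks that the content agrees with the extension, which is also what the "only let specific documents in" policy above needs in practice. The following is an added illustration, not code from the original posts or from any product mentioned in them. The OLE2 compound-document signature (D0 CF 11 E0 A1 B1 1A E1, used by Office 97/2000 .doc/.xls/.ppt), the ZIP, PDF and MZ signatures, and the allowlist are standard values; the ZIP/PDF/PE cases generalize beyond the 2000-era thread; the sample attachments are constructed and only their leading bytes matter.

```python
"""Content-based attachment classification, independent of file extension.

Added example (not from the Bugtraq thread). Mirrors the advisory's scenario:
an Office document renamed to .VIR is still an Office document by header, so a
filter that trusts extensions (or excludes by extension) misses it.
"""
from dataclasses import dataclass

# Standard file signatures (assumption: first bytes of the file are available).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Office 97/2000 compound document
ZIP_MAGIC = b"PK\x03\x04"                        # ZIP container (later OOXML .docx/.xlsx)
PDF_MAGIC = b"%PDF"
MZ_MAGIC = b"MZ"                                 # Windows executable

# Policy: which content types are acceptable under which extensions.
# Anything not listed is quarantined ("let specific documents in").
ALLOWED = {
    "doc": {"ole2"}, "xls": {"ole2"}, "ppt": {"ole2"},
    "txt": {"text"}, "pdf": {"pdf"},
}
OFFICE_EXTENSIONS = {"doc", "xls", "ppt", "docx", "xlsx", "pptx"}


def sniff_content(data: bytes) -> str:
    """Classify a file by its leading bytes, never by its name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(MZ_MAGIC):
        return "pe"
    if data and all(b in b"\t\r\n" or 0x20 <= b < 0x7F for b in data):
        return "text"
    return "unknown"


def extension_of(name: str) -> str:
    """Lower-cased final extension, or '' when there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


@dataclass
class Verdict:
    name: str
    extension: str
    content: str
    verdict: str   # "allow" or "quarantine"
    reason: str


def classify_attachment(name: str, data: bytes) -> Verdict:
    """Decide on one attachment from its content and its claimed extension."""
    ext = extension_of(name)
    content = sniff_content(data)
    # The exact case from the advisory: Office content hiding under a
    # non-Office extension that extension-based scanners may skip.
    if content in ("ole2", "zip") and ext not in OFFICE_EXTENSIONS:
        return Verdict(name, ext, content, "quarantine",
                       f"Office-style {content} content under non-Office extension .{ext or '-'}")
    if ext not in ALLOWED:
        return Verdict(name, ext, content, "quarantine",
                       f"extension .{ext or '-'} is not on the allowlist")
    if content not in ALLOWED[ext]:
        return Verdict(name, ext, content, "quarantine",
                       f"{content} content does not match .{ext}")
    return Verdict(name, ext, content, "allow", "content matches extension")


# Constructed sample attachments; only the header bytes are meaningful.
SAMPLE_ATTACHMENTS = {
    "report.doc": OLE2_MAGIC + b"\x00" * 24,      # genuine Word 97 document
    "invoice.vir": OLE2_MAGIC + b"\x00" * 24,     # the advisory's renamed document
    "readme.txt": b"Quarterly notes\r\n",         # harmless text
    "update.doc": b"MZ\x90\x00" + b"\x00" * 20,   # executable wearing a .doc name
}


def scan_all(attachments=SAMPLE_ATTACHMENTS) -> dict:
    """Classify every attachment; returns name -> Verdict."""
    return {n: classify_attachment(n, d) for n, d in attachments.items()}


if __name__ == "__main__":
    for v in scan_all().values():
        print(f"{v.verdict:10} {v.name:12} ext=.{v.extension or '-':4} "
              f"content={v.content:7} {v.reason}")
```

Run as a script it prints one line per sample; `invoice.vir` and `update.doc` are quarantined, the two honest files are allowed. The check is deliberately two-sided: a document under a non-document extension is the case in the advisory, and an executable under a document extension is the mirror image that the same allowlist catches.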
