Microsoft .doc exploit
Julian Field
MailScanner at ecs.soton.ac.uk
Sat May 20 18:01:42 IST 2006
Jim Holland wrote:
> On Fri, 19 May 2006, Kevin Miller wrote:
>
>
>> May be premature to block .doc files, but SANS reports on a zero day
>> rootkit carried in a word doc.
>> http://www.incidents.org/diary.php?storyid=1345 It's in the wild but
>> was a targeted attack.
>>
>> Apparently no AV signatures yet. One to watch.
>>
>> Boy it's good to have a system that can block such things with a couple
>> lines and 30 seconds of time! In the past couple of weeks I've had two
>> different venders try to sell me their proprietary systems. They're
>> wasting their time. MailScanner rocks!
>>
>
> Note that you would need to block this by file type (eg Microsoft Office
> Document) not extension:
>
> In most cases, Windows will call Word to open a document even if
> the document has an unknown file extension. For example, if
> document.d0c (note the digit "0") contains the correct file header
> information, Windows will open document.d0c with Word.
>
Yes, this is a real pain. Everyone thinks that Windows works on filename
extenstions to determine filetypes. This is *mostly* true, but not
*totally* true. In a few cases, it uses the file contents as well. So
for a random filename and file content, you actually cannot say for
definite what will happen when a user tries to "run" a file. As far as I
am aware, Microsoft do not document the circumstances in which they use
the file's content and not its name.
Unix is easy, it uses the file contents apart from a few braindead apps
that aren't part of the operating system or major applications. Windows
unfortunately is totally unclear on this issue. Everyone thinks it works
one way, and they're wrong :-(
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
MailScanner thanks transtec Computers for their support.
More information about the MailScanner
mailing list