Microsoft .doc exploit

Julian Field MailScanner at ecs.soton.ac.uk
Sat May 20 18:01:42 IST 2006


Jim Holland wrote:
> On Fri, 19 May 2006, Kevin Miller wrote:
>
>> May be premature to block .doc files, but SANS reports on a zero day
>> rootkit carried in a word doc.
>> http://www.incidents.org/diary.php?storyid=1345  It's in the wild but
>> was a targeted attack.
>>
>> Apparently no AV signatures yet.  One to watch.
>>
>> Boy it's good to have a system that can block such things with a couple
>> lines and 30 seconds of time!  In the past couple of weeks I've had two
>> different vendors try to sell me their proprietary systems.  They're
>> wasting their time.  MailScanner rocks!
>
> Note that you would need to block this by file type (eg Microsoft Office
> Document) not extension:
>
>     In most cases, Windows will call Word to open a document even if
>     the document has an unknown file extension. For example, if
>     document.d0c (note the digit "0") contains the correct file header
>     information, Windows will open document.d0c with Word.
Yes, this is a real pain. Everyone thinks that Windows works on filename
extensions to determine filetypes. This is *mostly* true, but not
*totally* true. In a few cases, it uses the file contents as well. So
for a random filename and file content, you actually cannot say for
definite what will happen when a user tries to "run" a file. As far as I
am aware, Microsoft do not document the circumstances in which they use
the file's content and not its name.

Unix is easy, it uses the file contents apart from a few braindead apps
that aren't part of the operating system or major applications. Windows
unfortunately is totally unclear on this issue. Everyone thinks it works
one way, and they're wrong :-(

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
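The point made above, that a mail gateway must key its block on the file's content rather than its extension, can be shown with a small content check. This is an added example, not MailScanner's own filetype code: it recognises an OLE2 / Compound File Binary container (the format of Word 97-2003 .doc files) from its header, and compares an extension-keyed rule with a content-keyed one on constructed samples such as the `document.d0c` case from the quoted advisory.

```python
import os
import struct

# Signature of an OLE2 / Compound File Binary container (legacy .doc, .xls, .ppt).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Hypothetical gateway rule: extensions an extension-based policy would block.
BLOCKED_EXTENSIONS = {".doc", ".dot", ".xls", ".ppt"}


def is_ole2_document(data: bytes) -> bool:
    """Return True if the bytes look like an OLE2 compound file, whatever the name says."""
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return False
    # Header offsets 24-31: minor version, major version, byte-order mark, sector shift.
    _minor, major, byte_order, sector_shift = struct.unpack_from("<HHHH", data, 24)
    # Version 3 files use 512-byte sectors (shift 9); version 4 files use 4096-byte sectors (shift 12).
    return byte_order == 0xFFFE and (major, sector_shift) in ((3, 9), (4, 12))


def extension_policy(filename: str) -> str:
    """Name-based rule: blocks 'document.doc' but lets 'document.d0c' straight through."""
    ext = os.path.splitext(filename)[1].lower()
    return "block" if ext in BLOCKED_EXTENSIONS else "allow"


def content_policy(filename: str, data: bytes) -> str:
    """Content-based rule: blocks any OLE2 container regardless of its extension."""
    return "block" if is_ole2_document(data) else "allow"


def make_sample_ole2_header() -> bytes:
    """Constructed sample: a minimal v3 CFB header with a null CLSID, not a real document."""
    header = OLE2_MAGIC + b"\x00" * 16  # signature + 16-byte CLSID (all zero)
    header += struct.pack("<HHHH", 0x003E, 0x0003, 0xFFFE, 0x0009)
    return header.ljust(512, b"\x00")  # pad to one 512-byte header sector


if __name__ == "__main__":
    samples = {
        "document.d0c": make_sample_ole2_header(),  # Office content behind an odd extension
        "notes.doc": b"just a text file that was misnamed\n",  # harmless text with a .doc name
    }
    for name, blob in samples.items():
        print(f"{name:13} by extension: {extension_policy(name):5}  "
              f"by content: {content_policy(name, blob)}")
```

The `document.d0c` sample is allowed by the extension rule and blocked by the content rule, which is exactly the gap the quoted advisory describes.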

