Watch out for misformed or misused file extensions - they can spell trouble
Friday, April 15 2005 @ 09:51 AM PDT
Contributed by: Richard Pitt
I've lived through the evolution of Windows from its DOS days and have some insight into how they've done things and why.
One of the ways that Windows differs from Unix is in how it determines which program to use to open a data file, or in fact whether a file is a program or a data file at all.
Unix has a command line program called "file" and an operating system facility that works in a similar manner as part of the command system. This facility uses knowledge of the format of the first few characters in any standard file to determine what the file is: whether it is a program, data, binary, text, PDF, or any of hundreds (4409 in my current version of Red Hat) of slightly different file types.
Windows, on the other hand, uses two different methods: the 3-character extension of the file name and, in some files, the actual name of the program the data should be opened with, such as Word, Excel, PowerPoint and some others.
The subject of this particular news item is an exploit now going the rounds that uses the second facility to cause you to run a program that might (will) compromise your computer just by doing what you normally do: double-click on a document and assume it will be opened by the correct program. The exploiter gives you what looks like a standard file, but with the name of the program replaced by something else.
This exploit takes advantage of the fact that a Windows system is set by default not to show the file extension portion of the file name. Even if you have (as I always do) unchecked the "Hide file extensions for known file types" option, you may be fooled by slight misspellings of the typical extensions into opening the files as normal anyway. The misspellings might be something like "D0C" instead of "DOC" (the center character is a zero, not the letter O) or "pppt" instead of "ppt" (extra p).
So... watch out for incoming files that purport to be normal document or data files. If they are stored in the OLE2 file format and have been altered to use a different program to open the file, they can end up running a script that does damage instead of opening a document. Note that this may bypass virus checking that has been installed to check Word, Excel, PowerPoint or other standard documents.
As usual you should also be watching for files that look like data but in fact have a second extension, usually in lower case, which can fool the eye. Examples are: THIS.DOC.pif, THAT.PPT.exe, ANOTHER.XLS.bat
In each of the above, the last 3 characters actually determine what your system will use to open the file. Note also that since Windows file names can easily have spaces in them, the actual extension may sit farther along the line than the part of the file name you can see:
ANOTHER FILE NAME OF DUBIOUS LINEAGE.DOC .bat
And of course there is also the facility to obfuscate a file name with really strange characters that follow the extended character-set naming conventions for foreign-language use (16-bit characters as opposed to the typical ASCII). Unless your computer has the extended character sets installed, you will see some pretty strange things, such as 0xAF 0xB1 0x1B, as well as completely unprintable things.
If in doubt (and you should have a very low threshold of doubt) don't open it; check back with whoever sent you the file and have them double-check that it's correct.
Bruce Schneier's latest CRYPTO-GRAM newsletter has articles on biometrics (criminals in Malaysia cut off a man's finger to open the biometric lock on his Mercedes) and even one on "Hacking the Papal Election". You can see it at www.schneier.com.
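As an added example (my own code, not something from the post or from any product), here is a small Python checker that applies the rules above to a file name: double extensions, the trailing-space trick, one-typo lookalike extensions, and odd characters. It also does the Unix "file"-style content check, assuming an OLE2 document should start with the standard compound-file signature D0 CF 11 E0 A1 B1 1A E1.

```python
# Extensions Windows will execute directly (the post names .pif, .exe and .bat).
EXECUTABLE_EXTS = {"exe", "pif", "bat", "com", "scr", "cmd", "vbs"}
# Office document extensions stored in the OLE2 compound-file format.
OLE2_DOC_EXTS = {"doc", "xls", "ppt"}
# Signature at offset 0 of every OLE2 compound file (what Unix "file" keys on).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def edit_distance(a, b):
    """Levenshtein distance; 1 means one typo, such as D0C for DOC or pppt for ppt."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_filename(name):
    """Return the reasons a name looks like it is trying to fool the eye (empty if none)."""
    reasons = []
    parts = name.split(".")
    true_ext = parts[-1].strip().lower()  # the part Windows actually acts on
    earlier = [p.strip().lower() for p in parts[1:-1]]
    if true_ext in EXECUTABLE_EXTS and any(p in OLE2_DOC_EXTS for p in earlier):
        reasons.append("double extension: looks like a document but opens as ." + true_ext)
    if len(parts) > 1 and parts[-2] != parts[-2].rstrip():
        reasons.append("spaces before the real extension push it out of view")
    if true_ext not in OLE2_DOC_EXTS | EXECUTABLE_EXTS:
        near = [d for d in OLE2_DOC_EXTS if edit_distance(true_ext, d) == 1]
        if near:
            reasons.append("lookalike extension ." + true_ext + " (one typo from ." + near[0] + ")")
    if any(ord(c) < 32 or ord(c) > 126 for c in name):
        reasons.append("non-ASCII or unprintable characters in the name")
    return reasons


def content_matches_extension(name, data):
    """Unix-style check: a name claiming an OLE2 document must carry the OLE2 signature."""
    ext = name.rsplit(".", 1)[-1].strip().lower()
    if ext in OLE2_DOC_EXTS:
        return data.startswith(OLE2_MAGIC)
    return True  # this check has nothing to say about other types
```

Run check_filename on an incoming name and content_matches_extension on its first few bytes before deciding whether to open it; any non-empty reason list or a False from the content check is the "doubt" the post talks about.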
Great reading from one of the people I most respect in the area of personal and corporate security.
Hope this finds your computers working fine and you getting the best use out of them.
You can also read this at blog.pacdat.net along with other information and opinions on a variety of topics.