Title: MS Windows Explorer and Internet Explorer CLSID File Execution Vulnerability
Severity: HIGH
Description:
A vulnerability exists in Windows Explorer and Internet Explorer. An attacker can mislead a user to execute a file of the attacker's choice on their system.
CLSID (Class Id) is a unique file type identifier. Each file type has a 16 byte value identifier associated with it. This unique identifier is used by the OS to determine the action to take when opening different file types.
If a file is created with a CLSID appended to the file name (for example: filename.ext.CLSID), Windows Explorer and Internet Explorer will not display the CLSID (for example: filename.ext).
An attacker could compose a malicious file and disguise it as a low risk file (.txt, .jpg, etc.). The CLSID associated with the malicious file must be appended to the file name (for example: filename.txt.CLSID_of_malicious_file). Seeing only the filename of a trusted file type, a user may proceed to open the file under the presumption that it is an innocuous file. Due to the appended CLSID, the file will be handled as being of the type specified by the CLSID.
It should be noted that in Windows Explorer the non-CLSID portion of the file name appears under 'Name' and the file type specified by the appended CLSID will be displayed under 'Type'. In addition, the file icon displayed will not be the icon associated to the file extension but will instead be the Windows "unknown file type" icon.
Successful exploitation of this vulnerability could lead to complete compromise of the host.
This vulnerability is exploited by a virus known as 'VBS/Postcard@MM'. These attacks were first reported on March 18, 2001. See attached web page reference for further details.
Affected Products:
- Avaya DefinityOne Media Servers
- Avaya IP600 Media Servers
- Avaya S3400 Message Application Server
- Avaya S8100 Media Servers
- Microsoft Internet Explorer 5.5
- Microsoft Internet Explorer 5.5 SP1
- Microsoft Internet Explorer 5.5 SP2
- Microsoft Internet Explorer 6.0
- Microsoft Internet Explorer 6.0 SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP3
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP3
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP3
- Microsoft Windows 2000 Terminal Services
- Microsoft Windows 2000 Terminal Services SP1
- Microsoft Windows 2000 Terminal Services SP2
- Microsoft Windows 2000 Terminal Services SP3
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows Server 2003 Datacenter Edition
- Microsoft Windows Server 2003 Datacenter Edition Itanium
- Microsoft Windows Server 2003 Enterprise Edition
- Microsoft Windows Server 2003 Enterprise Edition Itanium
- Microsoft Windows Server 2003 Standard Edition
- Microsoft Windows Server 2003 Web Edition
- Microsoft Windows XP Home
- Microsoft Windows XP Professional
References:
- Network Associates Inc.: VBS/Postcard@MM
- Symantec: VBS.Postcard@mm
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
