[Esa-l]IMPSEC works - or does it.

Howard Lowndes lannet at lannet.com.au
Fri May 18 13:32:11 PDT 2001


Given the assumption about the file magic, then you would assume that php
rendered the spreadsheet rather than invoking Excel, but that does not
appear to be the case.  It appears that Winblast uses file magic as well
as extension association.

I right clicked on the attachment icon and selected "Open link in a new
window".  Well it opened in  a new window OK, but the menu bars are
different from the standard IE.  Under View there is not option to view
source as there is with straight IE.

Under Help you get About Internet Explorer, but below that you get
Microsoft Excel Help, follow that and you get About Microsoft Excel.

Regretably it appears that IE 5.5 is recognising the file type despite the
defanging of the file name and is invoking Excel, which would imply that a
Winshit system is vulnerable to malicious macros despite reasonable
efforts to avoid them.  Perhaps the defanging of .doc and .xls needs to be
re-considered.

I believe M$ call this "Giving the user a better Internet experience" -
until their system get toasted.

I tried it in Netscape and all it did was offer to save the file to disk.

-- 
Howard.
____________________________________________________
LANNet Computing Associates <http://lannetlinux.com>
   "...well, it worked before _you_ touched it!"

On Fri, 18 May 2001, John D. Hardin wrote:

> On Fri, 18 May 2001, Howard Lowndes wrote:
> 
> > I assume that php used file magic to determine what the file type
> > was and was able to display the spreadsheet because it clearly did
> > not use the file name extension and the MIME type was
> > application/octet-stream.
> 
> Running on a *nix box, that's a safe assumption.
> 
> > What concerns me is whether any macros would have been executable
> > had they been embedded.
> 
> Did it just render the spreadsheet, or did Excel actually get started
> on the client's computer (perhaps embedded in their browser)? If the
> latter, then yes, macros probably would get executed.
> 
> In this case there's little the sanitizer could do.
> 
> Does anybody know of a strip-VBA-from-MS-Office-Documents perl module?
> 
> --
>  John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
>  jhardin at wolfenet.com      pgpk -a finger://gonzo.wolfenet.com/jhardin
>   768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
>  1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>   An entitlement beneficiary is a person or special interest group
>   who didn't earn your money, but demands the right to take your
>   money because they *want* it.
>                                   -- John McKay, _The Welfare State:
>                                      No Mercy for the Middle Class_
> -----------------------------------------------------------------------
>    1264 days until the Presidential Election
> _______________________________________________
> E-mail Security Announce list mailing list
> E-mail Security Announce list at spconnect.com
> http://www.spconnect.com/mailman/listinfo/esa-l



More information about the esd-l mailing list