Guninski: IE, Windows can mask dangerous files

Microsoft's Windows Explorer and Web browser Internet Explorer can be tricked into masking dangerous files as innocent ones, a security specialist said Monday.

Hackers can exploit the flaw to have unknowing computer users run arbitrary programs on their PCs, potentially ruining the systems, according to Bulgarian bug hunter Georgi Guninski, a well-known Microsoft gadfly (see his advisory).

By adding a certain Class Identifier (CLSID) to a file name Windows Explorer and IE will show the file extension given to the file by the creator, instead of the actual file extension, Guninski said. CLSIDs consist of a string of numbers between curly brackets.

A file may appear to be an innocent ".txt" (text) file, but could in fact be a ".hta" (HTML Application) file, which can execute programs on the PC. The damage is done when the user double clicks the file to open it. The malicious file could also be portraying as any other file type, like various graphics formats.

Guninski rates the problem as "high risk" and recommends Windows users not to double click on files in Windows Explorer or IE.

A masked file can be identified, a quick test showed. Windows Explorer and IE won't associate the appropriate program icon with the file. The ".txt" file made by Guninski for test purposes did not have the icon for the Windows Notepad program. Also the file's properties - displayed by right clicking and selecting "Properties" from the menu - will show the actual file type.

Exploit scenarios include leaving malicious files on shared system resources or sending them by e-mail.

Guninski said he informed Microsoft on April 11. Nobody at Microsoft was available for comment.

The IDG News Service is a Network World affiliate.