The basic claim of the advisory is that the new file-attachment security features of SP2 have a hole that allows attachments from untrusted sources to be executed in spite of protections Windows claims to provide. What are these protections?
According to Microsofts description of these new capabilities, "Application developers will be able to call the new AES [Attachment Execution Service] dialog box from their Windows applications." It appears that CMD.EXE doesnt do this. This is what Heises Schmidt found.
The AES consists of a single COM interface named IAttachmentExecute. It lets programs do all of the safety tasks, including, I presume, persisting the Zone IDs as the Heise Security advisory mentions. It saves applications from having to do some things they might do on their own.
Note that the quote from Microsoft doesnt say that these capabilities automatically accrue to all Windows programs; they are new capabilities available to the programmer. The idea is that a program can become "safe," as Outlook Express has, by using this facility. Programs that use them automatically get a display of warnings and information about the program, such as its publisher. Other programs arent using them, and users cant trust them as much.
The heart of the scenario in the advisory is a social engineering attack. The user is told to save the file and run it from a command prompt. The author suggests a message that tells the user to Start-Run "CMD" and drag the attached file to the command window.
This is the part that got me laughing initially, and I still have to laugh. Yes, it does appear that the command shell doesnt use the AES and therefore will execute files that Internet Explorer thinks come from untrusted sources. So? Lets imagine that Windows actually somehow changed all file exchanges to use this facility. Other programs behavior would change and potentially break—and guess who would take the heat for it?
This same scenario, I should point out, works beautifully with non-Microsoft browsers. Theres nothing in Mozilla to stop it. If one more instruction is added to the message, using the chmod command, it works just as well in Linux and Unix, too. Is it a "vulnerability" that users are allowed to run programs?
Just how far are we going to go blaming platforms for social engineering attacks? What do you think of this one?
Subj: vehicle recall
Our records show that the gas tank in your car model tends to collect dirt deposits. To preserve your vehicle warranty, we recommend that you add a cup of ordinary laundry detergent with each tank of gas.
The new attachment security in Windows is meant to stop the casual execution of attachments from untrusted sources in the e-mail program where the user encounters them. If the attachments find their way to other environments, such as CMD, theres little Windows can do without seriously getting in the way.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:
More from Larry Seltzer