
Vulnerability Note VU#655100

Microsoft Internet Explorer fails to properly handle CLSID extensions

Overview

Microsoft Internet Explorer fails to properly handle directories with CLSID extensions. This may allow an attacker to bypass the warning dialog that Internet Explorer should display before executing downloaded code.

I. Description

CLSID

According to Microsoft MSDN, a CLSID is a "globally unique identifier (GUID) associated with an OLE class object."

CLSID extensions

Prior to the update in Microsoft Security Bulletin MS04-024, a file could use a CLSID as a file extension and Windows Explorer would obey the CLSID when determining how to open the file. This can mislead the user into opening a dangerous file. After installing the update for MS04-024, Windows Explorer no longer obeys a CLSID as a file extension.

The problem

The MS04-024 update does not completely address the vulnerability. Directories can have a CLSID extension. Even with the MS04-024 update installed, Windows Explorer will treat a directory with a CLSID extension as a file of the type specified by the CLSID. Within the context of Windows Explorer, this can mislead the user with respect to what is on the local filesystem. However, within the context of Internet Explorer, this technique can be used to bypass the warning dialog that Internet Explorer should display before executing downloaded code. Publicly available proof-of-concept code uses an SMB share and requires the user to double-click within the browser window.
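
The following Python script is an added example, not part of the original note and not US-CERT or Microsoft code. It audits a directory tree or mounted share for directories and files whose names carry a CLSID extension, assuming the Windows shell convention of a name ending in ".{GUID}"; the function names are hypothetical.

```python
import os
import re
import sys

# Assumption: a "CLSID extension" is a name ending in .{GUID}, where the GUID
# is written as 8-4-4-4-12 hexadecimal digits inside braces.
CLSID_EXT = re.compile(
    r"\.\{([0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12})\}$"
)


def clsid_extension(name):
    """Return the CLSID (upper-case, without braces) a name ends with, or None."""
    match = CLSID_EXT.search(name)
    return match.group(1).upper() if match else None


def find_clsid_names(root):
    """Walk root and return a sorted list of (kind, path, clsid) tuples.

    kind is "dir" or "file". Directories are the case the MS04-024 update
    left open; files are reported as well because Windows Explorer obeyed
    them before that update.
    """
    hits = []
    # Unreadable directories are skipped instead of aborting the audit.
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        for kind, names in (("dir", dirnames), ("file", filenames)):
            for name in names:
                clsid = clsid_extension(name)
                if clsid:
                    hits.append((kind, os.path.join(dirpath, name), clsid))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python script.py [root]; prints kind, CLSID and path per match.
    start = sys.argv[1] if len(sys.argv) > 1 else "."
    for kind, path, clsid in find_clsid_names(start):
        print(f"{kind}\t{clsid}\t{path}")
```

The reported CLSID can be compared against the class registrations on the host to see which handler a flagged name would select.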

II. Impact

By convincing a user to access a specially crafted web page with Internet Explorer, an attacker may be able to execute arbitrary code with the privileges of the user.

III. Solution

Apply an update

This vulnerability is addressed in Microsoft Security Bulletin MS06-045. With this update, Windows Explorer (and in turn, Internet Explorer) will prompt before executing code specified by a directory with a CLSID extension.

Do not follow unsolicited links

In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.

Block or restrict access

Block outgoing connections on ports 139/tcp, 139/udp, 445/tcp, and 445/udp at your network perimeter. Doing so will prevent machines on the local network from connecting to SMB servers on the internet. While this does not remove the vulnerability, it does block a commonly known attack vector.

Systems Affected

Vendor    Status    Date Notified    Date Updated
Microsoft Corporation    Vulnerable    8-Aug-2006

References

http://www.kb.cert.org/vuls/id/106324
http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060627/3d930eda/PLEBO-2006.06.16-IE_ONE_MINOR_ONE_MAJOR.obj
http://secunia.com/advisories/20825/
http://isc.sans.org/diary.php?storyid=1448&rss
http://windowssdk.msdn.microsoft.com/en-us/library/ms691424.aspx
http://www.microsoft.com/technet/security/bulletin/MS04-024.mspx

Credit

This vulnerability was publicly disclosed by Plebo Aesdi Nael.

This document was written by Will Dormann.

Other Information

Date Public: 2006-06-27
Date First Published: 2006-06-29
Date Last Updated: 2006-08-08
CERT Advisory:
CVE-ID(s): CVE-2006-3281
NVD-ID(s): CVE-2006-3281
US-CERT Technical Alerts:
Metric: 10.80
Document Revision: 11

Produced 2006 by US-CERT, a government organization