Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: Re: Double clicking on MS Office documents from Windows Explorer may execute arbitrary programs in some cases
From: John Fleischauer (jbfleischauerHOTMAIL.COM)
Date: Mon Sep 18 2000 - 17:32:45 CDT

Scott and team,

Normally I'm just a lurker reading all of these security issues and
implementing what is applicable and makes sense at my and our customers
facilities. I normally don't respond to many messages as I just don't have
the time. I sure that's the same in your shop.

However, I must thank you all for taking the time in responding to a couple
of tricky problems areas and explaining (in english) why you are taking that
specific course of action. I also appreciate the explanations within the
security bulletins written so even I understand the issue. This shows a
real dedication to getting it "right" which is somewhat unique in this day
and age. It also gives us grunts in the trenches a real "warm and fuzzy".

I for one really appreciate all the time and effort you and your team have
put into resolving the many issues that have come up in the recent past. It
also goes a long way in countering adverse publicity.

Keep up the good work.

John Fleischauer
Senior Scientist
Dominion Consulting Group
Chantilly, VA 20151-1321

>From: Microsoft Security Response Center <secureMICROSOFT.COM>
>Reply-To: "Discussion regarding Windows-related security vulnerabilities
> and risks." <win2ksecadviceLISTSERV.NTSECURITY.NET>
>Subject: Re: Double clicking on MS Office documents from Windows Explorer
> may execute arbitrary programs in some cases
>Date: Mon, 18 Sep 2000 11:58:41 -0700
>Hi All -
>We'd like to thank Mr. Guninski for giving us an opportunity to
>investigate this issue, and for working with us to provide additional
>data as the investigation progressed. Both the Office and IE
>Security Teams checked into the report, and our overall conclusion is
>that, although there are circumstances under which a trojaned .dll
>could be launched as discussed in the report, there isn't a
>compelling exploit scenario. Specifically, it would not be possible
>to launch a trojaned .dll simply by visiting a web site and opening
>an Office document -- instead, the user would need to take a series
>of deliberate steps that we believe would only occur as part of a
>social engineering attack.
>We considered two cases. In the first one, a malicious user would
>seek to persuade a user to download a malicious version of
>riched20.dll or msi.dll onto the user's machine, in the same
>directory as an Office document. The malicious user would then
>persuade the user to open the Office document. In the end, this case
>turns out to be simply a case of persuading the user to download and
>run untrusted code -- and if the malicious user can do this, there
>are far easier ways to accomplish the same goal.
>The second case is the more interesting one. In this case, a
>malicious user would host an Office document on his web site, put a
>trojaned riched20.dll or msi.dll into the same directory as the
>Office document, and then seek to persuade a user into launching the
>Office document. Our investigation found that this case has
>significant limitations:
>* We found no means by which the malicious user could cause the
>trojaned .dll to launch automatically when a user visited his web
>site. Opening an Office document via IE, Outlook, or Outlook Express
>would not result in the .dll being launched under any conditions. In
>our tests, we were only able to launch the .dll if we mapped a UNC
>share to the malicious user's server and opened the Office document
>using Windows Explorer or the Start | Run command. (We confirmed by
>code inspection that Windows Explorer and Start | Run use a
>completely different method of launching .dlls than IE, Outlook and
>Outlook Express).
>* Even if the user could be persuaded to use Windows Explorer or
>Start | Run to open an Office document on a remote site, the trojaned
>copy of riched20.dll or msi.dll would only launch if a bona fide
>version was *not* already in memory. If the user had previously used
>Word, Wordpad, Outlook, or any of a host of other programs that loads
>the affected .dlls, the version already in memory, rather than the
>trojaned version, would be used.
>If anyone can devise a compelling exploit scenario for this issue --
>one that would allow a malicious user to exploit it without the
>user's consent -- we'd be most interested in investigating it.
>Scott Culp
>Security Program Manager
>Microsoft Security Response Center
>- -----Original Message-----
>From: Georgi Guninski [mailto:guninskiGUNINSKI.COM]
>Sent: Monday, September 18, 2000 6:51 AM
>Subject: Double clicking on MS Office documents from Windows Explorer
>may execute arbitrary programs in some cases
>Georgi Guninski security advisory #21, 2000
>Double clicking on MS Office documents from Windows Explorer may
>arbitrary programs in some cases
>Systems affected:
>MS Office 2000, Win98/Win2000 probably other applications
>Risk: Medium
>Date: 18 September 2000
>Legal Notice:
>This Advisory is Copyright (c) 2000 Georgi Guninski. You may
>it unmodified. You may not modify it and distribute it or distribute
>parts of it without the author's written permission.
>The opinions expressed in this advisory and program are my own and
>of any company.
>The usual standard disclaimer applies, especially the fact that
>is not liable for any damages caused by direct or indirect use of
>information or functionality provided by this advisory or program.
>Georgi Guninski, bears no responsibility for content or misuse of
>advisory or program or any derivatives thereof.
>If certain DLLs are present in the current direcotory and the user
>double clicks on
>a MS Office Document or launch the document from "Start | Run" then
>DLLs are executed.
>This allows executing native code and may lead to taking full control
>over user's computer.
>It also works on remote UNC shares.
>If either of the following files:
>(other DLLs also may do, don't know)
>are present in the current directory, double clicking on an Office
>document in the current directory executes
>the code in DllMain() of the above DLLs.
>(Excel seems not to work with riched20.dll but works with msi.dll).
>I could not make this work from HTML and IE, if you can, please let
>1) Download dll1.cpp from http://www.guninski.com/dll1.cpp and build
>I discourage downloading native code from unknown site, but you may
>at your own risk
>the compiled version: http://www.guninski.com/dll1.dll
>2) Rename dll1.dll to riched20.dll
>3) Place riched20.dll in a directory of your choice
>4) Close all Office applications
>5) From Windows Explorer double click on an Office document
>MS Word document)
>in the directory containg riched20.dll
>Workaround: Do not double click on Office documents or use "Start |
>... office.doc".
> Instead start the Office application from "Start Menu"
>then use "File | Open"
>Georgi Guninski
>** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
>** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
>SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net
>Version: PGP Personal Privacy 6.5.3
><< smime.p7s >>

Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.

Share information about yourself, create your own public profile at

** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net