  1. #1
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Error in Woody's Level 1 extensions.

    I just checked out Woody's article here:
    http://www.zdnet.com/zdhelp/stories/main/0,5594,2713383-3,00.html

    On that page he lists the Level 1 security extensions for the infamous Outlook Security patch. I believe he is wrong about this entry:

    .shb Shell Scrap object

    If you check your registry, you will find these:

    HKEY_CLASSES_ROOT\.shb
    @=DocShortcut

    HKEY_CLASSES_ROOT\DocShortcut
    @="Shortcut into a document"

    You will also find that this is one of the EXTREMELY hidden File Types -- there is a "NeverShowExt" value. I recommend you DELETE the "NeverShowExt" entry for this File Type.

    I also recommend the same thing be done for .pif (piffile = "Shortcut to MS-DOS program") and .shs (ShellScrap = "Scrap Object") as well.

    Interestingly, Zone Alarm 2.6.88 (free or Pro) provides protection from all of these extensions -- except for .shb!!

    More interestingly, ZoneLabs does NOT advertise that the free version does this! See my thread here where I discuss the same issue:
    http://www.dslreports.com/forum/remark,872495;root=security,1;mode=flat

  2. #2
    Platinum Lounger
    Join Date
    Jan 2001
    Location
    Roanoke area, Virginia, USA
    Posts
    3,729
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Error in Woody's Level 1 extensions.

    In plain English, it's a shell scrap object which is in the form of a shortcut to the original doc, rather than the actual content of part of the doc (which is a shell scrap) and it is a blocked extension.

    He might be technologically inaccurate on the official MS description of what the file type is, but to most users, since the icon looks like a shell scrap, calling it a shell scrap is better than calling it a "shortcut into a document".

  3. #3
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Error in Woody's Level 1 extensions.

    Gotcha. It is the same icon -- except for the 'shortcut arrow'. Thanks for the explanation. Very helpful.

  4. #4
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Error in Woody's Level 1 extensions.

    OK, I was inappropriately harsh on Woody. He seems to have taken his list almost directly from Microsoft: http://support.microsoft.com/support/kb/articles/Q262/6/31.ASP

    The Shortcut to Document IS related to Scrap Objects! Check out the Open command for DocShortcut:

    [HKEY_CLASSES_ROOT\DocShortcut\shell\open\command]
    @ = "c:\windows\rundll32.exe shscrap.dll,OpenScrap_RunDLL /r /x %1"
    ___________________________

    Here is more information on the potential dangers of the .shs and .shb extensions: http://www.pc-help.org/security/scrap.htm

    Especially note these lines:

    By The Way...

    There is another "scrap file" type. The .SHB extension marks a file type called "Shortcut into a document," intended to point to an embedded object within a document. You can see it listed in the illustration just above.

    ...if a .SHS "object" is renamed to carry the .SHB extension, *it will behave exactly the same way*. The NeverShowExt Registry value (this time located in HKEY_CLASSES_ROOT\DocShortcut) prevents the .SHB extension from being displayed.

    *Everything you are reading here about the behavior of .SHS applies equally to .SHB.*
    _______________________


    So NOW I turn the tables. Why did ZoneAlarm MailSafe EXCLUDE this potentially dangerous extension? It protects you against 37 extensions -- but NOT 38! The problem with .shs should extend to .shb!

    Was this an oversight by ZoneLabs??

    The good news is that ScriptSentry does quarantine .shb files. But, if you don't use ScriptSentry and are only relying on ZA MailSafe, you should disable the Open command for "DocShortcut".

    ~~~~~~~~~~~~~~~~~~~~~~~~~~

    I keep finding more info... Outlook 2002 apparently has a larger list even still! It is printed here:
    http://www.microsoft.com/Office/ORK/xp/FOUR/outg03.htm

    .ade Microsoft Access project extension
    .adp Microsoft Access project
    .asx Windows Media Audio / Video shortcut**
    .bas Microsoft Visual Basic class module
    .bat Batch file
    .chm Compiled HTML Help file
    .cmd Microsoft Windows NT command script
    .com Microsoft MS-DOS program
    .cpl Control Panel extension
    .crt Security certificate
    .exe Executable program
    .hlp Help file
    .hta HTML program
    .inf Setup information
    .ins Internet naming service
    .isp Internet communication settings
    .js Jscript file
    .jse Jscript-encoded script file
    .lnk Shortcut
    .mda Microsoft Access add-in program **
    .mdb Microsoft Access program
    .mde Microsoft Access MDE database
    .mdz Microsoft Access wizard program **
    .msc Microsoft Common Console document
    .msi Windows Installer package
    .msp Windows Installer patch
    .mst Visual Test source files
    .pcd Photo CD image or Microsoft Visual Test compiled script
    .pif Shortcut to MS-DOS program
    .prf Microsoft Outlook Profile Settings **
    .reg Registration entries
    .scf Windows Explorer Command **
    .scr Screen saver
    .sct Windows script component
    .shb Shortcut into a document **
    .shs Shell scrap object
    .url Internet shortcut
    .vb VBScript file
    .vbe VBScript-encoded script file
    .vbs VBScript file
    .wsc Windows script component
    .wsf Windows script file
    .wsh Windows script host settings file

    This brings the total of potentially harmful extensions to 43. The ones that ZA MailSafe does NOT protect you from have two asterisks after them.

    I would argue that ZA MailSafe should be upgraded to provide this improved level of security.
    ___________________

    I found that ".scf Windows Explorer Command" is also an 'extremely hidden' File Type. So you need to delete the NeverShowExt entry for that also. That advice applies to .pif, .shs, and .shb extensions.

    Strangely, for .prf, I found this:

    [HKEY_CLASSES_ROOT\.prf]
    @="prffile"
    "Content Type"="application/pics-rules"
    _____________

    [HKEY_CLASSES_ROOT\prffile]
    @="PICSRules File"

    [HKEY_CLASSES_ROOT\prffile\DefaultIcon]
    @="msrating.dll,3"

    [HKEY_CLASSES_ROOT\prffile\Shell]

    [HKEY_CLASSES_ROOT\prffile\Shell\Open]

    [HKEY_CLASSES_ROOT\prffile\Shell\Open\Command]
    @="rundll32.exe msrating.dll,ClickedOnPRF %1"
    __________

    This certainly does NOT look like a "Microsoft Outlook Profile Settings" File Type... So I have to wonder if this extension was changed for Outlook 2002?

    I hope this diatribe is helpful... I just wanted to let you know I investigated this further.
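
An added example, not part of the original thread: a short Python audit of the `NeverShowExt` behaviour discussed in post #4. It parses a registry export, lists the extensions whose file type carries `NeverShowExt`, and returns the name Explorer would display for a double-extension attachment. The export text is a constructed sample that mirrors the keys quoted above, and the function names are hypothetical.

```python
# Constructed sample in REGEDIT4 export format (not from a real machine);
# key names and descriptions mirror the ones quoted in the thread.
SAMPLE_EXPORT = r'''REGEDIT4
[HKEY_CLASSES_ROOT\.shb]
@="DocShortcut"
[HKEY_CLASSES_ROOT\.shs]
@="ShellScrap"
[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
[HKEY_CLASSES_ROOT\DocShortcut]
@="Shortcut into a document"
"NeverShowExt"=""
[HKEY_CLASSES_ROOT\ShellScrap]
@="Scrap Object"
"NeverShowExt"=""
[HKEY_CLASSES_ROOT\txtfile]
@="Text Document"
'''
ROOT = 'hkey_classes_root'

def parse_export(text):
    """Return {lowercased key path: {lowercased value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and '=' in line:
            name, _, data = line.partition('=')
            current[name.strip().strip('"').lower()] = data.strip().strip('"')
    return keys

def hidden_extensions(keys):
    """Map each extension whose ProgID key carries NeverShowExt to that ProgID."""
    hidden = {}
    for path, values in keys.items():
        ext = path[len(ROOT) + 1:]
        if path.startswith(ROOT + '\\.') and '\\' not in ext:
            progid = values.get('@', '')
            if 'nevershowext' in keys.get(ROOT + '\\' + progid.lower(), {}):
                hidden[ext] = progid
    return hidden

def displayed_name(filename, hidden):
    """Name shown in Explorer when the final extension is force-hidden."""
    stem, dot, ext = filename.rpartition('.')
    return stem if dot and ('.' + ext.lower()) in hidden else filename
```

Run against a real export of HKEY_CLASSES_ROOT, `hidden_extensions` gives the list of file types whose `NeverShowExt` value the thread recommends deleting.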

  5. #5
    Platinum Lounger
    Join Date
    Jan 2001
    Location
    Roanoke area, Virginia, USA
    Posts
    3,729
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Error in Woody's Level 1 extensions.

    I'm not sure I'd say oversight by ZA or just less of a risk. Or, MS is being overly protective.

    I'll have to check on the Outlook profile to see if it changed, but one possible risk with the Outlook profile is that someone could send you a new profile, changing security settings and follow it with a virus.

  6. #6
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Error in Woody's Level 1 extensions.

    Mary, no, I jumped the gun once -- I won't do it again! I verified this myself. See the pc-help reference I included above. The .shb extension can be used EXACTLY like .shs. Simply create an .shs file (as pc-help describes) and rename it with a .shb extension. Double-click it and the SAME result will occur. The risks are real. ZoneLabs missed this one.
