recent security patch prevents desktop.ini CLSID folder-app association and custom icon

We (the software company I work for) have been using a desktop.ini file to (1) create a unique icon for the "library folders" used with our application and (2) to associate these folders with our application so that double-clicking on the folder launches our application and lets our application open the library.

The desktop.ini just looks like this:

    [.ShellClassInfo]
    ConfirmFileOp=0
    CLSID={our-class-id}

And then in the registry:

To assign an icon to the folder:

    Key Name: HKEY_CLASSES_ROOT\CLSID\{our-class-id}\DefaultIcon
    Class Name: <NO CLASS>
    Value 0
    Name: <NO NAME>
    Type: REG_SZ
    Data: path to our icon

To associate the folder with our application:

    Key Name: HKEY_CLASSES_ROOT\CLSID\{our-class-id}\Shell\Open\command
    Class Name: <NO CLASS>
    Value 0
    Name: <NO NAME>
    Type: REG_SZ
    Data: "path to our application" "%1"

Unfortunately, a recent XP security patch has broken this. According to <http://secunia.com/advisories/11633/>:

"The problem is that "desktop.ini" files may contain CLSID references to arbitrary executables in the "[.ShellClassInfo]" section. This can be exploited to execute arbitrary files with another user's privileges when the user browses a folder containing a malicious "desktop.ini" file."

Does anybody know if there might be another way to accomplish this? I spent a lot of time making this work, and now it's broke!

Thanks

"asinning" <and***@learningware.com> wrote in message news:1156771907.169036.30390@m73g2000cwd.googlegroups.com...
> We (the software company I work for) have been using a desktop.ini file
> to (1) create a unique icon for the "library folders" used with our
> application and (2) to associate these folders with our application so
> that double-clicking on the folder launches our application and lets
> our application open the library.
>
> The desktop.ini just looks like this:
>
> [.ShellClassInfo]
> ConfirmFileOp=0
> CLSID={our-class-id}
>
> And then in the registry:
>
> To assign an icon to the folder:
>
> Key Name:
> HKEY_CLASSES_ROOT\CLSID\{our-class-id}\DefaultIcon
> Class Name: <NO CLASS>
> Value 0
> Name: <NO NAME>
> Type: REG_SZ
> Data: path to our icon
>
> To associate the folder with our application:
>
> Key Name:
> HKEY_CLASSES_ROOT\CLSID\{our-class-id}\Shell\Open\command
> Class Name: <NO CLASS>
> Value 0
> Name: <NO NAME>
> Type: REG_SZ
> Data: "path to our application" "%1"
>
> Unfortunately, a recent XP security patch has broken this.
> According to <http://secunia.com/advisories/11633/>:
>
> "The problem is that "desktop.ini" files may contain CLSID references
> to arbitrary executables in the "[.ShellClassInfo]" section. This can
> be exploited to execute arbitrary files with another user's privileges
> when the user browses a folder containing a malicious "desktop.ini"
> file."
>
> Does anybody know if there might be another way to accomplish this? I
> spent a lot of time making this work, and now it's broke!
>
> Thanks
>

Posting this to all these different newsgroups is not going to get MS to change it back - it was a security threat, they plugged the threat, now we have to figure out another way to accomplish the same thing - shoot, you most likely could have found a workaround solving the problem if you had worked the problem instead of all the time spent posting/complaining to the newsgroups.
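
The advisory quoted in this thread concerns desktop.ini files whose [.ShellClassInfo] section carries a CLSID reference. As an added example (not code from either poster), this Python sketch audits a directory tree for such files and reports every CLSID that is not on an allowlist. The function names, the allowlist parameter, the all-zero placeholder CLSID and the sample file contents are constructed for illustration.

```python
import configparser
import re
import tempfile
from pathlib import Path

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def shell_class_clsid(raw: bytes):
    """Return the CLSID value from [.ShellClassInfo] in a desktop.ini, or None."""
    # Files are usually UTF-16 with a BOM, otherwise a single-byte encoding.
    utf16 = raw.startswith((b"\xff\xfe", b"\xfe\xff"))
    text = raw.decode("utf-16" if utf16 else "utf-8-sig", errors="replace")
    # RawConfigParser: values such as %SystemRoot% must not be interpolated.
    parser = configparser.RawConfigParser(strict=False, allow_no_value=True)
    try:
        parser.read_string(text)
    except configparser.Error:
        return None  # not parseable as an INI file
    for section in parser.sections():  # section names are case-sensitive here
        if section.lower() == ".shellclassinfo":
            value = parser[section].get("clsid")  # option names are lower-cased
            return value.strip() if value else None
    return None

def audit_tree(root, allowed=frozenset()):
    """List (path, clsid, reason) for each desktop.ini naming a CLSID not in allowed."""
    allowed = {c.upper() for c in allowed}
    findings = []
    for path in Path(root).rglob("*"):
        if path.name.lower() != "desktop.ini" or not path.is_file():
            continue
        clsid = shell_class_clsid(path.read_bytes())
        if clsid is None or clsid.upper() in allowed:
            continue
        reason = "unlisted CLSID" if GUID_RE.match(clsid) else "malformed CLSID"
        findings.append((str(path), clsid, reason))
    return findings

def demo():
    """Constructed sample tree: one folder with a placeholder CLSID, one icon-only."""
    samples = {"library": "[.ShellClassInfo]\r\nConfirmFileOp=0\r\n"
                          "CLSID={00000000-0000-0000-0000-000000000001}\r\n",
               "photos": "[.ShellClassInfo]\r\nIconFile=%SystemRoot%\\system32\\shell32.dll\r\n"}
    with tempfile.TemporaryDirectory() as root:
        for folder, body in samples.items():
            Path(root, folder).mkdir()
            Path(root, folder, "desktop.ini").write_bytes(body.encode("utf-16"))
        return [(Path(p).parent.name, c, r) for p, c, r in audit_tree(root)]
```

Passing the CLSIDs an organisation knowingly deploys as `allowed` leaves only unexpected references in the report.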