Wordpad May Execute Embedded Code

There is a vulnerability in Wordpad which allows executing arbitrary programs without warning the user after activating an embedded or linked object. This may be also exploited in IE for Win9x.

Wordpad executes programs embeded in .doc or .rtf documents without any warning if the object is activated by doubleclick. This may be exploited under Internet Explorer for Win9x using the view-source: protocol. The view-source: protocol starts Notepad, but if the file is large, then the user is prompted to launch Wordpad instead.

By creating a large .rtf document and by creating an HTML view-source: link to that document in an HTML page or HTML-based email message, the user will be prompted to use Wordpad where a program may be executed if the user doubleclicks on an object in the opened document.

DEMONSTRATION

A copy of Georgi"s demo RTF file is located here.

Click here to launch the doc using the "view source:" protocol tag.

Please note, on NT systems with large amounts of RAM available, even Georgi"s demo document will not force Wordpad to open since Notepad appears to use all available memory.

VENDOR RESPONSE

Microsoft is aware of this problem however no response was known at the time of this writing.

CREDITS
Discovered by Georgi Guninski