
List:       spamassassin-users
Subject:    Re: new(ish) malware: RTF with MIME payload
From:       RW <rwmaillists () googlemail ! com>
Date:       2016-03-21 14:14:19
Message-ID: 20160321141419.69e33d1c () gumby ! homeunix ! com

On Sun, 20 Mar 2016 21:22:52 +0000
Cedric Knight wrote:


> > Anything that opens in MS Word, eg do[ct][mx]?, asd, wbk, wll and
> > might run VBA, so includes Excel too, xl.*  - whether it launches
> > depends how the MUA handles the Content-Type I think - so
> > "application/.*" .  
> 
> On second thoughts, that's nowhere near safe to catch everything that
> might run VBA.  Need someone with more knowledge of a Windows system
> with Office installed, but quite likely it will also try to open xml,
> prn, csv, od[st], dif, slk, wp, rt.*, ppt, p[op].* as a document and
> run any macros.
 

I think this is aimed at fairly old versions of MS Office; it's been
a long time since anything would autorun.

AFAIK, since Office 2007 there's been specific protection against file
content that doesn't match the file extension. My understanding is that
it's also possible to lock down the installation so that the user can't
override the malware warnings.

The same version also brought in new file extensions that end in "x" or
"m" according to whether any kind of active content is allowed,
e.g. .docm and .docx.  I would have thought that the x variants should
be fairly safe for email since it seems unlikely that a version of
Office that doesn't support the new document formats would be associated
with the new extensions.
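
Added example, not part of the message above: a mail-filter style check for the two signals the reply describes, content that does not match the file extension and active content inside an "x" file. The function names are hypothetical, the sample files are constructed, `vbaProject.bin` is assumed as the conventional name of the VBA part in macro-enabled OOXML files, and the `MIME-Version:` test is an assumption based on the thread subject.

```python
import io
import zipfile

OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc/.xls/.ppt
# Container each extension should hold; "x" and "m" variants are both ZIP-based.
EXPECTED = {"doc": "ole2", "xls": "ole2", "ppt": "ole2", "rtf": "rtf"}
EXPECTED.update({e + s: "zip" for e in ("doc", "xls", "ppt") for s in "xm"})

def sniff(data):
    """Classify an attachment by its leading bytes, ignoring its name."""
    if data.startswith(OLE2):
        return "ole2"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if data[:64].lstrip().lower().startswith(b"mime-version:"):
        return "mime"  # MIME-wrapped document (assumed from the thread subject)
    return "unknown"

def has_vba_part(data):
    """True if a ZIP-based Office file carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def check_attachment(filename, data):
    """Return a list of findings; an empty list means nothing was flagged."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind, findings = sniff(data), []
    expected = EXPECTED.get(ext)
    if expected and kind != expected:
        findings.append(f"content-mismatch: .{ext} should be {expected}, found {kind}")
    # An "x" extension promises no active content, so a VBA part contradicts it.
    if expected == "zip" and ext.endswith("x") and kind == "zip" and has_vba_part(data):
        findings.append(f"macro-in-x: VBA project inside .{ext}")
    return findings

def make_ooxml(with_macros):
    """Constructed sample: a minimal ZIP shaped like an OOXML file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"placeholder")
    return buf.getvalue()
```

A finding is a scoring signal for the filter, not a verdict on the file.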
