Attachment Execution Service (AES)
Wednesday 27th June, 2007 10:47 Comments: 0
The lovely Susan Bradley's discovery of the Unblock button (which has been around on Windows 2003 for two years, not sure how she's missed it for so long) got me thinking about Alternate Data Streams (ADS). The AES adds a Zone.Identifier ADS to a file. If the ZoneId=4 then it came from the internet and the file will be blocked (hence the Unblock button, or a big warning saying it might not be safe to run). But if it's an ADS, and the information in it is consistent and in plain text, surely it's easy to manipulate the record? Could an innocuous-looking script or program attached to an email, when launched by the user, download a malicious file, change its Zone.Identifier, and then launch that program without the big warning? The zone is only checked by explorer.exe; I don't believe it's checked by cmd.exe, so the user could probably launch any downloaded executable via cmd.exe anyway, but it's still a neat idea if they implement the checks in cmd.exe. I suppose what they should be doing is storing the Zone.Identifier in a vaguely inconsistent manner, perhaps with some sort of hash based on something secret that's unique to the system?
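To make the "plain text" point concrete from a defender's side, here is an added example (my own code, not anything from the post or from Microsoft) that parses the Zone.Identifier stream the way Explorer's check effectively does and audits a set of files. It assumes the documented INI-style layout of the stream (a `[ZoneTransfer]` section with a `ZoneId=` line) and Windows' URLZONE numbering, where 3 is the Internet zone and 4 is Restricted sites; the sample stream contents are constructed inline, and the `read_zone_identifier` helper only works on an NTFS volume, where Python's `open` can address the stream as `file:Zone.Identifier`.

```python
import os
from typing import Dict, Optional

# Windows URLZONE numbering: 0 local machine, 1 local intranet, 2 trusted sites,
# 3 internet, 4 restricted sites. Explorer shows the Unblock button / warning
# when ZoneId is 3 or higher.
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
UNTRUSTED_MIN_ZONE = 3


def parse_zone_identifier(stream_text: str) -> Optional[int]:
    """Parse the INI-style Zone.Identifier stream and return the ZoneId.

    Returns None when the [ZoneTransfer] section or ZoneId line is missing or
    not an integer. Later Windows versions add keys such as ReferrerUrl and
    HostUrl to the same section; unknown keys are ignored here.
    """
    section = None
    zone = None
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "zoneid":
            try:
                zone = int(value.strip())
            except ValueError:
                return None
    return zone


def is_marked_untrusted(stream_text: Optional[str]) -> bool:
    """True only when the stream is present and names an untrusted zone."""
    if stream_text is None:
        return False
    zone = parse_zone_identifier(stream_text)
    return zone is not None and zone >= UNTRUSTED_MIN_ZONE


def classify(stream_text: Optional[str]) -> str:
    """Classify one file by its stream contents.

    'unmarked' and 'unblocked' are indistinguishable from a mark that was
    stripped or rewritten, which is exactly the weakness the post describes:
    absence of the mark proves nothing about where the file came from.
    """
    if stream_text is None:
        return "unmarked"
    zone = parse_zone_identifier(stream_text)
    if zone is None:
        return "malformed"
    if zone >= UNTRUSTED_MIN_ZONE:
        return "blocked:" + ZONE_NAMES.get(zone, str(zone))
    return "unblocked:" + ZONE_NAMES.get(zone, str(zone))


def read_zone_identifier(path: str) -> Optional[str]:
    """Read the ADS from a file on NTFS (Windows only); None if absent."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def audit_directory(directory: str) -> Dict[str, str]:
    """Walk a directory on NTFS and classify every regular file."""
    report = {}
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            report[path] = classify(read_zone_identifier(path))
    return report


# Constructed sample stream contents (what the ADS would contain).
SAMPLE_STREAMS: Dict[str, Optional[str]] = {
    "setup.exe": "[ZoneTransfer]\r\nZoneId=3\r\n",           # normal download
    "policy.doc": "[ZoneTransfer]\r\nZoneId=4\r\n",          # restricted-sites zone
    "notes.txt": None,                                       # no stream at all
    "tool.exe": "[ZoneTransfer]\r\nZoneId=0\r\n",            # mark rewritten to local
    "odd.bin": "[ZoneTransfer]\r\nZoneId=internet\r\n",      # malformed value
}


def audit_samples() -> Dict[str, str]:
    return {name: classify(text) for name, text in SAMPLE_STREAMS.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:12} {verdict}")
```

Running the audit shows why the post's proposed keyed hash would matter: `tool.exe` with its ZoneId rewritten to 0 is reported as `unblocked:LocalMachine`, identical to a file that genuinely never left the machine, so a detection based purely on the stream's contents cannot tell the two apart.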