COMMAND

    wordpad

SYSTEMS AFFECTED

    Win9x

PROBLEM

    Georgi  Guninski  found  following.   There  is a vulnerability in
    Wordpad which allows executing arbitrary programs without  warning
    the user after activating an embedded or linked object.  This  may
    be also exploited in IE for Win9x.

    Wordpad  executes  programs  embeded  in  .doc  or  .rtf documents
    without any  warning if  the object  is activated  by doubleclick.
    This  may  be  exploited  in  IE  for Win9x using the view-source:
    protocol.  The  view-source: protocol starts  Notepad, but if  the
    file is large, then the user is asked to use Wordpad.  So creating
    a large .rtf document and creating a HTML view-source: link to  it
    in a HTML page  or HTML based email  message will prompt the  user
    to  use  Wordpad  and  a  program  may  be  executed  if  the user
    doubleclicks on an object in the opened document.

    Demonstration which starts AUTOEXEC.BAT:

        http://www.whitehats.com/guninski/wordpad1.html

    The nice thing about that  is you can have '.txt'extension  in the
    file  (i.e.  wordpad1.txt).   WordPad  autodetects  it  as  a  RTF
    document  anyway.   It's  Win9x's  notepad  that  sees the file is
    >64KB and  prompts to  launch WordPad.   The NT/Win2K  versions of
    Notepad don't have  the filesize limitation  (so will simply  open
    the file).

SOLUTION

    Do not activate objects in Wordpad documents.