New tool: Masked Extension Control (MEC), don’t trust Windows extensions

ElevenPaths    3 September, 2019

Windows relies too much on extensions to choose the program that must process a file. For instance, any .doc file will be opened by Word, regardless of its “magic number” (the first two bytes that define the real nature of a file better than its extension). This may entail serious security problems. Opening .rtf files that exploit vulnerabilities in Word may be avoided if such files are processed by WordPad, for example. Masked Extension Control (MEC) is our open-source response to solve this, since each file is opened with the appropriate program and consequently the risk of exploiting vulnerabilities due to masked extensions is minimized.

What is Masked Extension Control?

Masked Extension Control is a program that makes Windows rely on magic numbers, and not only on extensions, to choose the program that will be used to open a file. This is much safer for your system, since a lot of attacks begin by fooling extensions and trying that a vulnerable program opens or executes them ꟷinstead of the one the file is really supposed to be opened with.

Prevent attacks based on fake extensions

Attackers usually change file extensions to make you trust the file, and this is dangerous. For example, some very popular attacks make .rtf files to be opened with Word, just by replacing the .rtf extension with .doc or .docx. This way, they build exploitable .rtf files that will take advantage of Word vulnerabilities or weaknesses to release their payload. However, if these .rtf files were opened by WordPad, the threat will disappear.

Easy to use

This program does not need to be resident on memory. It modifies the Windows registry to open .mht, .doc, .rtf and .docx files with the appropriate program, so trusting in magic numbers instead of extensions. If you want to stop using it, you just need to uninstall it.

Most common formats and extensions

Not only .rtf and .doc files, but .mht files as well: if they are opened with Word, some vulnerabilities may be exploited, but if they were opened with a browser it is less likely that something occurs. Masked Extension Control works even with malformed magic numbers in .rtf (which is much more common than you might think).

Masked Extension Control is an open-source tool written in C#, so any contribution will be welcome. It is available from:

Leave a Reply

Your email address will not be published.