recent security patch breaks desktop.ini CLSID folder-app association and custom icon



I posted this at winxp/general last week but haven't gotten any
replies. Thanks for any insight!

We (the software company I work for) have been using a desktop.ini file
to (1) create a unique icon for the "library folders" used with our
application and (2) to associate these folders with our application so
that double-clicking on the folder launches our application and lets
our application open the library.

The desktop.ini just looks like this:

[.ShellClassInfo]
ConfirmFileOp=0
CLSID={our-class-id}

And then in the registry:

To assign an icon to the folder:

Key Name:
HKEY_CLASSES_ROOT\CLSID\{our-class-id}\DefaultIcon
Class Name: <NO CLASS>
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: path to our icon

To associate the folder with our application:

Key Name:
HKEY_CLASSES_ROOT\CLSID\{our-class-id}\Shell\Open\command
Class Name: <NO CLASS>
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: "path to our application" "%1"

Unfortunately, a recent XP security patch has broken this.
According to <http://secunia.com/advisories/11633/>:

"The problem is that "desktop.ini" files may contain CLSID references
to arbitrary executables in the "[.ShellClassInfo]" section. This can
be exploited to execute arbitrary files with another user's privileges
when the user browses a folder containing a malicious "desktop.ini"
file."

Does anybody know if there might be another way to accomplish this? I
spent a lot of time making this work, and now it's broke!

Thanks

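An added example, not part of the original post: a small audit script that walks a directory tree and reports every folder whose desktop.ini sets a CLSID in its [.ShellClassInfo] section, the construct the quoted advisory describes. It goes slightly beyond the post by also decoding UTF-16 desktop.ini files; the function names, the sample tree and the all-zero CLSID are constructed placeholders.

```python
import tempfile
from pathlib import Path

def read_ini_text(path):
    # desktop.ini is usually ANSI or UTF-16 with a BOM; handle both.
    raw = Path(path).read_bytes()
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1"
    return raw.decode(enc, errors="replace")

def shellclassinfo_clsid(text):
    # Return the CLSID value set in [.ShellClassInfo], or None.
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == ".shellclassinfo" and not line.startswith(";"):
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "clsid":
                return value.strip()
    return None

def find_clsid_folders(root, allowed=frozenset()):
    # (relative folder, CLSID) per desktop.ini whose CLSID is not in the caller's upper-case allow set.
    hits = []
    for ini in Path(root).rglob("*"):
        if ini.is_file() and ini.name.lower() == "desktop.ini":
            clsid = shellclassinfo_clsid(read_ini_text(ini))
            if clsid and clsid.upper() not in allowed:
                hits.append((ini.parent.relative_to(root).as_posix(), clsid))
    return sorted(hits)

def demo():
    # Constructed sample tree; the CLSID is a placeholder, not a real class.
    fake = "{00000000-0000-0000-0000-0000000000AA}"
    samples = {
        "library": ("[.ShellClassInfo]\r\nConfirmFileOp=0\r\nCLSID=%s\r\n" % fake).encode("ascii"),
        "unicode": ("[.ShellClassInfo]\r\nclsid = %s\r\n" % fake).encode("utf-16"),
        "icononly": b"[.ShellClassInfo]\r\nIconFile=folder.ico\r\nIconIndex=0\r\n",
        "othersection": ("[Notes]\r\nCLSID=%s\r\n" % fake).encode("ascii"),
    }
    with tempfile.TemporaryDirectory() as root:
        for folder, data in samples.items():
            Path(root, folder).mkdir()
            Path(root, folder, "desktop.ini").write_bytes(data)
        return find_clsid_folders(root), find_clsid_folders(root, {fake.upper()})

if __name__ == "__main__":
    print(demo())
```

Pass the CLSIDs your own software legitimately registers as `allowed` so that only unexpected folder-class associations are reported.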