Extension | Risk | File type | Notes
.386 | Low | Windows virtual device driver (VxD) file | Essentially the same as an .exe file.
.acf | Medium | Microsoft Agent file | Used by the Microsoft Agent ActiveX control (http://www.microsoft.com/msagent/default.asp). Vulnerability patched in MS06-068.
.ade | Low | Microsoft Access Project file | Can contain auto-executing macros. Not often used maliciously.
.adn | Low | Microsoft Access Project Template | Can contain auto-executing macros. Not often used maliciously.
.adp | Low | Microsoft Access Project file | Can contain auto-executing macros. Not often used maliciously.
.ani | Medium | Windows Animated Cursor | Two issues were announced by Flashsky Fangxing (flashsky@xfocus.org) on December 23, 2004. First, a Windows kernel denial of service: Windows XP SP2 is not vulnerable, but most other Windows versions (NT to 2003) are. Second, an integer overflow in the LoadImage API in USER32.DLL, affecting most Windows versions (NT to 2003) and patched by MS05-002.
.arc | Low | PKArc file archive | Older, pre-Windows archive format. Still used occasionally by malware to bypass computer security defenses.
.arj | Medium | ARJ file archive | Can be used by malware to bypass computer security defenses. ARJ files can be created and extracted by many popular programs, including WinZip. More detail on the format at http://www.filext.com/detaillist.php?extdetail=ARJ.
.asf | Medium | Microsoft Advanced Streaming Format | Streaming audio or video, usually opened by Windows Media Player (WMP). ASF files can be exploited through buffer overflows, header malformation, or dangerous scriptable content, and can contain binary files, scripts, and HTML links that retrieve other content. An ASF file renamed to another extension (for example, .mp3) is still recognized by its header and opened in WMP, so filtering on the extension alone is not enough. Good discussion of ASF and ASX files at http://www.webreference.com/js/column51/asf.html.
.asx | Medium | Windows Media Player metafile | ASX files are textual WMP command files that manage the streaming of ASF files. They are very small (about 1K) because they contain no data, only instructions, and they can call and invoke many other types of active content. Involved in a DoS vulnerability reported to NTBugtraq on November 22, 2006. Good discussion of ASF and ASX files at http://www.webreference.com/js/column51/asf.html.
.atf | Low | Symantec pcAnywhere autotransfer file | Can initiate a pcAnywhere file-transfer session.
.avi | Medium | Microsoft video file format | AVI stands for Audio Video Interleave. Has been used in some exploits, such as MS05-050, a DirectX vulnerability: a user who downloads a malicious file can be exploited, up to remote code execution (but not privilege escalation).
.b64 | Medium | Base64 MIME-encoded file | Used to send MIME file attachments. Has been used to send malware.
.bas | Low | Visual Basic (VB) class module | Can contain malicious instructions. The file association may not exist on newer PCs.
.bat | High | DOS batch file | Can contain malicious command interpreter instructions.
.bhx | Medium | BinHex-encoded archive (associated with WinZip) | Has been used by a few worms to bypass antivirus scanners.
.bmp | Medium | Windows Bitmap graphics file | Integer overflow in the LoadImage API in USER32.DLL, announced by Flashsky Fangxing (flashsky@xfocus.org) on December 23, 2004; most Windows versions (NT to 2003) were vulnerable until MS05-002. A tough call to block, as the format is very popular for legitimate use.
.cab | Low | Microsoft cabinet archive file | Opens in Windows Explorer and IE and can help install malicious files. Commonly used by Microsoft to install legitimate files, but could be used by malware to bypass computer security defenses. Unexpected CAB files arriving by e-mail or from untrusted Web sites should not be opened.
.cap | Low | Ethereal (now Wireshark) packet capture file | Contains network packets captured by a protocol analyzer. Ethereal's dissectors (the parsers that turn raw packets into protocol breakdowns) have often been subject to buffer overflows, but to date no popular malware has used .cap files to exploit a computer.
.cbl | Medium | Microsoft Interactive Training file | The User= field allows an exploitable buffer overflow (SEH pointer overwrite). Microsoft Interactive Training (Orun32.exe) must be present, and it often is by default in OEM versions of Windows XP. First exploit of this file type announced on June 14, 2005 by iDEFENSE Labs. Patched by MS05-031. HKCR\MITrain.Document\shell\open\command points at Orun32.exe.
.cbm | Medium | Microsoft Interactive Training file | The User= field allows an exploitable buffer overflow (SEH pointer overwrite). Microsoft Interactive Training (Orun32.exe) must be present, and it often is by default in OEM versions of Windows XP. First exploit of this file type announced on June 14, 2005 by iDEFENSE Labs. Patched by MS05-031. HKCR\MITrain.Document\shell\open\command points at Orun32.exe.
.cbo | Medium | Microsoft Interactive Training file | The User= field allows an exploitable buffer overflow (SEH pointer overwrite). Microsoft Interactive Training (Orun32.exe) must be present, and it often is by default in OEM versions of Windows XP. First exploit of this file type announced on June 14, 2005 by iDEFENSE Labs. Patched by MS05-031. HKCR\MITrain.Document\shell\open\command points at Orun32.exe.
.cer | Low | Digital certificate | Can be used to install a malicious certificate in IE to permit automatic downloading of malicious content.
.ceo, .ce0 | Low | | Used by the Winevar worm. NETCOM guidance 2004-11 recommends blocking this file extension.
.chm | High | Windows Compiled Help File | Windows Help files compiled for better performance and a richer feature set. Malformed compiled help files have figured in many announced exploits over the years, including Microsoft Security Bulletin MS05-026 and exploits in 2006 (http://www.securityfocus.com/bid/17926/discuss). Can be opened in Internet Explorer without user intervention via the ms-its: moniker.
.cmd | High | Command file | Batch-file-like command interpreter script. Can contain malicious instructions.
.cnt | Low | Microsoft Help Workshop Help Contents file | Stack-based memory corruption in Microsoft Help Workshop while processing .CNT Help Contents files. The tool is a standard component of Microsoft Visual Studio 6.0 and 2003 (.NET) for building and managing help projects and can also be downloaded alone from the Microsoft Download Center. Original announcement on January 18, 2007 (http://www.anspi.pl/~porkythepig/visualization/cnt-expl1.cpp).
.com | Medium | Program executable | Older DOS and 16-bit Windows executables. Still run under all Windows versions except 64-bit Windows.
.cpl | High | Control Panel applet | Executable program written to run in the Control Panel context. Can be infected by viruses or used by malware to install itself; one example is a Win32.Beagle variant (http://www.securityresponse.symantec.com/avcenter/venc/data/w32.beagle@mm!cpl.html). Used legitimately throughout Windows, but rarely needs to be accepted in e-mail, IM, and so on.
.crl | Low | Certificate Revocation List | CRLs list revoked digital certificates. A rogue CRL could be used to invalidate otherwise valid certificates as a denial of service.
.crt | Low | Digital certificate | Can be used to install a malicious certificate in IE to permit automatic downloading of malicious content.
.cs | Medium | C# source file | Normally a C# source file, not a Windows Script Host file: Cscript.exe does not run .cs files, and the source must first be compiled (csc.exe ships with the .NET Framework). Can carry malicious code, but it is not executed simply by opening the file.
.css | Medium | Cascading Style Sheet | Used by IE and other browsers; lets Web developers deliver a consistent look and feel across a site without recoding the style on every page. Has been exploited maliciously many times. Should not be disabled in IE in most cases, but rarely needs to be sent in e-mail, IM, and so on.
.ctl | Low | Certificate Trust List | Could be used by a remote attacker to trick the victim into installing the attacker as a trusted publisher.
.cur | Medium | Windows cursor graphic file | Integer overflow in the LoadImage API in USER32.DLL, announced by Flashsky Fangxing (flashsky@xfocus.org) on December 23, 2004; most Windows versions (NT to 2003) were vulnerable until MS05-002.
.dbg | Low | Debug script file | Can contain assembler or hex instructions that debug.exe assembles into a malicious binary.
.desklink | Low | Desktop link to program | Could be used maliciously.
.der | Low | Digital certificate | Can be used to install a malicious certificate in IE to permit automatic downloading of malicious content.
.dhtml | Low | Dynamic HTML file | Has been used in malicious attacks, but is no longer a popular attack vector.
.dif | Low | Data Interchange Format | Older, common spreadsheet format, mostly used for conversion. Used a few times in older malicious attacks.
.dll | High | Dynamic Link Library | Most DLLs are legitimate program files containing precompiled library routines that other programs call, but a DLL can also contain a complete program. Involved in many viruses and worms. Because of Windows File Protection, most Windows system DLLs cannot be overwritten or modified by malware, but rogue DLLs can still be installed.
.doc | High | Microsoft Office Word document | Can contain malicious macros, scripts, objects, links, and executables. Very difficult to block because legitimate use is very common. Default Microsoft Office security settings block many malicious objects. Note that recently many Office document formats have been targeted by zero-day attacks.
.dochtml | Low | Microsoft Office Word document in HTML format | Can contain malicious macros, scripts, objects, links, and executables. Very difficult to block because legitimate use is very common. Default Microsoft Office security settings block many malicious objects.
.docmhtml | Low | Microsoft Office Word document in MIME-encapsulated format | Can contain malicious macros, scripts, objects, links, and executables. Not commonly used. Default Microsoft Office security settings block many malicious objects.
.docxml | Low | Microsoft Office Word document in XML format | Can contain malicious macros, scripts, objects, links, and executables. Default Microsoft Office security settings block many malicious objects.
.dot | Medium | Microsoft Office Word template | Can be manipulated by malware to contain malicious objects that are then added to every new document based on the template. Very commonly manipulated by early Microsoft Office macro viruses, but less commonly modified by malware today.
.dothtml | Low | Microsoft Office Word template in HTML format | Can be manipulated by malware to contain malicious objects that are then added to every new document based on the template.
.dsm | Medium | Nullsoft Winamp media file | Has been involved in malicious exploits.
.dun | Low | DUN export file | Can contain malicious dial-up connection information that initiates outbound calls.
.edt | Low | Adobe Reader eBook file | Involved in at least one announced exploit in 2004 (http://www.idefense.com/application/poi/display?id=163). If eBook functionality is not needed, it can be blocked without affecting overall Adobe Reader functionality.
.email | Medium | Outlook Express e-mail message | Used by Nimda and many other worms.
.emf | Medium | Enhanced Metafile | Windows graphics file format buffer overflow, MS05-053; high criticality if not patched. In January 2007 also found to be vulnerable in OpenOffice versions before 2.1.0 and StarOffice versions before 8.
.eml | Medium | Outlook Express e-mail message | Used by Nimda and many other worms.
.eot | Low | Embedded OpenType font | A malicious font file could be used to take complete control of an unpatched Windows computer; the patch is MS06-002. The extension is normally .eot, but could be anything.
.exe | High | Application file | Can launch malicious executables. Cannot be blocked on a Windows system, but should be blocked in e-mail, IM, and so on.
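Several entries above (.asf renamed to .mp3 and still opening in WMP; .b64, .uue, .mim, .bhx and the archive formats used to slip executables past scanners; .exe and friends to be blocked at the gateway) describe the same gap: an extension filter inspects the name, not the bytes. The following gateway triage routine is an added example, not code from the original page or from any product it names. It fingerprints content by its leading bytes (signature values taken from the public format specifications, including the ASF header GUID), peels one layer of uuencode, base64 or ZIP wrapping, and blocks when the declared extension is High risk, the content contradicts the extension, or an executable is hidden inside the wrapper. The risk table is a subset of this table, the RISK/CONSISTENT dictionaries and all sample files are constructed, and the 40-byte "MZ" stub is not a real program.

```python
"""Attachment triage for a mail or IM gateway. Added example; the risk table is a
subset of the table above, the magic-byte signatures are from the public format
specifications, and every sample file is constructed (no real malware)."""
import base64
import binascii
import io
import os
import zipfile

RISK = {".exe": "High", ".scr": "High", ".pif": "High", ".bat": "High", ".cmd": "High",
        ".chm": "High", ".vbs": "High", ".js": "High", ".hta": "High", ".dll": "High",
        ".asf": "Medium", ".asx": "Medium", ".rar": "Medium", ".b64": "Medium",
        ".mim": "Medium", ".bmp": "Medium", ".mp3": "Low", ".uue": "Low",
        ".cab": "Low", ".zip": "Low", ".jpg": "Low"}

# Leading bytes of formats named on this page. The ASF entry is the ASF header
# object GUID 75B22630-668E-11CF-A6D9-00AA0062CE6C in its on-disk byte order.
MAGIC = [(b"MZ", "pe-executable"),
         (bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C"), "asf"),
         (b"PK\x03\x04", "zip"), (b"Rar!\x1a\x07", "rar"), (b"MSCF", "cab"),
         (b"ITSF", "chm"), (b"\x60\xea", "arj"), (b"RIFF", "riff"),  # .avi/.ani/.wav
         (b"\x89PNG\r\n\x1a\n", "png"), (b"GIF8", "gif"), (b"\xff\xd8\xff", "jpeg"),
         (b"BM", "bmp"), (b"ID3", "mp3")]

# Detected types consistent with a declared extension. Raw MPEG audio without an
# ID3 tag is not fingerprinted here, so "unknown" is tolerated for .mp3.
CONSISTENT = {".exe": {"pe-executable"}, ".scr": {"pe-executable"}, ".dll": {"pe-executable"},
              ".asf": {"asf"}, ".wmv": {"asf"}, ".wma": {"asf"}, ".mp3": {"mp3", "unknown"},
              ".zip": {"zip"}, ".rar": {"rar"}, ".cab": {"cab"}, ".chm": {"chm"},
              ".arj": {"arj"}, ".avi": {"riff"}, ".ani": {"riff"}, ".png": {"png"},
              ".gif": {"gif"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".bmp": {"bmp"}}


def identify(data):
    """Name the format by its leading bytes, ignoring the filename entirely."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def peel(data):
    """Strip one wrapper layer (uuencode, ZIP or base64); return (layer, payloads)."""
    if data.startswith(b"begin "):
        out = bytearray()
        for line in data.splitlines()[1:]:
            if line.strip() in (b"end", b"`", b""):
                continue
            try:
                out += binascii.a2b_uu(line)
            except binascii.Error:
                break
        return "uuencode", [bytes(out)]
    if identify(data) == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return "zip", [zf.read(n) for n in zf.namelist()]
        except (zipfile.BadZipFile, RuntimeError):
            return "zip", []
    try:
        decoded = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        decoded = b""
    if decoded and identify(decoded) != "unknown":
        return "base64", [decoded]
    return None, []


def triage(filename, data):
    """Decide allow/block from declared extension, real content and wrapped content."""
    ext = os.path.splitext(filename)[1].lower()
    detected = identify(data)
    wrapper, inner = peel(data)
    inner_types = [identify(p) for p in inner]
    mismatch = ext in CONSISTENT and detected not in CONSISTENT[ext]
    hides_exe = "pe-executable" in inner_types
    block = RISK.get(ext) == "High" or mismatch or hides_exe
    return {"ext": ext, "risk": RISK.get(ext, "Unknown"), "detected": detected,
            "wrapper": wrapper, "inner": inner_types, "mismatch": mismatch,
            "double_ext": filename.lower().count(".") > 1,
            "verdict": "block" if block else "allow"}


def constructed_samples():
    """Constructed inputs: a 40-byte 'MZ' stub (not a real program) wrapped three ways."""
    stub = b"MZ\x90\x00" + b"\x00" * 36
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("invoice.scr", stub)
    return {"song.mp3": bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C") + b"\x00" * 16,
            "report.uue": b"begin 644 tool.exe\n" + binascii.b2a_uu(stub) + b"end\n",
            "report.b64": base64.b64encode(stub),
            "photos.zip": zbuf.getvalue(),
            "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
            "setup.exe": stub}
```

Run `triage(name, data)` on each attachment; the "song.mp3" sample is blocked for the ASF header mismatch even though .mp3 is Low risk, and "photos.zip" is blocked because the member inside is an executable, which is the case an extension-only filter misses.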
.far | Medium | Nullsoft Winamp media file | Has been involved in malicious exploits.
.fav | Low | IE Favorites list | Can be used to list malicious Web sites. Don't block on Windows, but block it coming through e-mail, IM, and so on.
.gadget | Medium | Vista Sidebar Gadget | Sidebar gadgets can contain nearly any type of active content and scripting. They can be sent in e-mail and downloaded from the Internet, and there is a good chance that malware writers will try to take advantage of Vista's new Sidebar gadgets feature.
.gif | Low | Graphics Interchange Format file | Normally just picture data, but malformed GIFs have caused improper application handling and buffer overflows in many applications, including IE, Windows Messenger (see Microsoft Security Bulletin MS05-022), and Sun's Java (http://www.frsirt.com/english/advisories/2007/0211).
.gzip | Low | Gzip compressed file | Can be used by malware to bypass computer security defenses. Very common on Unix/Linux platforms, but also used on Windows. See also .tar.
.hhp | Medium | Microsoft HTML Help Workshop project file | Used in a buffer overflow exploit announced February 2006 (http://www.frsirt.com/english/advisories/2006/044).
.hlp | Medium | Microsoft Help file | Used legitimately throughout Windows, but has been used in multiple exploits. Block in e-mail, IM, and so on.
.hpj | Low | Microsoft Help Workshop project file | Microsoft Help Workshop 4.03.0002 is a standard component of Microsoft Visual Studio 6/2003 (.NET) and can also be downloaded alone from the Microsoft Download Center. January 22, 2007 exploit at http://www.anspi.pl/~porkythepig/visualization/hpj-x01.cpp.
.hqx | Low | Macintosh BinHex 4 encoded archive | Has been used to spread malware.
.ht | Low | HyperTerminal file | Can initiate dial-up connections to untrusted hosts.
.hta | High | HTML application | Frequently used by worms and Trojans.
.htm | High | HTML file | Can initiate a browser session and be used to download and execute rogue files automatically.
.html | High | HTML file | Can initiate a browser session and be used to download and execute rogue files automatically.
.htt | Low | Internet Explorer hypertext template | Can be used or manipulated by adware/malware to display unwanted browser windows and popups.
.ico | Medium | Windows icon graphic file | Integer overflow in the LoadImage API in USER32.DLL, announced by Flashsky Fangxing (flashsky@xfocus.org) on December 23, 2004; most Windows versions (NT to 2003) were vulnerable until the patch, MS05-002, was released.
.idc | Medium | Interactive Disassembler (IDA) script file | Normally used only by the IDA Pro disassembler (http://www.datarescue.com/idabase). Can be used by viruses; a proof-of-concept virus was released (http://www.sarc.com/avcenter/venc/data/w32.gatt.html).
.inf | Low | Setup Information or security template file | As a Setup Information installer file, it can be used to manipulate existing programs maliciously or to install new malicious programs. As a security template, it can be used to downgrade existing security permissions.
.ini | Low | Application configuration settings file | Can be used to change a program's default settings maliciously. Desktop.ini can also be used to auto-launch malicious programs.
.ins | Low | Internet communication settings | Can be used to initiate Internet connections to untrusted sources.
.iso | Low | Disk image file (CD-ROM, DVD, etc.) | There is a worm that can arrive and spread using ISO images. Very low risk. See http://www.trendmicro.com/vinfo/images/WORM_BAHISHO_A2.gif for more details.
.isp | Low | Internet communication settings | Can be used to initiate Internet connections to untrusted sources.
.it | Medium | Nullsoft Winamp media file | Has been involved in malicious exploits.
.its | High | Microsoft InfoTech Storage Library | Has been used in buffer overflows. Not installed by Microsoft by default, but installed by many legitimate "teaching" programs. Related to the compiled help file exploit (http://www.securityfocus.com/bid/17926/discuss).
.jar | Low | Java archive file | Can launch Java attacks.
.jav | Low | Java applet | Can launch Java attacks.
.java | Low | Java applet | Can launch Java attacks.
.jfif | Low | JPEG File Interchange Format | The JPEG graphics file format has been involved in a few buffer overflows, including Microsoft MS04-028.
.jpe | Low | JPEG graphics file | The JPEG graphics file format has been involved in a few buffer overflows, including Microsoft MS04-028.
.jpeg | Low | JPEG graphics file | The JPEG graphics file format has been involved in a few buffer overflows, including Microsoft MS04-028.
.jpg | Low | JPEG graphics file | The JPEG graphics file format has been involved in a few buffer overflows, including Microsoft MS04-028.
.js | High | JavaScript file | Can contain malicious code. Executed by Wscript.exe or Cscript.exe (Windows Script Host) or, inside IE, by the JScript engine (JScript.dll).
.jse | Medium | Encoded JScript file | Can contain malicious code. JSE files are script-encoded JavaScript that Windows and IE decode and run transparently (the encoding is trivially reversible). Executed by Wscript.exe, Cscript.exe, or JScript.dll. As easy to create as .js files, but not yet popular with malware writers.
.key | Low | Windows Registry modification file | Could contain malicious Registry keys and values.
.lnk | Low | Shortcut link | Can be used to automate malicious actions.
.lsf | Low | Streaming audio or video file | Can be exploited through buffer overflows, header malformation, or dangerous scriptable content.
.lsx | Low | Streaming audio or video file | Can be exploited through buffer overflows, header malformation, or dangerous scriptable content.
.lzh | Medium | LHA archive file | Can be used by malware to bypass computer security defenses. Used on Windows, especially by game developers and Japanese programmers, but not common.
.m3u | Low | Audio playlist (XMPlay and other players) | XMPlay is an audio player supporting many audio formats and playlists. XMPlay was shown to be buffer-overflow exploitable on November 20, 2006 (http://www.milw0rm.com/exploits/2815). XMPlay can also be overflowed by ASX files (http://www.milw0rm.com/exploits/2824).
.mad | Low | Microsoft Access module shortcut | Can carry out macro manipulation that isn't controlled by Office security settings.
.maf | Low | Microsoft Access form shortcut | Can contain malicious behavior.
.mag | Low | Microsoft Access diagram shortcut | Can contain malicious behavior.
.mam | Low | Microsoft Access macro shortcut | Can contain malicious behavior.
.maq | Low | Microsoft Access query shortcut | Can contain malicious behavior.
.mar | Low | Microsoft Access report shortcut | Can contain malicious behavior.
.mas | Low | Microsoft Access stored procedure shortcut | Can contain malicious macros and procedures.
.mat | Low | Microsoft Access table shortcut | Can contain malicious behavior.
.mav | Low | Microsoft Access view shortcut | Can contain malicious behavior.
.maw | Low | Microsoft Access data access page shortcut | Can contain malicious behavior.
.mda | Low | Microsoft Access add-in | Can contain malicious behavior.
.mdb | Low | Microsoft Access application or database | Can contain malicious behavior.
.mdbhtml | Low | Microsoft Access application or database in HTML format | Can contain malicious macros.
.mde | Low | Microsoft Access database with all modules compiled and source code removed | Can contain malicious macros.
.mdn | Low | Microsoft Access database template | Can contain malicious behavior.
.mdt | Low | Microsoft Access database wizard file | Can contain malicious behavior.
.mdz | Low | Microsoft Access database wizard template | Can contain malicious behavior.
.mht | Medium | MIME HTML document | Can contain malicious content.
.mhtml | Medium | MIME HTML document | Can contain malicious content.
.mid | Medium | MIDI music file | A malformed header has been used to buffer overflow Windows Media Player (http://www.frsirt.com/english/advisories/2006/5039).
.midi | Medium | MIDI music file | A malformed header has been used to buffer overflow Windows Media Player (http://www.frsirt.com/english/advisories/2006/5039).
.mim | Medium | MIME-encoded file or archive | A MIME (Multipurpose Internet Mail Extensions) file. Many e-mail clients, sometimes including Outlook and OE, create a .MIM file when forwarding an e-mail with an attachment, and that attachment could be anything. In malicious e-mails the .MIM attachment is often a zip or an executable. See http://www.securityresponse.symantec.com/avcenter/venc/data/w32.blackmal.e@mm.html.
.mmf | Low | Microsoft Mail or Outlook item file | Can carry malware.
.mov | High | QuickTime movie file | Involved in multiple vulnerabilities over the years, including buffer overflows announced on 11/10/05 and 12/20/05 (http://www.frsirt.com/english/advisories/2005/3012).
.msg | Low | Microsoft Outlook item | Can carry malware.
.msh | Low | Microsoft Shell (Monad) script | Script for Microsoft Shell (Monad), the beta of Windows PowerShell, intended to replace the older shell script files (.bat, .cmd, and so on); the released PowerShell 1.0 uses the .ps1 extension instead. Demonstration viruses were written for this file format (http://www.f-secure.com/v-descs/danom.shtml).
.msi | Medium | Windows Installer package | Can be used to install or modify software.
.msp | Low | Windows Installer patch | Can be used to install malware.
.mst | Low | Windows Installer transform (also used for Visual Basic test source files) | A transform alters what an .msi package installs, so it can be used maliciously.
.nch | Low | Outlook Express folder | No documented use as a malware carrier was found, although many malware programs read legitimate NCH files to harvest more e-mail addresses. NETCOM guidance 2004-11 nonetheless recommends blocking this extension, so it is listed here.
.nrg | Low | Nero CD-ROM or DVD image file | A very low-risk worm can spread using Nero image files. See http://www.trendmicro.com/vinfo/images/WORM_BAHISHO_A2.gif for more details.
.nws | Low | Outlook Express news message | Network newsgroup message format. Can carry viruses, worms, and other malware.
.ocx | High | ActiveX control | Can be used to install malicious ActiveX programs.
.oft | Low | Outlook template file | Can contain malicious scripting or objects. Not commonly used by malware, although e-mail worms and viruses sometimes harvest legitimate e-mail addresses from OFT files.
.oss | Low | Microsoft Office Saved Searches file | Can be used to exploit unpatched versions of Microsoft Windows/Outlook/Office: CVE-2007-0034 (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0034).
.ovl | Low | Program overlay file | Commonly used by legitimate programs. Can be used to install malware, and legitimate overlays can be infected by viruses.
.pcap | Low | Ethereal packet capture file | Malformed captures have caused buffer overflows in Ethereal, but the format is not popularly used to exploit.
.pct | Low | Apple PICT graphics file | Used by QuickDraw and QuickTime, among other applications. Buffer overflow announced on both Windows and Unix on November 11, 2005.
.pdc | Low | Microsoft compiled script | Can contain dangerous code.
.pdf | Medium | Adobe Reader Portable Document Format | Involved in several exploits over the years. Difficult to block because of widespread legitimate use.
.pi | Medium | | Reported to appear as a truncated form of .pif on some systems. NETCOM 2004-11 recommends that it be blocked.
.pic | Low | Apple PICT graphics file | Used by QuickDraw and QuickTime, among other applications. Buffer overflow announced on both Windows and Unix on November 11, 2005.
.pict | Low | Apple PICT graphics file | Used by QuickDraw and QuickTime, among other applications. Buffer overflow announced on both Windows and Unix on November 11, 2005.
.pif | High | Program information file | Can run malicious programs.
.pl | Medium | Perl script file | Can contain rogue code.
.pls | Medium | Winamp playlist | A malformed playlist (containing overly long filenames) can cause a buffer overflow in Winamp (http://www.frsirt.com/english/advisories/2006/0361).
.png | Medium | Portable Network Graphics file | PNG is an open, losslessly compressed graphics format (http://www.libpng.org/pub/png). Has been involved in several exploits, including multi-browser buffer overflows; the last PNG buffer overflow in IE was resolved by MS05-025.
.pol | Low | Windows policy file | Can be used to lower security settings on Windows 9x and later.
.pot | Low | Microsoft PowerPoint template | Can contain scripted exploits.
.pothtml | Low | Microsoft PowerPoint template in HTML format | Can contain malicious content.
.ppa | Low | Microsoft PowerPoint add-in | Can contain malicious content.
.ppt | Low | Microsoft PowerPoint presentation | Can contain malicious content.
.ppthtml | Low | Microsoft PowerPoint presentation in HTML format | Can contain malicious content.
.pptmhtml | Low | Microsoft PowerPoint presentation in MIME-encoded HTML format | Can contain malicious content.
.prf | Low | Outlook profile settings | Can override default or trusted settings.
.pst | Low | Outlook or Exchange personal store file | Can contain malicious attachments and be imported into Outlook or Outlook Express.
.pwl | Low | Windows 9x password file | Could be used to overwrite legitimate passwords on Windows 9x.
.py | Low | Python script file | Can contain rogue code.
.qtl | Medium | QuickTime Media Link | QTL files give flexibility in how QuickTime content is accessed and can hold JavaScript. A QTL file can carry any extension (for example, .mp3, .mov, .qt). Used in at least one widespread XSS attack (http://www.gnucitizen.org/blog/myspace-quicktime-worm-follow-up).
.qtif | Medium | QuickTime image file | Can be used to cause a buffer overflow in vulnerable versions of QuickTime (http://www.frsirt.com/english/advisories/2006/0128).
.rar | Medium | WinRAR archive | Used by malware to bypass detectors that open zip files but not RAR files. Used by the Bagle worm among others. http://www.geocities.com/marcoschmidt.geo/rar-archive-file-format.html
.rat | Low | Internet Explorer content ratings file | Part of Internet Explorer's Content Advisor rating feature. Can be installed to approve malicious Web sites as safe. Also used on IIS Web sites to pre-rate content delivered to visitors; if installed on IIS, could be used to execute malicious program instructions. Has been the subject of a buffer overflow announcement in the past.
.rc | Low | Microsoft Visual Studio resource script | http://www.secunia.com/advisories/23856. Affected products: Microsoft Visual Studio 6 SP6 and earlier.
.rdp | Low | Remote Desktop Connection shortcut | If an end user can be tricked into running a malicious RDP file, it could execute local commands, or map a local drive (Windows XP Pro and later should warn) to a remote malicious machine and give the attacker access to local files. Not currently a popular exploit.
.reg | Low | Registry entry file | Can create malicious Registry keys or values.
.rjs | Medium | RealPlayer skin file | Can be downloaded and applied automatically through a Web browser without the user's permission. A skin is a bundle of graphics and an .ini file stored together in ZIP format. Fixed in RealPlayer versions after 10.5.
.rm | Medium | RealPlayer media file | Involved in multiple vulnerabilities over the years. The latest buffer overflow was announced on November 10, 2005.
.rpt | Low | Crystal Reports report file | Used in multiple buffer overflow exploits, first reported in November 2006 (http://www.frsirt.com/english/advisories/2006/4691) and again in January 2007 (http://www.lssec.com/advisories/LS-20061102.pdf). The .rpt extension is shared by many other "report file" formats; none of those has been reported vulnerable.
.rtf | Medium | Rich Text Format file | Can script other attacks and contain embedded malicious links.
.scf | Medium | Windows Explorer command file | Could be used maliciously in future attacks.
.scp | Low | DUN script | Can initiate rogue outbound connections.
.scr | High | Windows screen saver file | Usually legitimate, but can contain worms or Trojans and has been used in many popular worm attacks. An SCR file is essentially the same as any other EXE and can do anything to a system.
.sct | Medium | Windows scriptlet file | Can contain malicious commands.
.shb | High | Shell scrap object | Can mask rogue programs by containing links to other programs. Shell scrap objects keep their extension hidden even when Windows is told to display extensions (their file class carries the NeverShowExt Registry value).
.shs | High | Shell scrap object | Can mask rogue programs by containing links to other programs. Shell scrap objects keep their extension hidden even when Windows is told to display extensions (their file class carries the NeverShowExt Registry value).
.shtml | Low | HTML file with server-side include directives | Could contain malicious content, but not popularly used.
.sit | Low | Mac StuffIt archive | Could be used to sneak malware past antivirus scanners.
.slk | Low | Excel SYLK data-import file | Can contain hidden malicious macros.
.smi | Medium | RealPlayer SMIL file | RealPlayer's Synchronized Multimedia Integration Language (SMIL) parser was found by eEye to have a buffer overflow in March 2005.
.smil | Medium | RealPlayer SMIL file | RealPlayer's Synchronized Multimedia Integration Language (SMIL) parser was found by eEye to have a buffer overflow in March 2005.
.spl | High | Shockwave Flash object | Flash files have been involved in multiple exploits.
.stl | Low | Certificate Trust List (CTL) | Can induce a user to trust a rogue certificate.
.stm | Medium | Nullsoft Winamp media file | Has been involved in malicious exploits.
.swf | High | Shockwave Flash object | Flash files have been involved in multiple exploits, including MS06-020, released in May 2006.
.sys | Medium | Driver or configuration file | Used by many startup files, including config.sys. Can be used to install malicious programs, and legitimate .sys files can be infected by viruses.
.tar | Medium | Unix archive file format | TAR stands for Tape Archive. Common on Linux/Unix, but also used on Windows. Can be used by malware to bypass computer security defenses.
.taz | Medium | Unix compressed archive | Can be used by malware to bypass computer security defenses.
.tga | Medium | Targa graphics file (parsed by QuickTime) | Can be used to cause a buffer overflow in vulnerable versions of QuickTime (http://www.frsirt.com/english/advisories/2006/0128).
.tgz | Medium | Unix compressed archive | Can be used by malware to bypass computer security defenses.
.tif | Low | TIFF graphics file | Has been involved in exploits before.
.tiff | Low | TIFF graphics file | Has been involved in exploits before.
.tz | Medium | Unix compressed archive | Can be used by malware to bypass computer security defenses.
.ult | Medium | Nullsoft Winamp media file | Has been involved in malicious exploits.
.url | High | Internet shortcut | Can send the user to a malicious Web site or launch a malicious action.
.uu
|
Low
|
Older (UUENCODE) archive file format
|
UUecode file format used to send program files and other objects through plain-text e-mail. Used to be common across most PC platforms, but is not super common today. Can be used by malware to bypass computer security defenses.
|
.uue
|
Low
|
Older (UUENCODE) archive file format
|
UUecode file format used to send program files and other objects through plain-text e-mail. Used to be common across most PC platforms, but is not super common today. Can be used by malware to bypass computer security defenses.
|
.xxe
|
Low
|
XX-encoded file
|
See http://www.membrane.com/synapse/library/uuenc.html for more information on xx-encoding. Recommended to be blocked by NETCOM 2004-11 guidance document.
|
.vb
|
Medium
|
VBScript file
|
Can contain malicious code that will be launched in Windows and IE and executed by Wscript.exe, Cscript.exe, or VBScript.dll.
|
.vbs
|
High
|
VBScript file
|
Can contain malicious code that will be launched in Windows and IE and executed by Wscript.exe, Cscript.exe, or VBScript.dll.
|
.vbe
|
Medium
|
Encoded VBScript file
|
Can contain malicious code. VBE files are encoded VBScript files that can easily be decoded and read by Windows and IE. These files are executed by Wscript.exe.
|
.vcf
|
Medium
|
vCard file format
|
Used in many e-mail clients, including Outlook and Outlook Express to communicate recipient addressing details. Has been involved in a few exploits.
|
.vxd
|
High
|
Virtual device driver
|
Can be used to execute malicious code.
|
.wab
|
Medium
|
Outlook Express Address book
|
Has been used in remote buffer overflow. See http://www.microsoft.com/technet/security/Bulletin/MS06-016.mspx and MS06-076.
|
.wbk
|
Low
|
Microsoft Word backup document
|
Can contain malicious content.
|
.wiz
|
Low
|
Microsoft Word Wizard file
|
Used by Microsoft to launch enduser-friendly "wizards" that walk new users through common tasks. Could be used to automate future social engineering attack, but is not a common malware vector.
|
.wma
|
Medium
|
Nullsoft WinAmp media file
|
Has been involved in malicious exploits.
|
.wmf
|
Medium
|
Windows metafile
|
Has been involved in multiple buffer overflow exploits, including MS05-053 and another exploit discovered on December. 27, 2005. Bug is Microsoft's Graphics Rendering Engine. WMF files can be named to other extensions that will still execute as if they are WMF files. In January 2007, it was also found to be vulnerable in OpenOffice versions prior to 2.1.0 and Star Office versions prior to 8.
|
.ws
|
High
|
WSH script file
|
Windows script file, executed by Wscript.exe, can execute malicious code.
|
.wsc
|
High
|
Windows scriptlet file
|
Windows script file, executed by Wscript.exe, can execute malicious code.
|
.wsf
|
High
|
WSH script file
|
Windows script file, executed by Wscript.exe, can execute malicious code.
|
.xla
|
Low
|
Microsoft Excel add-in program
|
Add-ins can contain dangerous macros and code.
|
.xlb
|
Low
|
Microsoft Excel file
|
Can contain harmful content.
|
.xlc
|
Low
|
Microsoft Excel Chart
|
Can contain harmful content.
|
.xld
|
Low
|
Microsoft Excel dialog box file
|
Can contain malicious content.
|
.xlk
|
Low
|
Microsoft Excel Backup file
|
Can contain malicious content.
|
.xll
|
Low
|
Microsoft Excel file
|
Can contain malicious content.
|
.xlm
|
Low
|
Microsoft Excel macro file
|
Can contain malicious content.
|
.xls
|
High
|
Microsoft Excel spreadsheet
|
Can contain dangerous macros and code.
|
.xlshtml
|
Low
|
Microsoft Excel spreadsheet in HTML format
|
Although not popularly used, can contain malicious content.
|
.xlsmhtml
|
Low
|
Microsoft Excel spreadsheet in MIME-encoded HTML format
|
Although not popularly used, can contain malicious content.
|
.xlt
|
Low
|
Microsoft Excel spreadsheet template file
|
Could contain malicious content.
|
.xlthtml
|
Low
|
Microsoft Excel spreadsheet template in HTML format
|
Could contain malicious content.
|
.xlv
|
Low
|
Microsoft Excel Visual Basic module
|
Can contain malicious content or commands.
|
.xml
|
Low
|
XML file
|
Likely to be the next language of choice for malicious coders.
|
.xsl
|
Low
|
XML conversion/translation file
|
Likely to be the next language of choice for malicious coders.
|
.z
|
Low
|
Gzip file format
|
Can be used by malware to bypass computer security defenses. Very common on Unix/Linux platforms, but can also be used in Windows.
|
.zip
|
High
|
Pkzip or Winzip archive file
|
Can be used maliciously several ways, including: 1) To allow malware to bypass file integrity checkers and antivirus software that does not unzip zip files. 2) Can contain a zip file within a zip file (several levels of nesting possible) to bypass security programs that do not do recursive scanning. 3) Can be used to auto-launch programs when file is unzipped. 4) Can be used to overwrite other legitimate files. 5) Can be used to create an overwhelming number of directories and subdirectories causing quota problems, low disk space, and other operating system abnormalities. Latter problem has also been used to bypass security programs that do not handle long and "deep" directory names well.
|