April 15, 2024

Outlook’s behavior differs for different types of hyperlinks. For example, for links that start with http:// or https://, the email client will send the link to the default browser installed on the operating system. However, if an email includes links for other protocol handlers, for example skype:, the email client will display a warning that the link might be unsafe before allowing the user to continue and forward the request to the locally installed Skype application, which is the registered protocol handler for skype: links.

Another common link protocol is file://, which would normally call an external application to render the file depending on its format. However, Microsoft has intentionally put a restriction in place to not allow the opening of remote file links, for example files hosted on a remote network share, potentially over the internet.

However, the Check Point researchers found that this restriction can be bypassed by adding the character “!” followed by a random string at the end of the URL. For example, file:///10.10.111.111testtest.rtf wouldn’t work, but file:///10.10.111.111testtest.rtf!something would work and the file would be passed to Microsoft Word, which is the registered handler for the .rtf file extension.

The reason this works is that the !something part makes Outlook treat the link as a Moniker Link in the context of the Component Object Model (“COM”) on Windows, where the part after ! is used to look up a COM object. The Component Object Model is a binary interface through which different software components can communicate with each other. Dating back to 1993, it has served as the foundation for various technologies such as ActiveX or Microsoft Object Linking & Embedding (OLE).

In essence, Outlook strips the file:// protocol handler and parses the link using the “ole32!MkParseDisplayName()” API. This in turn treats it as a compound moniker: a FileMoniker being 10.10.111.111testtest.rtf and an ItemMoniker being “something.”

Because the FileMoniker has the extension .rtf, the API will call a COM server that handles that extension, which happens to be Microsoft Word, which runs as a COM server in the background without the GUI. When receiving the request, Word opens the remote file and then tries to look up a COM object for the ItemMoniker “something.”
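For mail filtering, the pattern described above (a file: link whose target contains “!”) can be checked in an HTML message body before delivery. The following is an added example, not code from Check Point or Microsoft; the function names, host name and share name are assumptions made for illustration, and the sample body is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import unquote


class HrefCollector(HTMLParser):
    """Collect the href value of every <a> tag in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def classify_link(href):
    """Return 'moniker-link', 'file-link' or None for one href value."""
    decoded = unquote(href).strip()  # decoding %21 is a conservative choice
    if not decoded.lower().startswith("file:"):
        return None  # http(s), skype: etc. follow the normal Outlook paths
    target = decoded[5:].lstrip("/\\")
    # "!" separates the FileMoniker from the ItemMoniker in the parsed name
    return "moniker-link" if "!" in target else "file-link"


def scan_html_body(html):
    """Return (verdict, href) for every file: link found in the body."""
    collector = HrefCollector()
    collector.feed(html)
    return [(v, h) for h in collector.hrefs if (v := classify_link(h))]


# Constructed sample body; host and share names are placeholders.
SAMPLE_BODY = r"""
<p><a href="https://www.example.com/news!today">news</a>
<a href="skype:someone?call">call</a>
<a href="file:///\\fileserver.example\share\report.rtf">report</a>
<a href="FILE:///\\fileserver.example\share\report.rtf!item">report</a></p>
"""

if __name__ == "__main__":
    for verdict, href in scan_html_body(SAMPLE_BODY):
        print(f"{verdict:13} {href}")
```

A “!” in an https: link is ignored because only file: targets are parsed as monikers in the flow described above; plain file: links are still reported so they can be reviewed separately.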