KB Article #102159

CLSID vulnerability

Detailed Information:

The CLSID vulnerability uses a CLSID as a file's final extension so that you don't see the true extension for that file. This may trick your users into double-clicking harmful files because they believe the files are harmless, for example because they appear to have a .txt extension.

A CLSID looks like this:

{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}

where x is any alphanumeric character.

For example, a file with the following name will look exactly like a text file (except for the icon) but will open in Word:

testdoc.txt.{00020906-0000-0000-C000-000000000046}

See these web sites for further discussion and an example:

  • http://www.guninski.com/clsidext.html
  • http://www.bugnet.com/lab/ba010419.html

Resolution:

To defend against this using EMF, create a policy similar to the following:

For all messages sent from this user
with a "*.{*}" attachment
quarantine the message with no tags
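
The same attachment-name test can be applied outside EMF, for instance in a mail-processing script. The following is an added example, not part of the original article or of EMF. The function names and the sample message are constructed for illustration; only the file name comes from the article.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Last name component of the form .{8-4-4-4-12}. The article describes each x
# as alphanumeric, so the character class is not narrowed to hex digits.
CLSID_SUFFIX = re.compile(
    r"^(?P<shown>.*)\.\{(?P<clsid>[0-9A-Za-z]{8}(?:-[0-9A-Za-z]{4}){3}-[0-9A-Za-z]{12})\}$")
# Broad form equivalent to the policy's "*.{*}" pattern.
BRACE_SUFFIX = re.compile(r"\.\{[^{}]*\}$")

def check_filename(name):
    """Return None for a clean name, else a finding describing the suffix."""
    name = name.strip()
    m = CLSID_SUFFIX.match(name)
    if m:  # well-formed CLSID: report the name the user would be shown
        return {"name": name, "shown_as": m["shown"], "clsid": m["clsid"].upper()}
    if BRACE_SUFFIX.search(name):  # still caught by the broad policy pattern
        return {"name": name, "shown_as": None, "clsid": None}
    return None

def scan_message(raw_bytes):
    """Return one finding per suspicious attachment in a raw mail message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition and falls back to the
        # Content-Type "name" parameter, so both spellings are covered.
        filename = part.get_filename()
        hit = check_filename(filename) if filename else None
        if hit:
            findings.append(hit)
    return findings

def build_sample():
    """Constructed message: one disguised attachment, one ordinary one."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for fname in ("testdoc.txt.{00020906-0000-0000-C000-000000000046}", "notes.txt"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print("quarantine:", finding)
```

Reporting `shown_as` next to the full name lets a reviewer of the quarantine see what the recipient would have seen.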