XYplorer Beta Club

This new Windows vulnerability got me thinking... it would be really nice if we had more control over item icons in XY.

What I'm picturing is essentially a clone of PFA, the user would provide the path to an icon and any item with that extension would display this icon instead of asking the shell.

Thus anyone concerned with the above vulnerability could add a definition, "lnk>Icons\Generic.ico", which would, show "<xydata>\Icons\Generic.ico" and prevent XY from asking the shell and thus stopping the exploit.


This could also allow us to have custom icons on network locations without sacrificing time lost to extraction. Plus it would be portable so those users moving between machines could view the same icons everywhere instead of the system definitions.



There are a few additions I think we'd need to add to the existing PFA pattern handling:
1) A way to specify the shell's generic icon ("lnk>!generic")

2) A way to specify the shell/extracted icon ("exe>!shell"). The reason for this is to restrict extracting to a specific pattern, the same could be achieved by allowing inverted match patterns.

3) A network location switch. This would allow us to define generic icons to be used for network locations. (Let's just call it a pattern starting with n! for now.)

Then the existing "Use generic icon" options could be replaced with four default entries:
n!\>Icons\Generic-Network-Folder.ico
n!*>Icons\Generic-Network-File.ico
\>Icons\Generic-Folder.ico
*>Icons\Generic-File.ico

4) This is more for PIA v2 or v3, but a switch to define whether or not the icon overlay should be displayed for matching items. Then we could limit overlays to only being enabled in the folders where they are used.

Is this possible without slowing browsing and list display to a halt, Don?



NOTE: I'm not sure that vulnerability can be exploited when viewing the crafted shortcuts through XY, but my thoughts are it still can since XY would call the shell which is where the problem lies.

Thanks for the fine feature layout (as usual)! But you know my to do list...

Can you quickly describe the vulnerability?

admin wrote:Thanks for the fine feature layout (as usual)! But you know my to do list...

Indeed I do, and I only wish it could be added somewhere on the list. Though I hoped the similarity to PFA (and also color filters) would significantly help its placement.

admin wrote:Can you quickly describe the vulnerability?

I can't claim to fully understand it but my understanding is that it's possible to craft a shortcut and abuse some of the features the Control Panel relies on so that when the shell attempts to extract the icon for display it executes 'malicious' code that would have the same privileges as the current user. It doesn't have to be malicious, but whose going to exploit it for good instead?

The recommended fix, for now, is to disable displaying of custom icons for all shortcuts, but then your start menu becomes one awful mess.


As I said not sure XY is similarly affected, but I'd imagine so since you presumably call the shell. Configuring XY to use generic icons and not show the embedded ones in Properties probably prevents it. Though I'm not concerned enough to actually follow this advice.

I see, but it's not that easy to implement, and it would also bring increased support costs to my home (inquiries about icon files and formats...), so I'm not really attracted to adding this now.

admin wrote:I see, but it's not that easy to implement, and it would also bring increased support costs to my home (inquiries about icon files and formats...), so I'm not really attracted to adding this now.

Not now, but in the distant future... right?

I would actually like to second this request, as I think it is a great idea.

I'm still waiting for XYplorer to handle matters like Explorer does when browsing to a folder full of different EXEs. It allows a user to enter a folder and then retrieves individual icons, in XYplorer it's the other way around

zer0 wrote:I'm still waiting for XYplorer to handle matters like Explorer does when browsing to a folder full of different EXEs. It allows a user to enter a folder and then retrieves individual icons, in XYplorer it's the other way around

No. XY browses the folder with generic icons first, then it retrieves the specific icons. But it is usually so fast that you cannot see it.

The difference is that XY does it all in the same thread.

admin wrote:

zer0 wrote:I'm still waiting for XYplorer to handle matters like Explorer does when browsing to a folder full of different EXEs. It allows a user to enter a folder and then retrieves individual icons, in XYplorer it's the other way around

No. XY browses the folder with generic icons first, then it retrieves the specific icons. But it is usually so fast that you cannot see it.

This has not been my experience since a long time. If it's only a few executables, the delay is is barely noticeable. However, if it's 15+ different EXEs I have to wait 5 seconds (or proportionally more) to be allowed into a folder.

zer0 wrote:... If it's only a few executables, the delay is is barely noticeable. However, if it's 15+ different EXEs I have to wait 5 seconds (or proportionally more) to be allowed into a folder.

Maybe antivirus scanner?

PeterH wrote:Maybe antivirus scanner?

I doubt it. A delay only occurs once per XYplorer session. And it does not delay Explorer from navigating into a folder and then extracting icons.

OT and FYI: It is expected that Microsoft will release an out-of-band security update to address this vulnerability

.

Please, put my vote for "Yes, I want it too" in the ballot...
-Optionally also for files with no extension, so we could easily tell which app will open that kind of file from inside XY.
-Support for .ico, .exe, .icl, .jpg, .bmp (being the last two a room to improvise with in an unfriendly environment - i.e. not having tools to fast create .ico files).