Secure Coding mailing list archives
RE: Re: Hypothetical design question
From: "Michael S Hines" <mshines () purdue edu>
Date: Fri, 30 Jan 2004 14:52:44 +0000
The other part of this issue, of course, is that Outlook hides the true file extension. If it is SRC, EXE, COM or such, one can fool Outlook into hiding the *real* file type so you think you are looking at a picture when in fact you may be executing a program (which may display a picture as a part of the process to think you got what you expected) which installs back doors onto the system (either for later entry, or to send information out).

If we had 'full disclosure' there might not be such a problem.

MSH

-----------------------------------
Michael S Hines
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Goldman
Sent: Thursday, January 29, 2004 1:39 PM
To: [EMAIL PROTECTED]
Subject: [SC-L] Re: Hypothetical design question

the user community has grown very fond of some of the very features that viruses and worms thrive on (e.g., file attachments that can be executed with a single/double click of a mouse)

I don't think this is quite true. I think most users want to __view__ attachments, either pictures or text. They expect the viewer to be Word, Powerpoint, Paint, etc. They don't expect, when they click on an attachment, to __execute__ it.

Most virus attachments disguise themselves as text or pictures. The accompanying teaser text says "look at this cool picture" or "here's the document you asked for". The teaser text never says "here's the program I want you to execute."

So my improved email client would say, "clicking an attachment can pass its contents to this approved list of viewers, but it will never just execute the attachment."

--
Ken Goldman [EMAIL PROTECTED] 914-784-7646
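
Added example, not part of the original message or of any poster's code: a sketch of the attachment policy discussed above, where a click either hands the file to an approved viewer chosen by its true (last) extension or is refused, and the full name is always shown. The allowlist, viewer names, function names and sample file names are all hypothetical.

```python
# Added example: hypothetical attachment-open policy for a mail client.
# Constructed allowlist: true extension -> viewer that renders but never runs content.
APPROVED_VIEWERS = {
    "txt": "text-viewer",
    "jpg": "image-viewer",
    "jpeg": "image-viewer",
    "gif": "image-viewer",
    "png": "image-viewer",
}


def true_extension(filename):
    """Return the extension the OS would act on: the text after the last dot."""
    # Win32 drops trailing dots and spaces, so "a.exe. " is still an .exe.
    name = filename.rstrip(". ")
    base, dot, ext = name.rpartition(".")
    return ext.strip().lower() if dot and base else ""


def looks_disguised(filename):
    """True when an earlier dotted part names a viewable type but the last does not."""
    parts = [p.strip().lower() for p in filename.rstrip(". ").split(".")]
    real = parts[-1]
    return any(p in APPROVED_VIEWERS for p in parts[1:-1]) and real not in APPROVED_VIEWERS


def open_attachment(filename):
    """Decide what a click does. Returns (action, detail); never an 'execute' action."""
    ext = true_extension(filename)
    viewer = APPROVED_VIEWERS.get(ext)
    if viewer is not None:
        return ("view", viewer)
    reason = "disguised as viewable type" if looks_disguised(filename) else "no approved viewer"
    # Always report the full name with its real extension so nothing is hidden.
    return ("refuse", f"{filename!r}: true type .{ext or '?'}, {reason}")


if __name__ == "__main__":
    # Constructed sample attachment names.
    for name in ["holiday.jpg", "notes.TXT", "cool_picture.jpg.exe",
                 "invoice.txt      .com", "setup.com", "README"]:
        print(name, "->", open_attachment(name))
```
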