Bugtraq mailing list archives

RE: Eudora MUA: Risky practice -> Security domains


From: borjam () sarenet es
Date: Mon, 27 Aug 101 23:20:33 MET

I'm sorry, maybe I'm missing the point, but what is keeping the user
from deleting the file in Explorer, besides the fact that they may
execute one of them "by accident"?  Also, isn't this an issue no matter
what you're doing?  That you might do something "by accident" that has
undesired effects?

        Well, it is a problem with security domains. You can 
consider that the contents of an email message which you have 
received from who knows where may not be trusty, but the contents in 
your hard disk (especially, files forgotten long ago) may not look 
suspicious to the user, hence he/she may execute them without paying 
attention to the risks. They are simply "files in the hard disk", 
not "attachments in a message".

        When you receive an email message with Eudora, the attached 
files travel from one security domain to another without user 
intervention. User intervention is required (for example) to delete 
them, with the known risks.

        A file should never cross the "border" between two security 
domains without explicit user intervention. For example, with KMail 
or Netscape (at least the last versions I used), you have to select 
the attachment and save (or open) it. If you don't select it, it 
isn't extracted.

        A MUA and a web browser are security applications. A flaw 
can lead to a complete system compromise.

        And don't forget something apparently silly, but important: 
the less code deals with a suspicious attachment, the less 
probability of using a security bug. If the attachments are 
automatically extracted whenever a message is received, and there is 
a security flaw in the extraction code, it will be possible to 
exploit it even though the user doesn't open the attachment. 
Designing software with this kind of precautions is a good thing, 
IMHO.

I'm sorry, but I have to disagree with you here.  It's a windows
feature;  when you double-click an executable, it executes.  If you
double-click a JPEG, it brings up the default viewer with the JPEG in
it.  How is it the fault of Windows that a careless user might
accidentally run an executable?

        Well, when some smart guy felt innovative and decided that 
Windows should have a lot of different permissions in files, he 
somehow forgot to add an "execute" permission. This *is* a problem 
in a system connected to a network. A file extension is information 
received from the outside, in the message headers. An execute 
permission is not transmitted through MIME.

        Just think about the situation in Unix: unless you are the 
superuser, you cannot run a program unless it is marked as 
executable. It is a protection embedded in the operating system, at 
the program execution system call.

        And in the command line, if you follow good practice and 
don't put the current directory in the PATH, you won't execute a 
file outside of the system directories (or whatever you have in the 
PATH) by accident, unless you explicitly write the complete path to 
the program or "./". Is this similar to Windows? ;-)

        Regards,

        Borja.
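The two Unix protections Borja describes (the kernel refusing to exec a file with no execute bit, and a PATH without "." not picking up a file from the current directory) can be checked directly. This is an added example, not part of the original post; it assumes a Unix host with mktemp and a writable, exec-capable temp directory, and builds its own throwaway files.

```shell
#!/bin/sh
# Added example (not from the original post): exercises the execute-bit
# check and the PATH lookup rule discussed above, in a temp directory.

# Returns 1 when a readable but non-executable file is refused by the
# kernel (EACCES at execve), 0 if it ran anyway. 1 is the expected result,
# for root as well, since no execute bit is set at all.
exec_without_x_bit() {
    dir=$(mktemp -d) || return 2
    printf '#!/bin/sh\necho RAN\n' > "$dir/attachment.sh"
    chmod 0644 "$dir/attachment.sh"          # readable, no execute bit
    if "$dir/attachment.sh" >/dev/null 2>&1; then
        rm -rf "$dir"; return 0              # it ran: no protection
    fi
    rm -rf "$dir"; return 1                  # refused: protection works
}

# Runs the bare command name "ls" with the PATH given as $1, from a
# directory that contains an executable file also named "ls".
# With "." absent from PATH the system ls runs and lists the directory
# (printing "ls"); with "." first, the local file runs instead ("LOCAL").
run_ls_with_path() {
    dir=$(mktemp -d) || return 2
    printf '#!/bin/sh\necho LOCAL\n' > "$dir/ls"
    chmod 0755 "$dir/ls"
    out=$(cd "$dir" && PATH="$1" ls 2>/dev/null) || out=""
    rm -rf "$dir"
    printf '%s\n' "$out"
}

# Stand-alone demonstration output.
if exec_without_x_bit; then
    echo "non-executable file ran (no kernel protection)"
else
    echo "non-executable file refused by the kernel"
fi
echo "ls with PATH=/usr/bin:/bin   -> $(run_ls_with_path /usr/bin:/bin)"
echo "ls with PATH=.:/usr/bin:/bin -> $(run_ls_with_path .:/usr/bin:/bin)"
```

The second call is the "current directory in the PATH" practice the post warns against; the first shows the lookup that good practice gives.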