RE: A worm...

["Schmehl, Paul L" <pauls () utdallas edu>]

Unfortunately, Microsoft is now including an unzipper program in their
OS (XP), so it's much easier for a lay user to make a mistake.  It used
to be that if you wanted to deal with zip files you needed to download
WinZip, PKZip or something similar, but now, thanks to Microsoft, all
you have to do is double click.

Mind you, it will *still* prompt you for a location to put the archived
files and you *still* have to go get those files and double click on
them to run them.  It's just a bit easier for the novice to get to them
now.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

> -----Original Message-----
> From: Richard M. Smith [mailto:rms () computerbytesman com] 
> Sent: Thursday, June 26, 2003 7:44 AM
> To: full-disclosure () lists netsys com
> Subject: RE: [Full-disclosure] A worm...
>
>
> Hi Peter,
>
> Thanks for the background info.  Because of the password 
> issue, any security protections for .ZIP files need to be 
> built into a unzipper program.  As a minimum, Microsoft needs 
> to put a warning dialog in the Windows unzipper when 
> double-clicking on an executable file in a .ZIP file that 
> comes attached to an email message.  Better yet, don't allow 
> .ZIP files to be opened from an email message.  Force people 
> to save them first.  Netscape had this second basic 
> protection scheme in Communicator years ago.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html