Secure Coding mailing list archives

Re: Hypothetical design question


From: Dave Aronson <securecoding () dja mailme org>
Date: Wed, 28 Jan 2004 19:54:36 +0000

On Wed January 28 2004 11:05, Paco Hope wrote:

> I don't think there is *more* control if you save to
> disk and execute versus clicking an attachment in email. The two are
> exactly the same. Clicking the attachment in the email client is
> basically a macro. It saves to a temporary file, then executes the
> temporary file. The result is exactly the same as if the user saved
> the attachment to a file and then clicked on the file they made.
> Any controls possible in one context are possible in the other.

Sort of.  Saving it externally makes it much easier to decide on a case 
by case basis how you want to open it, such as opening a suspected 
mal-script with vi rather than executing it.  Many MUAs are difficult 
to configure correctly WRT how to handle various kinds of files, and 
some will not let you (at least easily) open it with other than the 
currently specified handler for its type (which may be incorrectly 
specified or represented).

-- 
Dave Aronson, Senior Software Engineer, Secure Software Inc.
(Opinions above NOT those of securesw.com unless so stated!)
Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org
Web: http://destined.to/program http://listen.to/davearonson
