Secure Coding mailing list archives

RE: Re: Hypothetical design question


From: "Ben Corneau" <bencorneau () adelphia net>
Date: Sat, 31 Jan 2004 16:57:19 +0000


The other part of this issue, of course, is that Outlook hides the true
file extension.  If it is SRC, EXE, COM or such, one can fool Outlook into
hiding the *real* file type so you think you are looking at a picture when
in fact you may be executing a program (which may display a picture as a
part of the process to think you got what you expected) which installs
back doors onto the system (either for later entry, or to send information
out).

If we had 'full disclosure' there might not be such a problem.

MSH

As of Outlook 2000 SP2 Outlook blocks access to most executable file types
(EXE, COM, SCR, BAT, VBS, etc.) unless the Exchange Server is specifically
configured to allow them (also configurable per PC via registry settings
from Outlook 2000 SP3 and later).  I'm also quite certain that Outlook (at
least the more recent versions) does not hide file extensions regardless of
Windows Explorer settings to hide file extensions.

Ben 

-----------------------------------
Michael S Hines
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Ken Goldman
Sent: Thursday, January 29, 2004 1:39 PM
To: [EMAIL PROTECTED]
Subject: [SC-L] Re: Hypothetical design question


the user community has grown very fond of some of the very features 
that viruses and worms thrive on (e.g., file attachments that can be 
executed with a single/double click of a mouse)

I don't think this is quite true.  I think most users want to __view__
attachments, either pictures or text.  They expect the viewer to be Word,
Powerpoint, Paint, etc.  They don't expect, when they click on an attachment,
to __execute__ it.

Most virus attachments disguise themselves as text or pictures.  The
accompanying teaser text says "look at this cool picture" or "here's the
document you asked for".  The teaser text never says "here's the program I
want you to execute."

So my improved email client would say, "clicking an attachment can pass its
contents to this approved list of viewers, but it will never just execute
the attachment."

--
Ken Goldman   [EMAIL PROTECTED]   914-784-7646
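Ken's proposal (a click only hands the attachment to an approved viewer and never executes it), together with the disguised-extension problem Michael describes, as an added Python sketch that is not part of this thread or of any mail client; the viewer program names and the magic-byte table are assumptions chosen for the example:

```python
from typing import Optional, Tuple

# Executable extensions the thread names (EXE, COM, SCR, BAT, VBS);
# the page says "etc.", so this constructed set is not exhaustive.
EXECUTABLE_EXTENSIONS = {"exe", "com", "scr", "bat", "vbs"}

# Ken's design: a click may only hand the bytes to an approved viewer.
# Viewer names are hypothetical placeholders.
APPROVED_VIEWERS = {"jpg": "image-viewer", "jpeg": "image-viewer",
                    "gif": "image-viewer", "png": "image-viewer",
                    "txt": "text-viewer", "doc": "word-viewer",
                    "ppt": "powerpoint-viewer"}

# Leading bytes of formats we recognise, so a file named "photo.jpg"
# whose bytes are a Windows program is caught regardless of its name.
MAGIC = {b"\xff\xd8\xff": "jpg", b"GIF89a": "gif",
         b"\x89PNG\r\n\x1a\n": "png",
         b"MZ": "exe"}  # "MZ" is the DOS/Windows executable header

def real_extension(filename: str) -> str:
    """Final suffix, lower-cased, after trimming trailing spaces and dots:
    'cool picture.jpg.exe' resolves to 'exe', not the 'jpg' a user sees."""
    name = filename.strip().rstrip(". ")
    if "." not in name:
        return ""
    return name.rpartition(".")[2].strip().lower()

def sniff_type(data: bytes) -> Optional[str]:
    """Content type from the leading bytes, or None if unrecognised."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def dispatch(filename: str, data: bytes) -> Tuple[str, str]:
    """What a click does: ("view", viewer) or ("blocked", reason).
    There is deliberately no "execute" outcome."""
    ext = real_extension(filename)
    sniffed = sniff_type(data)
    if ext in EXECUTABLE_EXTENSIONS:
        return ("blocked", f"executable extension .{ext}")
    if sniffed == "exe":
        return ("blocked", "content is a program (MZ header) despite the name")
    kind = sniffed or ext  # trust the bytes over the name where we can
    viewer = APPROVED_VIEWERS.get(kind)
    if viewer is None:
        return ("blocked", f"no approved viewer for .{kind or '(none)'}")
    return ("view", viewer)
```

The name check alone would pass "photo.jpg" containing a program, which is why the bytes are sniffed as well; the reverse case (a clean-looking program header under a picture name) is the one the MZ check catches.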
