Re: FUD about security and file extensions (was Re: Why file content sniffing sucks)
- From: Adam Williams <awilliam whitemice org>
- To: Fabio Gomes <bugtraq gs2 com br>
- Cc: Gnome List <gnome-list gnome org>
- Subject: Re: FUD about security and file extensions (was Re: Why file content sniffing sucks)
- Date: Fri Dec 26 12:17:23 2003
> > > 1. Windows hides the .exe
> > > 2. Even if Windows does not have the .exe, the users are able to execute
> > > attached programs.
> > So you're advocating that all users know what .exe means. Oh, and .pl,
> > .py, .sh, etc etc. Yes, that's really a solution... not.
> > Or are you advocating that we kill email functionality by disallowing
> > the manual opening of attachments to protect the user?
> No. If you've read carefully, you will notice that I said "the users
> are able to execute attached *programs*". It is insane to execute
> attached *programs* from mail clients. Clients must open only files with
> their associated application. And if we associate .py, .pl, .sh and .tcl
> with their interpreters, we are running programs as if they were
> documents, putting the user at risk.
If a user can execute a temporary file your system is configured
poorly.
> I'm advocating that we separate the concepts of 'opening files' from
> 'running programs'. An e-mail client should not 'run programs'. Just
> 'open files'.
It should be left up to the site administrator - and it already is.
> The Micros~1 flaw is to have a single function
> (ShellExecute, actually) that opens files, programs, URLs, etc. If they
> had a ShellOpenFile and a ShellExecute and used them in the correct
> places, they wouldn't have such problems.
Microsoft has lots of problems.
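
The two positions in this exchange, sketched as an added example that is not part of either poster's message: a mail client that keeps "open a file" separate from "run a program", and saves attachments as temporary files with no execute bit. The function names and the policy tables are assumptions made for illustration; only the extensions come from the thread.

```python
import os
import tempfile

# Assumed policy tables. The extensions are the ones named in the thread;
# the magic-byte list is a constructed sample (PE, ELF, script shebang).
PROGRAM_EXTENSIONS = {".exe", ".pl", ".py", ".sh", ".tcl"}
PROGRAM_MAGIC = (b"MZ", b"\x7fELF", b"#!")


def classify(name: str, data: bytes) -> str:
    """Return 'program' or 'document' using both the name and the content."""
    ext = os.path.splitext(name)[1].lower()
    if ext in PROGRAM_EXTENSIONS:
        return "program"
    # The name alone is not trusted: a program renamed to .jpg is still a program.
    if data.startswith(PROGRAM_MAGIC):
        return "program"
    return "document"


def save_attachment(name: str, data: bytes, directory: str) -> str:
    """Write the attachment to a temporary file that carries no execute bit."""
    suffix = os.path.splitext(name)[1]
    fd, path = tempfile.mkstemp(suffix=suffix, dir=directory)
    with os.fdopen(fd, "wb") as handle:
        handle.write(data)
    os.chmod(path, 0o600)  # owner read/write only, so it cannot be exec'd directly
    return path


def open_attachment(name: str, data: bytes, directory: str):
    """Return ('open', path) for documents and ('refuse', None) for programs.

    The caller hands 'open' paths to a viewer; nothing here runs the file.
    """
    if classify(name, data) == "program":
        return ("refuse", None)
    return ("open", save_attachment(name, data, directory))
```

Clearing the execute bit does not stop an interpreter from being pointed at the file, which is why the classification step refuses script types instead of relying on permissions alone.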