Re: FUD about security and file extensions (was Re: Why file content sniffing sucks)



> > > 1. Windows hides the .exe
> > > 2. Even if Windows does not have the .exe, the users are able to execute
> > > attached programs.
> > So you're advocating that all users know what .exe means.  Oh, and .pl,
> > .py, .sh, etc etc.  Yes, that's really a solution... not.
> > Or are you advocating that we kill email functionality by disallowing
> > the manual opening of attachments to protect the user?
> No. If you've read carefully, you will notice that I said "the users
> are able to execute attached *programs*". It is insane to execute
> attached *programs* from mail clients. Clients must open only files with
> their associated application. And if we associate .py, .pl, .sh and .tcl
> with their interpreters, we are running programs as if they were
> documents, putting the user at risk.

If a user can execute a temporary file, your system is configured
poorly.

> I'm advocating that we separate the concepts of 'opening files' from
> 'running programs'. An e-mail client should not 'run programs'. Just
> 'open files'.

It should be left up to the site administrator - and it already is.

> The Micros~1 flaw is to have a single function
> (ShellExecute, actually) that opens files, programs, URLs, etc. If they
> had a ShellOpenFile and a ShellExecute and used them in the correct
> places, they wouldn't have such problems.

Microsoft has lots of problems.



