Re: FUD about security and file extensions (was Re: Why file content sniffing sucks)
- From: Fabio Gomes <bugtraq gs2 com br>
- To: Charles Goodwin <charlie xwt org>
- Cc: Gnome List <gnome-list gnome org>
- Subject: Re: FUD about security and file extensions (was Re: Why file content sniffing sucks)
- Date: Fri Dec 26 08:10:02 2003
On Fri, 2003-12-26 at 07:05, Charles Goodwin wrote:
> > 1. Windows hides the .exe
> > 2. Even if windows does not have the .exe, the users are able to execute
> > attached programs.
> So you're advocating that all users know what .exe means. Oh, and .pl,
> .py, .sh, etc etc. Yes, that's really a solution... not.
> Or are you advocating that we kill email functionality by disallowing
> the manual opening of attachments to protect the user?
No. If you've read carefully, you will notice that I said "the users
are able to execute attached *programs*". It is insane to execute
attached *programs* from mail clients. Clients must open only files with
their associated application. And if we associate .py, .pl, .sh and .tcl
with their interpreters, we are running programs as if they were
documents, putting the user at risk.
I'm advocating that we separate the concepts of 'opening files' from
'running programs'. An e-mail client should not 'run programs'. Just
'open files'. The Micros~1 flaw is to have a single function
(ShellExecute, actually) that opens files, programs, URLs, etc. If they
had a ShellOpenFile and a ShellExecute and used them in the correct
places, they wouldn't have had such problems.
Fabio Gomes de Souza <fabio gs2 com br> (+55 81 9127-0597)
.- GS2 TECNOLOGIA DA INFORMACAO LTDA :: www.gs2.com.br
|- IT Infrastructure :: Security :: Embedded systems :: Linux
`- Olinda, Brazil - +55 81 3492-7777 - negocios gs2 com br
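The separation Fabio argues for above, as an added example that is not part of the thread: an attachment dispatcher whose only verb is "open". It sniffs magic bytes and `#!` lines, falls back to the extension, and maps every type to a *viewer* (scripts go to a text editor, never to their interpreter); binary executables have no viewer and are refused, whether or not the extension is hidden. The viewer names (`evince`, `eog`, `gedit`) and the sample attachments are assumed placeholders.

```python
"""Attachment dispatcher that only ever *opens* files, never *runs* them."""
from dataclasses import dataclass
from typing import Optional

# Well-known magic numbers -> MIME type (content sniffing, first signal).
MAGIC = (
    (b"\x7fELF", "application/x-executable"),
    (b"MZ", "application/x-dosexec"),
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
)

# Extension associations (second signal, used when the content says nothing).
EXTENSIONS = {
    ".pdf": "application/pdf", ".png": "image/png", ".txt": "text/plain",
    ".py": "text/x-python", ".pl": "text/x-perl", ".sh": "text/x-shellscript",
    ".exe": "application/x-dosexec",
}

# Every handler here is a document viewer. Scripts are deliberately associated
# with a text editor, not with their interpreter. Viewer names are assumed
# placeholders for whatever the desktop provides.
VIEWERS = {
    "application/pdf": "evince",
    "image/png": "eog",
    "text/plain": "gedit",
    "text/x-python": "gedit",
    "text/x-perl": "gedit",
    "text/x-shellscript": "gedit",
}

# Types with no document viewer: "opening" one could only mean running it.
BINARY_PROGRAMS = {"application/x-executable", "application/x-dosexec"}


@dataclass
class Decision:
    action: str            # "view" or "refuse"
    argv: Optional[list]   # viewer command line when action == "view"
    reason: str


def sniff(data: bytes) -> Optional[str]:
    """Content sniffing: magic bytes first, then a #! line for text scripts."""
    for signature, mime in MAGIC:
        if data.startswith(signature):
            return mime
    if data.startswith(b"#!"):
        words = data.split(b"\n", 1)[0][2:].strip().split()
        if not words:
            return None
        if words[0].endswith(b"env") and len(words) > 1:
            interp = words[1]                 # "#!/usr/bin/env python"
        else:
            interp = words[0].rsplit(b"/", 1)[-1]  # "#!/bin/sh"
        name = interp.decode("ascii", "replace")
        if name.startswith("python"):
            return "text/x-python"
        if name.startswith("perl"):
            return "text/x-perl"
        if name in ("sh", "bash", "dash"):
            return "text/x-shellscript"
    return None


def by_extension(filename: str) -> Optional[str]:
    """Extension lookup; a hidden or missing extension simply yields None."""
    dot = filename.rfind(".")
    return EXTENSIONS.get(filename[dot:].lower()) if dot >= 0 else None


def decide_open(filename: str, data: bytes) -> Decision:
    """Pick a viewer for an attachment. There is no code path that executes it."""
    content_type = sniff(data)
    ext_type = by_extension(filename)
    # A program is a program whatever it is called: refuse if either signal says so.
    for mime in (content_type, ext_type):
        if mime in BINARY_PROGRAMS:
            return Decision("refuse", None,
                            f"{filename!r} is a program ({mime}); attachments are opened, never run")
    mime = content_type or ext_type      # trust the bytes over the name
    viewer = VIEWERS.get(mime) if mime else None
    if viewer is None:
        return Decision("refuse", None, f"no viewer association for {filename!r}")
    return Decision("view", [viewer, filename], f"opening as {mime}")


if __name__ == "__main__":
    # Constructed sample attachments, including an ELF disguised as a PDF
    # and a Windows executable with its extension dropped.
    samples = [
        ("report.pdf", b"%PDF-1.4\n"),
        ("invoice.pdf", b"\x7fELF\x02\x01\x01"),
        ("setup", b"MZ\x90\x00"),
        ("hello.py", b"#!/usr/bin/env python\nprint(1)\n"),
        ("notes.txt", b"hello\n"),
    ]
    for name, payload in samples:
        d = decide_open(name, payload)
        print(f"{name:12} -> {d.action:6} {d.argv or ''} ({d.reason})")
```

A real client would hand `decision.argv` to `subprocess.run` only when `action == "view"`; because the table contains no interpreters and binary types never reach that point, the client has a ShellOpenFile but no ShellExecute, which is exactly the split the message asks for.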