Re: [PMH] Re: [Nautilus-list] Idea for Nautilus and GMC.



On 24 May 2001 00:00:49 -0400, Miguel de Icaza wrote:
> > what if someone distributes a malicious elf/a.out binary as
> > foo-1.5-2.i386.rpm the user will open the file with gmc/nautilus and
> > instead of telling the user "no viewer capable of opening this file" (or
> > whatever it says when someone runs a binary w/o the execute bit) it will
> > set the execute bit and run the file. boom!
> 
> I have said this a couple gazillion of times.  But here it goes
> gazillion plus one:
> 
> 	He will get a warning that the program is about to be executed
> 	and that it lacks a security bit.

And for the gazillion and oneth time on the other side: IT DOESN'T
MATTER. It doesn't matter how many warnings the user gets. It doesn't
matter how dire they are. You can pop up a dialog that says "If you
proceed, your children will be kidnapped, tortured, and murdered", and
*THEY'LL STILL CLICK "OK"* because they want to see the funny joke
they've been promised is in the attachment. This has been demonstrated
time and time again in the Outlook world. The so-called "security fixes"
for Outlook have done almost nothing to slow the spread of viruses.

Do you really think that your mom would know that double-clicking an RPM
is not supposed to pop up a dialog talking about a security bit?


Here's another scenario. I send out a message with two attachments
"foo.jpg" and "foo-no-security-bit.jpg". The first contains random data,
the second contains a trojan horse. I mention in the message that some
versions of Evolution don't properly handle the "security bit" in the
first image, so I've also attached a second copy without the security
bit set. Recipient tries to view the first attachment, but it doesn't
work (cause it's random data). User then tries to view the second
attachment, the exe handler warns that he's trying to execute a binary
without the security bit set, and the user clicks "ok", because after
all, the message already told him to expect that, right? Boom.


If you feel comfortable shipping the exe-handler without a warning
dialog, well, then, go ahead, I guess (but please don't tie it into
gnome-vfs!). But don't kid yourself into believing that a warning
message will make it any more secure.

-- Dan

PS - Oh, and not all OSes use ELF/a.out. You need something more
generic.




