Re: Thank you.....and goodbye
From: *Vanguard* (no-email_at_no-spam.invalid)
Date: 02/24/04
- Next message: Nick Cavalancia: "Re: Outlook 2003 sending via exchange instead of pop3"
- Previous message: MIG: "Preview Pane Pain"
- In reply to: Brian Tillman: "Re: Thank you.....and goodbye"
- Next in thread: Brian Tillman: "Re: Thank you.....and goodbye"
- Reply: Brian Tillman: "Re: Thank you.....and goodbye"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 24 Feb 2004 12:01:30 -0600
"Brian Tillman" said in
news:%235o%23mgu%23DHA.3500@TK2MSFTNGP10.phx.gbl:
> *Vanguard* <no-email@no-spam.invalid> wrote:
>
>> And apparently none of these senders ever considers the hazard of
>> executable attachments, huh?
>
> Sorry, but this is the tail wagging the dog. Email clients shouldn't
> EVER _execute_ an attachment. That's stupidity in the extreme.

You have an e-mail client that becomes a command interpreter that will load
the attachment file into memory and start its execution? On Windows using
Outlook or OE, a shell or application runs the attachment file if you decide
to run it. You clicking on Open in the dialog to choose what to do with the
attachment does NOT have the e-mail client run the attachment. But I get
your point and that was my point, too, that no one should be sending a live
bomb through e-mail by using an extension for the attachment's filename that
renders it an executable file. With Windows, the extension determines the
server application that will load the file, and some extensions are
executable. So receiving something like "formatdisk.exe" could be very bad
news to the recipient.

A more appropriate security measure would have been for the e-mail client to
rename every "bad" attachment (those that have extensions like .exe, .com,
.js, .vbs, and so on) in a received e-mail so it has a non-executable
extension (since that's how Windows associates filetypes to what program is
used to load and run it). If the Windows e-mail client renamed every
attachment in a received e-mail by appending ".ATT", ".HAZ", ".XXX", or
whatever was deemed appropriate, we wouldn't be screwing around with this
stupid security block. The attachment couldn't be executed until the user
saved it and renamed it to remove the security extension. So attachment
"formatdisk.exe.att" won't get accidentally executed and the recipient knows
how to rename the file (by removing ".att") without having to be told what
is the correct extension to make it executable if they so choose. I suppose
some virus could alter the e-mail client's behavior so it did not append the
security extension, but then a virus could also alter the registry so that
.exe was no longer a Level 1 blocked filetype. It would be much harder for
a virus to alter a fixed and hardcoded behavior in the code of the e-mail
client than to alter registry values (although I can see using a plug-in
could do the job just as easily).

In fact, using a security extension is what I do. I use SpamPal to detect
spam e-mails. It has an HTML-Modify plug-in which has an option to rename
all attachments with "bad" extensions to append a ".TXT" extension, so no
bad attachment will ever be executable. Not until I save the file and
rename it can it be executed, but obviously I've taken several deliberate
and overt steps to make the file executable. Basically I defuse all those
live bombs that senders might e-mail to me. Some folks just don't think
farther ahead than their next breath.
--
____________________________________________________________
*** Post replies to newsgroup. E-mail is not accepted. ***
____________________________________________________________
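
Added example, not part of the original post and not SpamPal's code: a minimal mail-filter sketch of the "security extension" idea described above, which appends ".att" to hazardous attachment names before the message reaches the client. The blocklist, the function names and the sample message are assumptions made for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist: the post names .exe, .com, .js, .vbs "and so on".
HAZARDOUS = {".exe", ".com", ".js", ".vbs"}
SAFE_SUFFIX = ".att"  # one of the suffixes the post suggests


def is_hazardous(filename):
    # Windows drops trailing dots and spaces, so "setup.exe. " still opens as .exe.
    name = filename.rstrip(". ").lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in HAZARDOUS


def defuse(raw):
    """Return (rewritten message bytes, list of (old, new) attachment names)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    renamed = []
    for part in msg.walk():
        old = part.get_filename()
        if not old or not is_hazardous(old):
            continue
        new = old.rstrip(". ") + SAFE_SUFFIX
        # The name can live in either header; rewrite whichever is present.
        for header, param in (("Content-Disposition", "filename"), ("Content-Type", "name")):
            if part.get_param(param, header=header) is not None:
                part.set_param(param, new, header=header, replace=True)
        renamed.append((old, new))
    return msg.as_bytes(), renamed


def sample_message():
    # Constructed test message; names and contents are made up for the example.
    msg = EmailMessage()
    msg["Subject"] = "files"
    msg.set_content("see attached")
    for name in ("formatdisk.exe", "notes.txt", "Report.PDF.VBS", "setup.exe."):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def attachment_names(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments()]
```

The check looks only at the last extension after stripping trailing dots and spaces, so double extensions such as "Report.PDF.VBS" and names like "setup.exe." are still caught, while an already defused "formatdisk.exe.att" is left alone.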