Author: W B Hacker Date: To: exim users Subject: Re: [exim] caution to those blocking files by extension
Peter Velan wrote: > am 2006-11-04 14:37 schrieb John Hall:
>> On 11/4/06, Peter Velan <pv0001@???> wrote:
>>
>>>>> Will windoze execute a file that ends in dot-space-space-space-exe ?
>>>>> dosent the os see this as NOT ending in .exe
>>>> I think that windows will happily exec the file, but I don't have a
>>>> machine to test on.
>>> You are right - WindowsXP with shell cmd.exe:
>>>
>>> C:\>"xxx. exe" --- will "happily" be executed.
>> Except your average user is not going to extract the file from the zip
>> file and then launch a command prompt in order to run it.
>
> There was no mention of a .zip in the original posting ;-) But, you are
> right with:
>
>> If you
>> simply double-click the file, Windows does not appear to be willing to
>> execute it.
>
> The real danger ist an old, unpatched client which opens an attachment
> without users intervention. Wasn't there some problems with .lnk or .pif
> or something else in the past? What kind of mechanism was involved in
> these cases? I'm sure it was not the "shell" named "Windows Explorer"
> with its doubleclicking technique.
>
> Greetings,
> Peter
>
ISTR it had to do with the client being led to try to open an attachment because
it was interpreted as something that was to be displayed, or masqueraded as
something needed by a displayed part.
The process of opening then allowed the WinCrobe to act with the authority of
the logged-in user of the MUA - all too often an 'Administrator' equivalent.
Note that this persists with embedding calls to off-box files and 'images'
(which may not be...) in html malware - not as obvious as 'clickable' links.
Blocking or converting html is painful 'coz so many folks who compose in it are
not even aware they are doing so, let alone being willing to work in text instead.
NB: We've just started adding html-block as a 'recipient choice', as well as
(still in test) checking for a user's choice of *permitted* attachments (short
list!) rather than *prohibited* attachments (far too long of a list).
- Where the user's choice for attachment filename can be a proprietary code
agreed with regular correspondents - who must, of course rename the file before
attaching.
Fairly low-nuisance between/among, for example branch offices & HQ.
Otherwise, sort of TMDA'ish for 'new' arrivals. TANSTAAFL.
But it is cheap and cheerful and seems to make more sense than trying to OCR
arriving .gif's.
%20But,%20you%20are%0A>%20>%20right%20with:%0A>%20>%20%0A>%20>>%20If%20you%0A>%20>>%20simply%20double-click%20the%20file,%20Windows%20does%20not%20appear%20to%20be%20willing%20to%0A>%20>>%20execute%20it.%0A>%20>%20%0A>%20>%20The%20real%20danger%20ist%20an%20old,%20unpatched%20client%20which%20opens%20an%20attachment%0A>%20>%20without%20users%20intervention.%20Wasn't%20there%20some%20problems%20with%20.lnk%20or%20.pif%0A>%20>%20or%20something%20else%20in%20the%20past?%20What%20kind%20of%20mechanism%20was%20involved%20in%0A>%20>%20these%20cases?%20I'm%20sure%20it%20was%20not%20the%20%22shell%22%20named%20%22Windows%20Explorer%22%0A>%20>%20with%20its%20doubleclicking%20technique.%0A>%20>%20%0A>%20>%20Greetings,%0A>%20>%20Peter%0A>%20>%20%0A>%20%0A>%20ISTR%20it%20had%20to%20do%20with%20the%20client%20being%20led%20to%20try%20to%20open%20an%20attachment%20because%20%0A>%20it%20was%20interpreted%20as%20something%20that%20was%20to%20be%20displayed,%20or%20masqueraded%20as%20%0A>%20something%20needed%20by%20a%20displayed%20part.%0A>%20%0A>%20The%20process%20of%20opening%20then%20allowed%20the%20WinCrobe%20to%20act%20with%20the%20authority%20of%20%0A>%20the%20logged-in%20user%20of%20the%20MUA%20-%20all%20too%20often%20an%20'Administrator'%20equivalent.%0A>%20%0A>%20Note%20that%20this%20persists%20with%20embedding%20calls%20to%20off-box%20files%20and%20'images'%20%0A>%20(which%20may%20not%20be...)%20in%20html%20malware%20-%20not%20as%20obvious%20as%20'clickable'%20links.%0A>%20%0A>%20Blocking%20or%20converting%20html%20is%20painful%20'coz%20so%20many%20folks%20who%20compose%20in%20it%20are%20%0A>%20not%20even%20aware%20they%20are%20doing%20so,%20let%20alone%20being%20willing%20to%20work%20in%20text%20instead.%0A>%20%0A>%20NB:%20We've%20just%20started%20adding%20html-block%20as%20a%20'recipient%20choice',%20as%20well%20as%20%0A>%20(still%20in%20test)%20checking%20for%20a%20user's%20choice%20of%20*permitted*%20attachments%20(short%20%0A>%20list!)%20rather%20than%20*prohibited*%20attachments%20(far%20too%20long%20of%20a%20list).%0A>%20%0A>%20-%20Where%20the%20user's%20choice%20for%20attachment%20filename%20can%20be%20a%20proprietary%20code%20%0A>%20agreed%20with%20regular%20correspondents%20-%20who%20must,%20of%20course%20rename%20the%20file%20before%20%0A>%20attaching.%0A>%20%0A>%20Fairly%20low-nuisance%20between/among,%20for%20example%20branch%20offices%20&%20HQ.%0A>%20%0A>%20Otherwise,%20sort%20of%20TMDA'ish%20for%20'new'%20arrivals.%20TANSTAAFL.%0A>%20%0A>%20But%20it%20is%20cheap%20and%20cheerful%20and%20seems%20to%20make%20more%20sense%20than%20trying%20to%20OCR%20%0A>%20arriving%20.gif's.%0A>%20%0A>%20:-(%0A>%20%0A>%20Bill%0A>%20%0A>%20%0A>%20 "Reply to this message")