Secure Coding mailing list archives
Re: Hypothetical design question
From: Dave Aronson <securecoding () dja mailme org>
Date: Wed, 28 Jan 2004 19:54:36 +0000
On Wed January 28 2004 11:05, Paco Hope wrote:
> I don't think there is *more* control if you save to disk and execute versus clicking an attachment in email. The two are exactly the same. Clicking the attachment in the email client is basically a macro. It saves to a temporary file, then executes the temporary file. The result is exactly the same as if the user saved the attachment to a file and then clicked on the file they made. Any controls possible in one context are possible in the other.
Sort of. Saving it externally makes it much easier to decide on a case by case basis how you want to open it, such as opening a suspected mal-script with vi rather than executing it. Many MUAs are difficult to configure correctly WRT how to handle various kinds of files, and some will not let you (at least easily) open it with other than the currently specified handler for its type (which may be incorrectly specified or represented).

--
Dave Aronson, Senior Software Engineer, Secure Software Inc.
(Opinions above NOT those of securesw.com unless so stated!)
Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org
Web: http://destined.to/program http://listen.to/davearonson
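Added example, not part of the original message or thread: a Python sketch of the "save it, then decide how to open it" step, which writes each attachment to a quarantine directory without invoking any handler and reports the declared type beside what the leading bytes actually look like. The sample message, the file naming and the small magic-byte table are constructed for illustration.

```python
import os
import tempfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading bytes that mean "this runs if handed to a handler" (illustrative table).
MAGIC = [(b"MZ", "windows-executable"), (b"\x7fELF", "elf-executable"), (b"#!", "script")]

def build_sample() -> bytes:
    """Constructed message: a shell script declared as text/plain, plus an honest text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "reader@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"#!/bin/sh\necho hello\n", maintype="text",
                       subtype="plain", filename="notes.txt")
    msg.add_attachment(b"plain notes\n", maintype="text",
                       subtype="plain", filename="readme.txt")
    return msg.as_bytes()

def sniff(data: bytes) -> str:
    """Classify content by its first bytes, ignoring the declared type and name."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "data"

def quarantine(raw: bytes, dest: str) -> list:
    """Save each attachment under a name we choose, mode 0600, and never open it."""
    records = []
    msg = message_from_bytes(raw, policy=policy.default)
    for index, part in enumerate(msg.iter_attachments()):
        data = part.get_payload(decode=True) or b""
        path = os.path.join(dest, f"attachment-{index}.bin")  # sender's name is not used
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as handle:
            handle.write(data)
        kind = sniff(data)
        records.append({"claimed_name": part.get_filename(),
                        "declared_type": part.get_content_type(),
                        "sniffed": kind, "path": path,
                        "executable": kind != "data"})
    return records

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as dest:
        for record in quarantine(build_sample(), dest):
            print(record)
```
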