Secure Coding mailing list archives

Bugs and flaws

From: bellovin at acm.org (Steven M. Bellovin)
Date: Wed, 01 Feb 2006 11:53:48 -0500

In message <43E0650D.7000205 at novell.com>, Crispin Cowan writes:

Unfortunately, this safety feature is nearly useless, because if you
take an infected whatever.doc file, and just *rename* it to whatever.rtf
and send it, then MS Word will cheerfully open the file for you when you
double click on the attachment, ignore the mismatch between the file
extension and the actual file type, and run the fscking VB embedded within.


That actually illustrates a different principle: don't have two 
different ways of checking for the same thing.

                --Steve Bellovin, http://www.stevebellovin.com

Current thread:

Bugs and flaws Gary McGraw (Jan 30)
- Bugs and flaws Crispin Cowan (Jan 31)
  - Bugs and flaws John Steven (Feb 01)
    - Bugs and flaws Crispin Cowan (Feb 01)
    - Bugs and flaws Wall, Kevin (Feb 02)
    - Bugs and flaws John Steven (Feb 02)
    - Bugs and flaws Crispin Cowan (Feb 02)
    - Bugs and flaws Jeff Williams (Feb 02)
    - Bugs and flaws Gunnar Peterson (Feb 01)
- <Possible follow-ups>
- Bugs and flaws Steven M. Bellovin (Feb 01)
- Bugs and flaws Gary McGraw (Feb 02)
  - Bugs and flaws Chris Wysopal (Feb 02)
    - Bugs and flaws David Crocker (Feb 02)
    - Bugs and flaws Chris Wysopal (Feb 02)
    - Bugs and flaws Blue Boar (Feb 02)
    - Bugs and flaws Al Eridani (Feb 03)
  - Bugs and flaws Gunnar Peterson (Feb 02)
- Bugs and flaws Gary McGraw (Feb 02)
  - Bugs and flaws Kenneth R. van Wyk (Feb 03)
- Bugs and flaws Gavin, Michael (Feb 02)

(Thread continues...)