RE: GMail blocking "executable" attachments

["Scovetta, Michael V" <Michael.Scovetta () ca com>]

Mike,
  Wow, I really didn't expect that. That could be considered a
vulnerability. *.txt files should not be executed, even if the
underlying content is in a binary format. A few things I've noticed:

1. Renaming foo.exe to foo (no extension) prevents foo from being
executed. It seems that just about any other extension (com, bat, .bar,
.txt) all have it executed.

2. It seems that only .exe files. Renaming batch files to .xyz doesn't
work, and renaming it to a .zip brings it up in winzip (or whatever is
registered for .zip files). .com files also don't work if you change the
extension. 

Consider renaming new_virus.exe to new_britney_spears.mp3 and pushing it
out to kazaa or something. People download it, and click on it in
Explorer. The file does whatever it wants to, because it's an
executable, and isn't picked up by winamp/etc.

Does anyone know if there's a registry key to disable this "feature"?

Michael Scovetta
Computer Associates
Senior Application Developer


-----Original Message-----
From: Michael Silk [mailto:michaelslists () gmail com] 
Sent: Wednesday, April 20, 2005 7:30 PM
To: Scovetta, Michael V
Cc: webappsec () securityfocus com
Subject: Re: GMail blocking "executable" attachments

I'm pretty sure they do.

It's depends on where the content will be delievered, I guess. If the
extension makes a difference as to whether it is executed or not then
there is no point checking the internal content. If the file is
executed based on it's header, then definately check it.

For example, find an executable, rename it to .txt and then go into
dos and type:
"whatever.txt". In my windows 2k and presumably XP, it will run it as
an executable, and not open it with notepad. If you double-click on it
from explorer, notepad opens it.

There should probably be a setting [but I suspect there already is] to
perform such a scan on the scanners you have on your servers.

-- Michael


On 4/19/05, Scovetta, Michael V <Michael.Scovetta () ca com> wrote:
> All-
>
> I've noticed that G-Mail blocks attachments that contain "executable"
> files. (A zip file containing an .MDB, and even a zip file containing
a
> zip file containing an .MDB). I assume they'd block all the usual
> suspects, but isn't that sort of the point of sending e-mails with
> attachments? Renaming the enclosed .MDB to .TXT allows it to be send
> through, so it's not really a major problem. Do you think Google
should
> be deep-scanning the files for content, or just the extension, and
would
> running a virus detector against it be just as good?
>
> No real issue here, I just thought it was interesting-not sure if
other
> major email providers do the same thing.
>
> Regards,
>
> Michael Scovetta
> Computer Associates
> Senior Application Developer