Re: [ga] Reliability of the Internet - the silent battle - part 2
On 2001-11-07 03:04:31 -0800, Roeland Meyer wrote:
>I am sorry if it caused you concern. The DAT file, while not
>normally executable, shouldn't have been there. I thought my
>methods had removed it. My filters had already renamed it to the
>DAT type, which is a non-executable type under Windows, and I
>manually deleted the attachment from the message.

Whatever your filter did, it was only visible on your system. Your
message had an application/mixed attachment with a file name ending
in .doc.com, which contained a 16-page Word document at offset
137216.

Of course, the problem you are trying to describe has nothing at all
to do with attachments "as such": It's more about inappropriate
interpretation of attachments in implementations, and about users
who carelessly execute every program sent to them. This leads, in
turn, to software trying to second-guess malware, with all evil side
effects this may have.

The problem is also (and, one may say, even more so) about using and
being used to inappropriate data formats when transferring data.
Word documents can contain macros, which can basically control a
Windows PC. That's a problem in any circumstance where such
documents cross trust boundaries - be it, possibly, on local
networks, be it on the web, or be it via e-mail. That is, making
Word documents available for download is in no way better than
attaching them to e-mail messages.

The same argument does, of course, apply to any "active" content
being spread on the net, including even HTML when clients on the
receiving end are configured without paying attention to trust
boundaries. (With Windows, you should possibly have another look at
your Security Zones settings, and make sure that e-mail content is
considered to come from some zone which has sufficiently paranoid
security settings.)

This means that any data formats having "active" components are
totally inappropriate when publishing information which is supposed
to cross trust boundaries. If you want to publish or spread large
documents, use plain text (which is sufficient for most things), or
use HTML or PDF (and hope that your correspondents either don't know
about the possible dangers, or are using sufficiently safe viewers).

Concerning Peter de Blanc's "complaint" about Roeland's message, and
the news item about f-prot being integrated with listserv which was
forwarded by Danny: Filtering viruses and worms at mailing list
distribution points is pointless, and a cosmetic "solution" _at_
_best_. Because, either users rely on software which isn't
susceptible to the worms and viruses generally distributed - in this
case, filtering is unnecessary. Or they are using software which is
susceptible. In this case, they are acting irresponsibly when not
using local filtering solutions anyways. In this case, central
scanning will possibly delay infection (and learning of an important
lesson) a bit - but such users will eventually be hit directly. That
effect is nothing worth spending any money or effort for.

Thus, scanning for malware at list servers only helps to reduce
bandwidth consumption (a bit), and it does of course help to cover
up the fact that quite a few virus-scanning gateways are of so poor
quality that they aren't even able to properly determine where to
send an error message.

--
Thomas Roessler http://log.does-not-exist.org/
--
This message was passed to you via the ga@dnso.org list.
Send mail to majordomo@dnso.org to unsubscribe
("unsubscribe ga" in the body of the message).
Archives at http://www.dnso.org/archives.html
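
An added example, not part of the original message: a local check that reads attachment names from the message as transmitted (the ".doc.com" case described above), rather than from whatever a local filter later renamed the file to. The suffix sets, function names and sample message are assumptions constructed for illustration.

```python
from email import message_from_string

# Assumptions for this example (not from the message): which suffixes count
# as directly executable on Windows, and which make a name look like a document.
EXECUTABLE = {".com", ".exe", ".pif", ".scr", ".bat", ".vbs"}
DOCUMENT = {".doc", ".xls", ".txt", ".pdf", ".jpg"}

def suffixes(filename):
    """Lower-cased suffixes of a name, e.g. 'a.doc.com' -> ['.doc', '.com'].
    Trailing dots and spaces are dropped first, as Windows ignores them."""
    parts = filename.lower().rstrip(". ").split(".")
    return ["." + p for p in parts[1:] if p]

def audit_attachments(raw_message):
    """Return one (filename, content_type, executable, disguised) tuple per
    named MIME part, judged on the message as transmitted."""
    findings = []
    for part in message_from_string(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue
        sfx = suffixes(name)
        executable = bool(sfx) and sfx[-1] in EXECUTABLE
        disguised = executable and len(sfx) > 1 and sfx[-2] in DOCUMENT
        findings.append((name, part.get_content_type(), executable, disguised))
    return findings

# Constructed sample message; names and bodies are placeholders.
SAMPLE = """\
From: sender@example.org
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="minutes.doc.com"

placeholder
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="agenda.doc"

placeholder
--b1--
"""

if __name__ == "__main__":
    for row in audit_attachments(SAMPLE):
        print(row)
```

The check only classifies names; a plain ".doc" attachment passes it even though, as the message notes, Word documents can carry macros.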