[22441] in bugtraq
RE: Eudora MUA: Risky practice -> Security domains
daemon@ATHENA.MIT.EDU (borjam@sarenet.es)
Mon Aug 27 21:15:01 2001
To: BlueJAMC <bluejamc@netzero.net>, "'Borja Marcos'" <borjam@sarenet.es>
Cc: bugtraq@securityfocus.com
From: borjam@sarenet.es
Date: Mon, 27 Aug 101 23:20:33 MET
Message-ID: <99894725102@192.148.167.16>
> I'm sorry, maybe I'm missing the point, but what is keeping the user
> from deleting the file in Explorer, besides the fact that they may
> execute one of them "by accident"? Also, isn't this an issue no matter
> what you're doing? That you might do something "by accident" that has
> undesired effects?
Well, it is a problem with security domains. You can
consider that the contents of an email message which you have
received from who knows where may not be trustworthy, but the contents of
your hard disk (especially files forgotten long ago) may not look
suspicious to the user, hence he/she may execute them without paying
attention to the risks. They are simply "files in the hard disk",
not "attachments in a message".
When you receive an email message with Eudora, the attached
files travel from one security domain to another without user
intervention. User intervention is required (for example) to delete
them, with the known risks.
A file should never cross the "border" between two security
domains without explicit user intervention. For example, with KMail
or Netscape (at least the last versions I used), you have to select
the attachment and save (or open) it. If you don't select it, it
isn't extracted.
A MUA and a web browser are security applications. A flaw
can lead to a complete system compromise.
And don't forget something apparently silly, but important:
the less code that deals with a suspicious attachment, the lower the
probability of triggering a security bug. If the attachments are
automatically extracted whenever a message is received, and there is
a security flaw in the extraction code, it will be possible to
exploit it even though the user doesn't open the attachment.
Designing software with this kind of precaution is a good thing,
IMHO.
> I'm sorry, but I have to disagree with you here. It's a windows
> feature; when you double-click an executable, it executes. If you
> double-click a JPEG, it brings up the default viewer with the JPEG in
> it. How is it the fault of Windows that a careless user might
> accidentally run an executable?
Well, when some smart guy felt innovative and decided that
Windows should have a lot of different permissions on files, he
somehow forgot to add an "execute" permission. This *is* a problem
in a system connected to a network. A file extension is information
received from the outside, in the message headers. An execute
permission is not transmitted through MIME.
Just think about the situation in Unix: unless you are the
superuser, you cannot run a program unless it is marked as
executable. It is a protection embedded in the operating system, at
the program execution system call.
And in the command line, if you follow good practice and
don't put the current directory in the PATH, you won't execute a
file outside of the system directories (or whatever you have in the
PATH) by accident, unless you explicitly write the complete path to
the program or "./". Is this similar to Windows? ;-)
Regards,
Borja.
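As an added illustration of the Unix-side argument above (example code, not part of the original message), the script below shows that a file written to disk carries no execute bit, that the kernel refuses to execute it, and that a bare file name is resolved from the current directory only when "." is in PATH. The temporary directory and the file name report.txt are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): the two Unix protections
# described in the message, exercised on a constructed file.

# Returns 0 if "$1" resolves by bare name under PATH "$2", 1 otherwise.
can_run_by_name() {
    ( PATH="$2"; command -v "$1" >/dev/null 2>&1 )
}

# Runs the demonstration in a subshell and prints four 1/0 flags:
#   saved file has no x-bit / direct execution refused /
#   bare name not found with a safe PATH / bare name found with "." in PATH
demo() (
    dir=$(mktemp -d) || exit 1
    cd "$dir" || exit 1
    # Simulate an MUA writing an attachment to disk: the file is created
    # with mode 0666 & ~umask, so it never gets an execute bit.
    printf '#!/bin/sh\necho attachment ran\n' > report.txt

    no_xbit=0; exec_denied=0; safe_path=0; risky_path=0
    if [ ! -x report.txt ]; then no_xbit=1; fi
    # execve() refuses a file without the execute bit (EACCES).
    if ! ./report.txt >/dev/null 2>&1; then exec_denied=1; fi

    # Even once explicitly marked executable, a bare name is only found
    # when the current directory is part of PATH.
    chmod +x report.txt
    if ! can_run_by_name report.txt "/usr/bin:/bin"; then safe_path=1; fi
    if can_run_by_name report.txt "/usr/bin:/bin:."; then risky_path=1; fi

    cd / && rm -rf "$dir"
    echo "$no_xbit$exec_denied$safe_path$risky_path"
)

demo
```

Each flag prints as 1 when the corresponding protection behaved as the message describes, so a fully protected system prints 1111.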