From: Tzafrir Cohen (tzafrir@technion.ac.il)
Date: Tue Jan 15 2002 - 18:36:23 CST


    On 16 Jan 2002, Bill Kenworthy wrote:

    > On Wed, 2002-01-16 at 01:45, Tzafrir Cohen wrote:
    > > On 15 Jan 2002, Bill Kenworthy wrote:

    > > > It picks up the usual virii attachments quite
    > > > reliably, defangs html mail (embedded scripts etc in the html) and also
    > > > perl/shell scripts etc (inserts an "exit" statement and comment at the
    > > > top of the file so it can't be run by accident!)
    > >
    > > Sounds very intrusive to me.
    >
    > How paranoid are you? - i.e., this is the preference (or specification
    > worked to) by many people. It's only mildly intrusive and my family use
    > mail lists that love cute html things and this is a bit safer. and no,
    > one cannot turn off incoming html mail (a popular uprising would occur!)
    > - some of the lists have no alternatives! We also get the odd html
    > carried virus and this picks up and sanitises them quite reliably.

    hint: netscape/mozilla allows you to disable javascript separately on the
    mail client.

    > >
    > > A decent mail program does not execute scripts. If my mailer (OK, it
    > > probably has a number of buffer overflows somewhere, but it is rather sane
    > > apart from that) gets some script, it simply displays it to me.
    > >
    > > Now if some support guy sent Joe User a script to use, he had to work
    > > around those strange (=unexpected) limitations
    > >
    >
    > Now if someone set up a mimetype in evolution for say, perl and
    > misclicked one time...
    > Not likely, but it could happen. Also, one place I have worked had a
    > number of developers working in windoze with perl and the windoze unix
    > and shell environment (can't remember the name - mental block!!!) which

    cygwin

    > would be at risk of executable shell scripts for all the usual windoze
    > reasons.
    >

    Then go to their systems and configure them properly! Anyway, blocking is
    better than modifying. You should generally assume that at least 99% of
    the suspects are innocent in this case. If you block, the user will know
    that a workaround is required. If you modify: the user may not know that.

    Anyway, I can think of more creative ways of shooting myself in the foot.

    Have a look at the standard mailcap in the mime type
    application/x-metamail-patch (this was remmed-out when I upgraded from 7.2
    to 8.1) for one such creative way.

    > > > It can also call a true
    > > > virus scanner to scan documents you want to let through, but need
    > > > checking internally.
    > >
    > > IMHO you should not try to overly clean. I rather have a virus scanner
    > > bounce a message than trying to clean it, and possibly creating an
    > > incorrect content.
    > >
    >
    > personal pref. Also not clean, rather look inside a file and see if it
    > does contain a virus, rather than just bounce based on criteria - its
    > flexible! At one time I did have anomy set to bounce, but I don't trust
    > the return address any more. I have heard that there is at least one
    > virus that tries to fake the header.

    So what? So you get an error message. But it is not a DoS, as you only
    send out one message for every message that you receive (unless you bounce
    on delivery. In this case one message can cause many bounces!)

    Again: don't let the guilty tamper with your handling of the innocent.

    > > > The documents have some discussion on performance
    > > > tuning, which from memory was quite acceptable considering what it is
    > > > doing. A good first line for Linux users and
    > >
    > > For linux users?
    > > Linux users have decent mail clients (read: not many people used Outlook
    > > & co. on linux lately)

    Err...

    Are linux clients better? (not to mention the latest flop of pine)

    I tried kmail. Just like a typical windows program, it has no notion of
    "view" a file. Only "open". Naturally you "open" a jpg image with an image
    viewer and a shell script with /bin/sh . In both cases you get the same
    scary warning dialog. People get used to this dialog crying wolf on
    images, and simply ignore it.

    Solution: the approach of mailcap: allow only to "view" attachments by
    default, never to "run" them.

    -- 
    Tzafrir Cohen
    mailto:tzafrir@technion.ac.il
    http://www.technion.ac.il/~tzafrir

    For help, email discuss-help@mandrakesecure.net; to unsubscribe send a message to discuss-unsubscribe@mandrakesecure.net. To visit MandrakeSecure, go to http://www.mandrakesecure.net/.
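The block-versus-modify argument made in the message above (reject the message so the user knows a workaround is needed, rather than quietly altering an attachment), as an added example that is not part of the thread and is not Anomy's code. It implements both policies side by side over one constructed message so the difference is visible: the reject policy never touches the message and returns reasons that can go into the rejection notice; the defang policy does what the thread describes Anomy doing (an "exit" line and a comment prepended to the script) and delivers a message that carries no signal to the user that anything changed. The list of "runnable" MIME types and extensions, the exact disarming marker, and the sample message are assumptions made for this example, not Anomy's rule table.

```python
"""Reject vs. defang policies for runnable mail attachments (added example)."""
import email
from email import policy
from email.message import EmailMessage

# Types and filename extensions treated as "runnable" rather than "viewable".
# This table is an assumption for the example, not Anomy's actual rule set.
RUNNABLE_TYPES = {
    "application/x-sh", "text/x-sh", "text/x-shellscript",
    "text/x-perl", "application/x-perl", "application/x-msdownload",
}
RUNNABLE_EXTS = (".sh", ".pl", ".bat", ".exe", ".vbs")

# Marker the defang policy prepends; the wording is assumed, mirroring the
# thread's description of "an exit statement and comment at the top".
DEFANG_PREFIX = b"exit\n# Disarmed by mail filter; delete these two lines to run.\n"


def is_runnable(part: EmailMessage) -> bool:
    """Classify a leaf MIME part by declared type and by filename extension."""
    name = (part.get_filename() or "").lower()
    return part.get_content_type() in RUNNABLE_TYPES or name.endswith(RUNNABLE_EXTS)


def runnable_parts(msg: EmailMessage):
    """Yield every non-multipart part that looks runnable, body or attachment."""
    for part in msg.walk():
        if not part.is_multipart() and is_runnable(part):
            yield part


def reject_policy(raw: bytes):
    """Blocking approach: the message is never altered. Returns (accepted,
    reasons); a non-empty reasons list is what the rejection notice carries,
    so the user learns that a workaround is required."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = [f"{p.get_filename() or '(unnamed)'} [{p.get_content_type()}]"
               for p in runnable_parts(msg)]
    return not reasons, reasons


def defang_policy(raw: bytes):
    """Modifying approach, as the thread describes Anomy doing: prepend an exit
    so the script cannot run by accident, then deliver. Returns (rewritten
    message bytes, names of parts changed). Nothing in the delivered message
    tells the recipient the attachment was altered."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    changed = []
    for part in runnable_parts(msg):
        name = part.get_filename() or "attachment"
        maintype, subtype = part.get_content_type().split("/", 1)
        body = part.get_payload(decode=True) or b""
        # set_content() clears the old Content-* headers, so restate them.
        part.set_content(DEFANG_PREFIX + body, maintype=maintype, subtype=subtype,
                         disposition="attachment", filename=name)
        changed.append(name)
    return msg.as_bytes(), changed


def script_payloads(raw: bytes):
    """Decoded bytes of every runnable part, for inspecting a filter's output."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_payload(decode=True) for p in runnable_parts(msg)]


def sample_message() -> bytes:
    """Constructed input (not a captured message): a text body, a JPEG and a
    shell script that is runnable both by MIME type and by extension."""
    msg = EmailMessage()
    msg["From"] = "support@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "fix script"
    msg.set_content("Run the attached script to fix your config.\n")
    msg.add_attachment(b"\xff\xd8\xff\xe0not-really-a-jpeg",
                       maintype="image", subtype="jpeg", filename="cat.jpg")
    msg.add_attachment(b"#!/bin/sh\nsed -i 's/foo/bar/' ~/.config\n",
                       maintype="application", subtype="x-sh", filename="fix.sh")
    return msg.as_bytes()


if __name__ == "__main__":
    ok, why = reject_policy(sample_message())
    print("reject policy:", "accepted" if ok else "rejected", why)
    out, names = defang_policy(sample_message())
    print("defang policy: delivered, silently altered", names)
    print(script_payloads(out)[0].decode())
```

The point the two functions make concrete: with reject_policy the sender (or the local log) receives the list of offending parts and the message is byte-for-byte what was sent; with defang_policy the script arrives looking like a script, and the user only discovers the change when it exits without doing anything.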