Preventing the next MyDoom (fwd)
phiscock-g851W1bGYuGnS0EtXVNi6w at public.gmane.org
Wed Feb 18 05:31:39 UTC 2004
Good info, Hugh.
Peter
> I sent the following letter to a local commercial newsletter.
>
> I thought some TLUGgers might be interested.
>
> ---------- Forwarded message ----------
> Date: Tue, 17 Feb 2004 19:50:22 -0500 (EST)
> From: "D. Hugh Redelmeier" <hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org>
> To: rdutt-baJCGVF0K2RfOZc0+OmrVg at public.gmane.org
> cc: swexler-5fEA2WC4m+QrCQQS9T2b3QC/G2K4zDHf at public.gmane.org
> Subject: Preventing the next MyDoom
>
> I just read your column.
> <http://www.integratedmar.com/connectit/story.cfm?item=375>
>
> You seem to blame everyone for MyDoom except the maker of the
> fundamental mistakes: Microsoft.
>
> "opening" an attachment should not be a problem. It isn't a problem
> on my computer (it runs LINUX). It is crazy to let opening a document
> run potentially dangerous code.
>
> Microsoft has made a whole bunch of decisions that leave its
> customers open to attack. I'm not talking about bugs: all code has
> bugs. I'm talking about design mistakes that were made years ago and
> have not been fixed:
>
> - Microsoft Excel, PowerPoint, Word, and so on allow embedded Visual
> BASIC for Applications scripts. This turns what should be passive
> documents into active threats. (This problem is wider than email
> attachments.)
>
> - "opening" a .exe file is interpreted as: please run this. This is a
> crazy default for email attachments. Aside from the danger, it
> probably makes no sense in the MS Windows environment where programs
> generally have to be installed to be runnable.
>
> As far as I can tell, the major use for freestanding .exe files is as
> self-extracting archives. Surely this could be replaced by a
> sensible archive file type (perhaps .zip). Then there would be
> no reason to allow "opening" a .exe anywhere.
>
> - There are many other extensions that are dangerous to "open" (e.g.
> .pif, .com). And Microsoft didn't even disclose all of them (e.g.
> .scr).
>
> - Microsoft tools, by default, don't show the file extension. Combine
> this with the fact that the user has to protect himself from some of
> them (because Microsoft tools don't) and you are in a Catch-22
> situation.
>
> - As I understand it, in the past, Outlook used to "open" mail
> attachments automatically to create thumbnails. Wow.
>
> All these problems have been well known for a decade or more. And yet
> Microsoft hasn't fixed them (except for the thumbnail problem).
>
> Why are you not holding Microsoft accountable? Isn't it about time?
>
> For a related (but slightly different) view, look at this item from the
> current issue of Crypto-Gram:
> <http://www.schneier.com/crypto-gram-0402.html#8>
> Bruce Schneier is a very well respected security expert. I recommend
> subscribing to his free newsletter.
>
> Hugh Redelmeier
> hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org voice: +1 416 482-8253
>
>
> --
> The Toronto Linux Users Group. Meetings: http://tlug.ss.org
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
>
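The letter's two points about file extensions (that "opening" a .exe, .pif, .com or .scr means running it, and that the default shell hides the last extension so a user cannot see it) combine into a concrete check a mail gateway or incident responder can run over attachment names. The following is an added example, not code from the list post or from Hugh; it is written from a defender's point of view. It uses only the standard library. The four extensions named in the letter are taken from the page; the other executable and document extensions in the two sets are my own well-known additions, and the sample attachment names are constructed.

```python
"""Attachment-name triage: flag names Windows would run when "opened",
and names disguised to look passive under the hide-extensions default."""
import os
from dataclasses import dataclass

# Extensions the Windows shell treats as "please run this" when opened.
# The first four are those named in the letter; the rest are assumed
# additions (well-known script and launcher types).
EXECUTABLE_EXTENSIONS = frozenset({
    ".exe", ".pif", ".com", ".scr",
    ".bat", ".cmd", ".vbs", ".js", ".wsf", ".hta", ".lnk", ".msi", ".cpl",
})

# Extensions that look like passive documents. An executable extension
# appended after one of these is the classic hidden-extension disguise
# (e.g. "report.txt.exe" is shown as "report.txt"). Assumed list.
DOCUMENT_EXTENSIONS = frozenset({
    ".txt", ".doc", ".xls", ".ppt", ".pdf", ".jpg", ".gif", ".zip", ".htm", ".html",
})


@dataclass(frozen=True)
class Verdict:
    filename: str      # name as received
    shown_as: str      # what a user with "hide extensions" on actually sees
    real_ext: str      # extension the shell will act on (lower-cased)
    executable: bool   # would "opening" it run code?
    disguised: bool    # does the visible part pretend to be a document?
    reason: str


def displayed_name(filename: str) -> str:
    """Name as rendered with 'Hide extensions for known file types':
    the final extension is dropped, so 'a.txt.exe' appears as 'a.txt'."""
    root, ext = os.path.splitext(filename)
    return root if ext else filename


def classify(filename: str) -> Verdict:
    root, ext = os.path.splitext(filename)
    real_ext = ext.strip().lower()             # normalise case and trailing spaces
    executable = real_ext in EXECUTABLE_EXTENSIONS
    # Whitespace padding ("photo.jpg       .scr") pushes the real extension
    # off-screen in narrow attachment lists; treat it as a disguise on its own.
    padded = root != root.rstrip()
    inner_ext = os.path.splitext(root.rstrip())[1].lower()
    looks_like_document = inner_ext in DOCUMENT_EXTENSIONS
    disguised = executable and (looks_like_document or padded)

    if not executable:
        reason = "not a Windows executable type"
    elif padded:
        reason = f"executable {real_ext} hidden behind whitespace padding"
    elif disguised:
        reason = f"executable {real_ext} disguised as a {inner_ext} document"
    else:
        reason = f"executable {real_ext}; 'open' means run"
    return Verdict(filename, displayed_name(filename), real_ext, executable, disguised, reason)


def flagged(filenames):
    """Verdicts for the attachments a gateway should quarantine or warn about."""
    return [v for v in map(classify, filenames) if v.executable]


# Constructed sample attachment names, not taken from any real message.
SAMPLE_ATTACHMENTS = [
    "minutes.doc",
    "report.txt.exe",
    "ARCHIVE.PIF",
    "photo.jpg       .scr",
    "setup.com",
    "notes.txt",
    "README",
]

if __name__ == "__main__":
    for v in flagged(SAMPLE_ATTACHMENTS):
        tag = "DISGUISED" if v.disguised else "EXECUTABLE"
        print(f"{tag:10} {v.filename!r:28} shown as {v.shown_as!r:16} {v.reason}")
```

The `shown_as` field is the point of the letter made concrete: a user whose shell hides extensions sees "report.txt" and has no way to tell it from a text file, so the decision has to be made by the gateway or mail client on the real extension, not by the user.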