RE: Windows Media Player executes WMF content in .MP3 files.

From: David Korn (dkornat_private)
Date: Wed Feb 27 2002 - 02:55:41 PST

    >-----Original Message-----
    >From: Russ [mailto:Russ.Cooperat_private]
    >Sent: 26 February 2002 21:35
    
    >It's also foolish to suggest that security be based on file extensions,
    >Windows has been interpreting file types based on content for years and
    >anyone who thinks they can safely run their system by excluding some
    >file types is just plain dumb. AV products all have the ability to scan
    >all files, and this should be the setting on your system.
    
      Well, file extensions *used* to be a valid way for a user to know that a
    file either contained a given type of content, or was invalid.  (That's a
    separate issue from whether or not a given file viewer will correctly
    reject an invalid file of a given type, or perhaps be exploitable through
    cleverly malformed data.)  Remember, there isn't a virus in the file in
    question: the vulnerability arises because there's no way for the user to
    know what type of content is in the file, and therefore no way for them to
    adopt different handling procedures appropriate to the different content.
    
      For security's sake, there ought to be *some* way for an end user to know
    what kind of content is in a file without having to inspect it in a hex
    editor.  The file extension would be a valid way to convey that information
    to the user *if* the extension was guaranteed to be respected by the viewer
    apps.  Or have I overlooked something?
    
    
        DaveK
    -- 
    Burn your ID card!  http://www.optional-identity.org.uk/
    Help support the campaign, copy this into your .sig!
    
    
    

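Added example, not part of the original post: a small Python check that compares a file's extension with the container format its leading bytes identify, flagging the case discussed in this thread (Windows Media/ASF content under an .mp3 name). The function names and the extension table are illustrative assumptions; the signatures used are the ASF header GUID, the ID3v2 tag, the MPEG audio frame sync and the RIFF/WAVE header.

```python
"""Compare a file's extension with the container format its leading bytes identify."""
import os

# 16-byte ASF Header Object GUID that opens Windows Media files (.asf/.wma/.wmv).
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")

# Extension -> content types acceptable under that name (small illustrative table).
EXPECTED = {
    ".mp3": {"mp3"},
    ".wav": {"riff-wave"},
    ".asf": {"asf"}, ".wma": {"asf"}, ".wmv": {"asf"},
}

def sniff(head: bytes) -> str:
    """Classify content from its first bytes; 'unknown' when no signature matches."""
    if head.startswith(ASF_HEADER_GUID):
        return "asf"
    if head[:4] == b"RIFF" and head[8:12] == b"WAVE":
        return "riff-wave"
    if head.startswith(b"ID3"):
        return "mp3"  # ID3v2 tag preceding the MPEG audio frames
    # MPEG audio frame sync: 11 set bits; the layer field must not be the reserved 00.
    if len(head) >= 2 and head[0] == 0xFF and head[1] & 0xE0 == 0xE0 and head[1] & 0x06:
        return "mp3"
    return "unknown"

def check(name: str, head: bytes) -> tuple[str, str]:
    """Return (verdict, detected_type); verdict is 'match', 'mismatch' or 'unlisted'."""
    ext = os.path.splitext(name)[1].lower()
    detected = sniff(head)
    if ext not in EXPECTED:
        return "unlisted", detected
    return ("match" if detected in EXPECTED[ext] else "mismatch"), detected

def check_file(path: str) -> tuple[str, str]:
    """Same check for a file on disk; only the first 16 bytes are read."""
    with open(path, "rb") as fh:
        return check(path, fh.read(16))

if __name__ == "__main__":
    # Constructed sample headers, not taken from any real file.
    samples = {
        "song.mp3": b"ID3\x03\x00\x00\x00\x00\x0f\x76" + b"\x00" * 6,
        "track.mp3": b"\xff\xfb\x90\x64" + b"\x00" * 12,
        "clip.mp3": ASF_HEADER_GUID,   # Windows Media content under an .mp3 name
        "clip.wma": ASF_HEADER_GUID,
    }
    for name, head in samples.items():
        print(name, *check(name, head))
```

A "mismatch" verdict only says the content is not what the name promises; it makes no statement about whether the content is harmful.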


    This archive was generated by hypermail 2b30 : Fri Mar 01 2002 - 02:45:42 PST