[Full-Disclosure] M$ - so what should they do?
eballen1 at qwest.net
Tue Jun 22 04:52:36 BST 2004
On Mon, 21 Jun 2004, joe wrote:
> I am not sure I agree with the first thing. Actually I think it helps in
> that it is easier for people to know something is executable veruss having
> to look at additional attributes to see if something is executable.
I think that making the name of a file determine whether it counts as
"executable" or not conflates two distinct properties:
(i) name, (ii) executableness
Don't most of the "worms" like Bagel and Netsky depend on this sort of
thing? Naming a file "xyz.pif" or "abc.scr" makes it executable. Clearly
the "name making a file executable" contributes rather dramatically to the
ease of constructing email "worms". Since so many "extensions" make a
file executable, your point is basically wrong. You can't look at a file
extension and know whether naming a file with that extension will cause
Windows to consider it "executable" or "not executable".
> What security benefit do you see for the second thing?
Here, the "second thing" is getting rid of magic, in-every-directory
device files like "CON" or "AUX" or an undocumented host of others.
I don't happen to believe in the badness of magic files as such, merely
that having some magic file names really confuses things. This property
has caused problems over and over through the years:
And probably others. The point is that a "DIR" (or whatever) doesn't
show these magic files, but doing an "open()" works fine. It's an exception
to a usual rule about how file names work. Clearly, as evidenced above,
it causes problems over and over. Exceptional cases are bad.
Note that Unix/Linux/Plan 9/others get this sort of thing correct.
Magic files like /dev/null or /dev/tty show up when you run "ls" or
do opendir()/readdir(). Yeah, they're magic in some sense or another,
but they follow all the rules that other files follow with their names.
And you have to open them by path "/dev/null". Just opening "null" won't
hurt, unless the current directory happens to be "/dev".
Full-Disclosure is hosted and sponsored by Secunia.