[Esa-l]IMPSEC could zip-wrap attachments
Brian D. Hanna
bdhanna at cmrr.umn.edu
Mon May 21 07:06:03 PDT 2001
On Fri, May 18, 2001 at 08:29:46PM -0700, John D. Hardin wrote:
> On Sat, 19 May 2001, Howard Lowndes wrote:
>
> > Regretably it appears that IE 5.5 is recognising the file type
> > despite the defanging of the file name and is invoking Excel,
> > which would imply that a Winshit system is vulnerable to malicious
> > macros despite reasonable efforts to avoid them. Perhaps the
> > defanging of .doc and .xls needs to be re-considered.
>
> Any email security steps taken on the mail server will have their
> effects modified if you're going through a webmail system and reading
> the message and attachments via a browser instead of a dedicated email
> client. I've seen some discussion of Windows using file magic to
> recognize Office documents, so this isn't too surprising, especially
> if the MIME type of the attachment is APPLICATION/OCTET-STREAM.
>
> If you're curious, you might hack your sanitizer to make it substitute
> TEXT/PLAIN instead of APPLICATION/OCTET-STREAM and see if opening the
> attachment via the webmail interface still fires off Excel. Having the
> binary file come up in Notepad might be just the sort of benign
> negative feedback (as opposed to the malignant negative feedback of
> being hit by a macro virus) you're seeking.
>
I wonder if it is worth considering wrapping the attachments in a
zip header automatically. gzip has a zero-compression algorithm, so
I assume that would just wrap it, and be pretty fast.
I like the macro scanning, etc., but an option to zip-wrap attachments
might be useful. It avoids the file magic problems and achieves what
the original intent was, i.e. not to run things automatically.
Brian
--
Brian Hanna CMRR Unix System Admin bdhanna at cmrr.umn.edu
More information about the esd-l
mailing list