[Mimedefang] Thoughts on list of "bad" extensions
Matt Bruce
mbruce at insl.co.uk
Mon Aug 18 07:53:00 EDT 2003
Kelson Vibber wrote:

> There is a difference. An EXE file can do anything it wants, so it's
> always dangerous. A data file is limited by the application that handles
> it, unless that application contains a security vulnerability.

One point worth remembering here is that some media files can have a "start
browser" command embedded in them. I've seen this with some ASF files
travelling across networks I manage - just before the end of the video the
machine's browser is opened and directed to a website, which can of course
contain malicious code. Though usually it's just a website to advertise more
videos of people bumping uglies.

Again it's relying upon a vulnerability, but it makes it even more important
that you justify allowing these types of media across your network -
especially via *email* (ok, I'm a purist).

If it's possible to spawn a browser process, anyone know if it's possible to
spawn any programme of choice (Word, etc)?

Cya,

Matt