[Mimedefang] Unsafe file types

Jon R. Kibler Jon.Kibler at aset.com
Sun Nov 30 09:58:26 EST 2003 

Greetings All:

I have several questions/comments about unsafe file types.

1) Several weeks ago, there was some discussion in a security group I follow about unsafe file types. The list compiled by that group included several Windows extensions that are not in the current MD list. These are:
	ad
	asp
	cab
	ceo
	dbx
	enc
	nws
	png
	vbx
	vsd 
	vss 
	vst 
	vsw 
	ws
	xml
Should they be included in the MD list?

2) Knowing next to nothing about windows, I was wondering if the MD list, plus the above extensions, included unsafe file types from various non-M$ products such as Lotus's Smart Suite (or whatever they call it today), Corel Office, various Adobe products, etc., or is the list strictly limited to Windows products?

3) I know that M$ publishes a list of unsafe extensions (http://support.microsoft.com/default.aspx?scid=kb;EN-US;290497) that gives a half-dozen word definition of each of these extensions, but doesn't say what makes them unsafe (for example, how is a Windows media file potentially unsafe?). Is there any resource that anyone is aware of that defines what is unsafe about any give file type?

4) Finally, rather than looking at the file extension, wouldn't it be smarter to look at the content-type header to judge whether a file is potentially dangerous? 
   4a) For example, I could create a text file called 'aset.com' that contained information about out domain that I wanted to send to someone. When the file was attached to an email, it would be given the content-type of text/plain (at least when I attach the file to an email from *nix), correctly recognizing that it is not executable content. However, if we used MD to filter outgoing messages, it would gag on the file because of its name, not content.
   4b) Using the current MD schema of looking only at file extensions, it would appear to be easy to slip executable content past the filter by simply changing the file name from something like 'prog.exe' to 'prog.exe.txt'. Am I missing something here?
   4c) So, I guess the bottom line to this question is why examine file extensions when content-type may be a better indicator of what the file contains?

Thanks!

Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.

More information about the MIMEDefang mailing list