[Esa-l] Double Extensions fails

Bjarni R. Einarsson bre at klaki.net
Tue Feb 13 08:20:15 PST 2001


On 2001-02-13, 16:50:11 (+0100), Phil Pennock wrote:
> On 2001-02-13 at 15:45 +0000, Bjarni R. Einarsson wrote:
> > So basically, I think explicitly worrying about double extensions is
> > a little silly.  If you have a sane policy for handling really long
> > file names and another sane policy for handling unknown and/or
> > dangerous extensions, then worrying about double extensions is
> > totally unnecessary.
> > 
> > That's why I don't bother in my sanitizer (although users are free to
> > implement their own policies which detect double file names via
> > regexps in their config files).
> 
> I see from:
>  X-Mailer: Mutt 0.95.4i
> that you're probably a Unix user (gratz); but Windows clients do things
> like hide known extensions.  So foo.jpg.vbs would be shown as foo.jpg --
> quite sick, yes.  When forced into using a Windows box, I change that
> setting fast.

I know.  But if a policy is enforced on the mail gateway which stops 
dangerous stuff before it gets to the client, then that doesn't matter.
This is what John's sanitizer is all about, and mine as well.

In such a scenario the potential attacks are reduced to boring stuff
such as tricking users into opening .TXT files which they think are
.JPGs.  That thought totally fails to worry me, let alone justify
adding unnecessary complexity to a mail filtering solution. :-)

Double extensions don't fool the sanitizers, they just fool people. I
think this has some people a little confused about how to deal with
them.

> BTW -- there are security holes in _your_ email client.  You might wish
> to upgrade.  ;^)

I know that as well.  I'm lazy.  I was also reluctant to upgrade,
since I closed some big mutt-related holes on my system myself and
never got any replies from the author when I reported them.  Ever
looked at the source code to urlview, which was distributed with mutt
once upon a time? :)

Unix programs are full of holes just like Windows programs.  The
primary thing keeping the Unix world relatively safe from viruses
today is smaller market share, diversity and solid multi-user
permission support at the OS level.

-- 
Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
 bre at klaki.net                -><-              http://bre.klaki.net/

Check out my open-source email sanitizer: http://mailtools.anomy.net/
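Bjarni's point above, that a policy on the final extension plus a policy on over-long and unknown names already covers foo.jpg.vbs, as an added example in Python (constructed here, not the Anomy Sanitizer's own code; the extension lists, length limit, regex rule and function names are assumptions):

```python
import re

# Constructed sample policy; not the Anomy Sanitizer's real defaults.
MAX_NAME_LEN = 64
DANGEROUS_EXTS = {"vbs", "exe", "scr", "pif", "bat", "cmd", "js", "com"}
KNOWN_SAFE_EXTS = {"jpg", "jpeg", "gif", "png", "txt", "pdf"}
# Optional per-site regex rules, the kind a user might add in a config file.
# This one is a "double extension" rule; it only ever adds coverage for the
# harmless case (an image name followed by a non-executable extension).
EXTRA_RULES = [
    (re.compile(r"\.(jpe?g|gif|png)\.[^.]+$", re.I), "defang"),
]


def final_extension(name: str) -> str:
    """Extension a Windows shell would act on: text after the last dot, lowercased.
    Path separators are dropped and trailing dots/spaces stripped first
    (conservative assumption that the receiving system ignores them)."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def classify(name: str, extra_rules=()) -> str:
    """Return 'drop', 'defang' (rename/quarantine) or 'accept' for an attachment name."""
    ext = final_extension(name)
    if ext in DANGEROUS_EXTS:          # the only extension the OS will act on
        return "drop"
    if len(name) > MAX_NAME_LEN:       # long-name policy: padded names get defanged
        return "defang"
    if ext not in KNOWN_SAFE_EXTS:     # unknown-extension policy
        return "defang"
    for pattern, action in extra_rules:
        if pattern.search(name):
            return action
    return "accept"


if __name__ == "__main__":
    # Constructed sample names; foo.jpg.vbs is dropped with no double-extension rule at all.
    for sample in ("foo.jpg.vbs", "foo.vbs.jpg", "holiday.jpg", "notes.jpg.xyz",
                   "foo.jpg" + " " * 60 + ".vbs", "foo.jpg.txt"):
        print(f"{sample[:40]!r:45} -> {classify(sample)} / with regex rule: "
              f"{classify(sample, EXTRA_RULES)}")
```

The double-extension regex only changes the verdict for foo.jpg.txt, the "tricked into opening a .TXT" case the message calls boring; the executable case is caught by the final-extension rule alone.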
