[Esa-l]IMPSEC works - or does it.

John D. Hardin jhardin at impsec.org
Fri May 18 20:29:46 PDT 2001

On Sat, 19 May 2001, Howard Lowndes wrote:

> Regretably it appears that IE 5.5 is recognising the file type
> despite the defanging of the file name and is invoking Excel,
> which would imply that a Winshit system is vulnerable to malicious
> macros despite reasonable efforts to avoid them.  Perhaps the
> defanging of .doc and .xls needs to be re-considered.

Any email security steps taken on the mail server will have their
effects modified if you're going through a webmail system and reading
the message and attachments via a browser instead of a dedicated email
client. I've seen some discussion of Windows using file magic to
recognize Office documents, so this isn't too surprising, especially
if the MIME type of the attachment is APPLICATION/OCTET-STREAM.

If you're curious, you might hack your sanitizer to make it substitute
TEXT/PLAIN instead of APPLICATION/OCTET-STREAM and see if opening the
attachment via the webmail interface still fires off Excel. Having the
binary file come up in Notepad might be just the sort of benign
negative feedback (as opposed to the malignant negative feedback of
being hit by a macro virus) you're seeking.

 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 jhardin at wolfenet.com      pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  An entitlement beneficiary is a person or special interest group
  who didn't earn your money, but demands the right to take your
  money because they *want* it.
                                  -- John McKay, _The Welfare State:
                                     No Mercy for the Middle Class_
   1264 days until the Presidential Election

More information about the esd-l mailing list