[Esa-l]IMPSEC works - or does it.

Phil Pennock pdp at nl.demon.net
Sat May 19 16:29:05 PDT 2001


On 2001-05-19 at 06:32 +1000, Howard Lowndes wrote:
> Regrettably it appears that IE 5.5 is recognising the file type despite the
> defanging of the file name and is invoking Excel, which would imply that a
> Winshit system is vulnerable to malicious macros despite reasonable
> efforts to avoid them.  Perhaps the defanging of .doc and .xls needs to be
> re-considered.

IE always does this (look at the data, determine the type from that,
and only fall back to using the HTTP-supplied MIME type).  It's so that
Windows-based servers don't need to sort out correct MIME types when
serving via HTTP -- let incompetence slip by letting it work with IE
anyway, and when NS users complain, MS get to say that NS Navigator is
inferior.  Politics.

> I tried it in Netscape and all it did was offer to save the file to disk.

As it should.

Basically, assumptions about email break when you start transferring
them to the web, with all the layers which try second-guessing you.

*shrugs*  Sorry, but at this stage the only solution is OS advocacy of
something which isn't an insecure steaming heap of donkey faeces.
-- 
Phil Pennock                        <pdp at nl.demon.net> <Phil.Pennock at thus.net>
Demon Internet Nederland -- Network Operations Centre -- Systems Administrator
Libertes philosophica.
NL Sales: +31 20 422 20 00                          NL Support: 0800 33 6666 8
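
The behaviour described in the message above (type decided from the data, not from the name or MIME label) can be checked for on the filtering side. This is an added example, not part of the original post or of the sanitizer under discussion; the attachment name `report.defanged-xls`, the signature table and the function names are constructed for illustration.

```python
import email
from email.message import EmailMessage

# Leading bytes that identify a format regardless of file name or MIME label.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound file (legacy .doc/.xls)",
    b"MZ": "DOS/PE executable",
}

def sniff(data: bytes):
    """Return a format name if the leading bytes match a known signature."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def audit(raw: bytes):
    """List (filename, declared type, sniffed format) for each part whose
    content is still recognisable by its bytes after the name was defanged."""
    findings = []
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64 / quoted-printable transfer encoding
        data = part.get_payload(decode=True) or b""
        found = sniff(data)
        if found:
            findings.append((part.get_filename(), part.get_content_type(), found))
    return findings

def build_sample() -> bytes:
    """Constructed sample: OLE2 header bytes under a defanged file name."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    ole2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504
    msg.add_attachment(ole2, maintype="application", subtype="octet-stream",
                       filename="report.defanged-xls")
    msg.add_attachment(b"plain notes\n", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in audit(build_sample()):
        print(finding)
```

A part reported here carries a neutral name and a generic MIME type, yet a client that inspects the data would still identify it as an Office document.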


