[Esa-l]IMPSEC could zip-wrap attachments
Brian D. Hanna
bdhanna at cmrr.umn.edu
Mon May 21 07:06:03 PDT 2001
On Fri, May 18, 2001 at 08:29:46PM -0700, John D. Hardin wrote:
> On Sat, 19 May 2001, Howard Lowndes wrote:
> > Regrettably it appears that IE 5.5 is recognising the file type
> > despite the defanging of the file name and is invoking Excel,
> > which would imply that a Winshit system is vulnerable to malicious
> > macros despite reasonable efforts to avoid them. Perhaps the
> > defanging of .doc and .xls needs to be re-considered.
> Any email security steps taken on the mail server will have their
> effects modified if you're going through a webmail system and reading
> the message and attachments via a browser instead of a dedicated email
> client. I've seen some discussion of Windows using file magic to
> recognize Office documents, so this isn't too surprising, especially
> if the MIME type of the attachment is APPLICATION/OCTET-STREAM.
> If you're curious, you might hack your sanitizer to make it substitute
> TEXT/PLAIN instead of APPLICATION/OCTET-STREAM and see if opening the
> attachment via the webmail interface still fires off Excel. Having the
> binary file come up in Notepad might be just the sort of benign
> negative feedback (as opposed to the malignant negative feedback of
> being hit by a macro virus) you're seeking.
I wonder if it is worth considering wrapping the attachments in a
zip header automatically. gzip has a zero-compression algorithm, so
I assume that would just wrap it, and be pretty fast.
I like the macro scanning, etc., but an option to zip-wrap attachments
might be useful. It avoids the file magic problems and achieves what
the original intent was, i.e. not to run things automatically.
Brian Hanna CMRR Unix System Admin bdhanna at cmrr.umn.edu
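
Added example, not part of the original post or of the sanitizer discussed in the thread: a sketch of the zip-wrap idea using Python's zipfile with the stored (no compression) method, replacing each attachment with a single-member archive so the leading bytes are the ZIP signature instead of the Office container signature. The sample message, the "report.xls" name, and the function names are constructed for illustration.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Signature of the legacy OLE2 container used by .doc/.xls files.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def zip_wrap(data: bytes, name: str) -> bytes:
    """Return a one-member ZIP archive holding data uncompressed (stored)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def wrap_attachments(raw: bytes) -> bytes:
    """Replace every attachment in a message with a stored-ZIP wrapper."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in list(msg.iter_attachments()):
        name = part.get_filename() or "attachment.bin"
        wrapped = zip_wrap(part.get_content(), name)
        # set_content() clears the old Content-* headers before writing new ones.
        part.set_content(wrapped, maintype="application", subtype="zip",
                         disposition="attachment", filename=name + ".zip")
    return msg.as_bytes()


def sample_message() -> bytes:
    """Constructed sample: a text body plus a fake .xls sent as octet-stream."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 24, maintype="application",
                       subtype="octet-stream", filename="report.xls")
    return msg.as_bytes()


if __name__ == "__main__":
    out = BytesParser(policy=policy.default).parsebytes(
        wrap_attachments(sample_message()))
    for att in out.iter_attachments():
        print(att.get_filename(), att.get_content_type(), att.get_content()[:4])
```

With the stored method the original bytes sit verbatim after the ZIP local file header, so a scanner that searches the whole attachment still sees the Office signature; only the signature at offset 0 changes.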