[Esa-l] IMPSEC could zip-wrap attachments

Brian D. Hanna bdhanna at cmrr.umn.edu
Mon May 21 07:06:03 PDT 2001


On Fri, May 18, 2001 at 08:29:46PM -0700, John D. Hardin wrote:
> On Sat, 19 May 2001, Howard Lowndes wrote:
> 
> > Regrettably it appears that IE 5.5 is recognising the file type
> > despite the defanging of the file name and is invoking Excel,
> > which would imply that a Winshit system is vulnerable to malicious
> > macros despite reasonable efforts to avoid them.  Perhaps the
> > defanging of .doc and .xls needs to be re-considered.
> 
> Any email security steps taken on the mail server will have their
> effects modified if you're going through a webmail system and reading
> the message and attachments via a browser instead of a dedicated email
> client. I've seen some discussion of Windows using file magic to
> recognize Office documents, so this isn't too surprising, especially
> if the MIME type of the attachment is APPLICATION/OCTET-STREAM.
> 
> If you're curious, you might hack your sanitizer to make it substitute
> TEXT/PLAIN instead of APPLICATION/OCTET-STREAM and see if opening the
> attachment via the webmail interface still fires off Excel. Having the
> binary file come up in Notepad might be just the sort of benign
> negative feedback (as opposed to the malignant negative feedback of
> being hit by a macro virus) you're seeking.
> 

I wonder if it is worth considering wrapping the attachments in a 
zip header automatically. gzip has a zero-compression algorithm, so
I assume that would just wrap it, and be pretty fast.

I like the macro scanning, etc., but an option to zip-wrap attachments
might be useful. It avoids the file magic problems and achieves what
the original intent was, i.e. not to run things automatically.

Brian

-- 

 Brian Hanna 		CMRR Unix System Admin 		bdhanna at cmrr.umn.edu 
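
The zip-wrapping idea proposed in this message, sketched as an added example (not code from the original post or from the sanitizer under discussion). It uses the ZIP container with the stored (no compression) method from Python's standard `email` and `zipfile` modules; the function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# First 8 bytes of a legacy Office (OLE2) file: the "file magic" discussed above.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def zip_wrap(filename: str, payload: bytes) -> bytes:
    """Return a ZIP archive that stores payload uncompressed (ZIP_STORED)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(filename, payload)
    return buf.getvalue()


def zip_wrap_attachments(raw: bytes) -> bytes:
    """Replace each attachment with <name>.zip served as application/zip."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in list(msg.walk()):
        if not part.is_attachment() or part.is_multipart():
            continue
        if part.get_content_type() == "application/zip":
            continue  # already an archive, do not nest it
        name = part.get_filename() or "attachment.bin"
        data = part.get_payload(decode=True) or b""
        part.set_content(zip_wrap(name, data), maintype="application",
                         subtype="zip", filename=name + ".zip")
    return msg.as_bytes()


def sample_message() -> bytes:
    """Constructed test message: text body plus a fake .xls attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(OLE2_MAGIC + b"constructed spreadsheet bytes",
                       maintype="application", subtype="octet-stream",
                       filename="report.xls")
    return msg.as_bytes()


if __name__ == "__main__":
    out = message_from_bytes(zip_wrap_attachments(sample_message()),
                             policy=policy.default)
    for att in out.iter_attachments():
        print(att.get_filename(), att.get_content_type())
```

After wrapping, the part's leading bytes are the ZIP local file header rather than the Office signature, so sniffing the start of the file identifies an archive. The original bytes are stored unmodified inside it and remain visible to server-side scanners.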


