From: Chris Moore <dooglus@gmail.com>
Cc: Stephen Leake <stephen_leake@member.fsf.org>, emacs-devel@gnu.org
Subject: Re: C file recoginzed as image file
Date: Tue, 09 Jan 2007 23:58:42 +0100 [thread overview]
Message-ID: <m2y7oboli5.fsf@gmail.com> (raw)
In-Reply-To: <f7ccd24b0701090525q6737c13dxe45a85b3993fec3f@mail.gmail.com> (Juanma Barranquero's message of "Tue\, 9 Jan 2007 14\:25\:43 +0100")
"Juanma Barranquero" <lekktu@gmail.com> writes:
> Are you proposing also that we reject (or warn about) a .PNG file
> disguised as a .JPG, for example?
About a year ago, it became apparent that MS Windows would execute
arbitrary code when displaying a specially constructed .wmf file.
Microsoft were quite slow issuing a fix for this vulnerability. A lot
of companies blocked .wmf attachments on their firewalls in an attempt
to protect themselves.
As a result, the attackers simply renamed their dangerous .wmf files
to .jpg. This continued to work because Windows looks at the file's
contents, sees that it's not really a JPG image but a WMF image, and
displays it using the vulnerable code.
The vulnerability was relatively well known at the time, and people
who knew about it knew not to attempt to view WMF images using
Windows. What was more of a surprise was that .jpg and .gif files,
when double-clicked, could turn out to be WMF images in disguise.
I don't think we should make the same mistake that Windows makes of
silently ignoring the file extension. The default should be to warn
the user if the contents disagree with the extension, and people who
don't want this warning should be able to turn it off using the
customize interface.
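The check proposed above (compare what the extension claims with what the file header actually announces, and warn on disagreement) as a worked example. This is added illustration code, not part of the emacs-devel thread and not Emacs's own image-type detection; the signature table uses the widely published leading bytes of JPEG, PNG, GIF and WMF files, and the sample files and filenames are constructed for the demonstration.

```python
"""Added example: flag files whose extension disagrees with their contents.

Rather than silently trusting the header (as the message describes Windows
doing) or silently trusting the extension, this reports when the two differ.
Signature table (well-known published values, not from the thread):
  JPEG            FF D8 FF
  PNG             89 50 4E 47 0D 0A 1A 0A
  GIF             "GIF87a" / "GIF89a"
  placeable WMF   D7 CD C6 9A            (Aldus placeable metafile key)
  standard WMF    01 00 09 00 / 02 00 09 00  (Type=memory/disk, HeaderSize=9 words)
"""
import os

MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xd7\xcd\xc6\x9a", "wmf"),   # placeable (Aldus) WMF header
    (b"\x01\x00\x09\x00", "wmf"),   # standard WMF, in-memory type
    (b"\x02\x00\x09\x00", "wmf"),   # standard WMF, disk type
]

EXT_TO_FORMAT = {
    ".jpg": "jpeg", ".jpeg": "jpeg",
    ".png": "png",
    ".gif": "gif",
    ".wmf": "wmf",
}


def sniff_format(data: bytes):
    """Return the format announced by the leading bytes, or None if unknown."""
    for sig, name in MAGIC:
        if data[:len(sig)] == sig:
            return name
    return None


def expected_format(filename: str):
    """Return the format the filename's extension claims, or None if unmapped."""
    return EXT_TO_FORMAT.get(os.path.splitext(filename)[1].lower())


def check_file(filename: str, data: bytes):
    """Classify a (name, contents) pair.

    Returns (verdict, format_from_extension, format_from_contents) where
    verdict is one of 'ok', 'mismatch', 'unknown-content', 'unknown-extension'.
    Only the first 16 bytes are needed for every signature in MAGIC.
    """
    ext_fmt = expected_format(filename)
    detected = sniff_format(data[:16])
    if ext_fmt is None:
        return ("unknown-extension", ext_fmt, detected)
    if detected is None:
        return ("unknown-content", ext_fmt, detected)
    if detected == ext_fmt:
        return ("ok", ext_fmt, detected)
    return ("mismatch", ext_fmt, detected)


# Constructed sample files: a real-looking JPEG, a WMF header hiding under a
# .jpg name (the disguise described in the message), a PNG, and a text file.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "disguised.jpg": b"\xd7\xcd\xc6\x9a" + b"\x00" * 12,
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "notes.txt": b"hello",
}


def run_samples():
    """Map each constructed sample name to its verdict."""
    return {name: check_file(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, ext_fmt, detected = check_file(name, data)
        if verdict == "mismatch":
            print(f"WARNING {name}: extension says {ext_fmt}, contents look like {detected}")
        else:
            print(f"{name}: {verdict}")
```

The verdict is deliberately a value rather than a side effect, so a caller can decide whether to refuse the file, prompt, or merely log, which is the "warn by default, let the user turn it off" policy the message argues for.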