
Re: Web based email issues

 
 
mchiper
 
      09-15-2003

In alt.computer.security, Msg ID: <(E-Mail Removed)>
Jim Watt <(E-Mail Removed)>, wrote:

>On Mon, 2 Dec 2002 19:31:39 -0000, "Shaolin Tiger"
><(E-Mail Removed)> wrote:
>


>>Most important of all..EDUCATE YOUR USERS

>
>sigh !
>
>Most of the machines do have av running, but some of them
>are too old to support it and work.


A simple question, I think. ( I don't run a server, per se.)
The question derives from " have a/v running".

The fundamental security exposure comes from running
programs "unknowingly".

Why would a program in an image file (like .JPG, etc..)
ever have a chance to be executed?

A partial answer comes from the array of things browsers
can do.. Like execute programs..
Both Netscape and IE (the most commonly used browsers)
Have built in image "decoders", I do believe.

So....
Doesn't that mean that merely browsing the Internet
poses unavoidable security exposures..

Further..
IE is so tightly linked to windows OSs,
And all windows OSs take over ownership of the hardware..
How does one defeat an attack thru "their " OS ?


Ray
 
 
 
 
 
Leythos
 
      09-15-2003
In article <(E-Mail Removed)>,
(E-Mail Removed) says...
>
> In alt.computer.security, Msg ID: <(E-Mail Removed)>
> Jim Watt <(E-Mail Removed)>, wrote:
>
> >On Mon, 2 Dec 2002 19:31:39 -0000, "Shaolin Tiger"
> ><(E-Mail Removed)> wrote:
> >

>
> >>Most important of all..EDUCATE YOUR USERS

> >
> >sigh !
> >
> >Most of the machines do have av running, but some of them
> >are too old to support it and work.

>
> A simple question, I think. ( I don't run a server, per se.)
> The question derives from " have a/v running".
>
> The fundamental security exposure comes from running
> programs "unknowingly".
>
> Why would a program in an image file (like .JPG, etc..)
> ever have a chance to be executed?


A file with JPG or GIF will not be executed on ANY OS, but there are
helper applications that MAY launch if you click on one.

>
> A partial answer comes from the array of things browsers
> can do.. Like execute programs..
> Both Netscape and IE (the most commonly used browsers)
> Have built in image "decoders", I do believe.
>
> So....
> Doesn't that mean that merely browsing the Internet
> poses unavoidable security exposures..


Yes, you are exposed to the level that you educate yourself.

>
> Further..
> IE is so tightly linked to windows OSs,
> And all windows OSs take over ownership of the hardware..
> How does one defeat an attack thru "their " OS ?


IE can be limited in what it allows - it's just that MOST sites want
things that mean you need to enable things that open you to attempted
hacking. In most cases you have to do something to get attacked.

--
--
(E-Mail Removed)
(Remove 999 to reply to me)
 
 
 
 
 
Jim Watt
 
      09-15-2003
On Mon, 15 Sep 2003 12:22:21 -0400, mchiper <(E-Mail Removed)> wrote:

>Why would a program in an image file (like .JPG, etc..)
>ever have a chance to be executed?


It's not.

>A partial answer comes from the array of things browsers
>can do.. Like execute programs..
>Both Netscape and IE (the most commonly used browsers)
>Have built in image "decoders", I do believe.
>
>So....
>Doesn't that mean that merely browsing the Internet
>poses unavoidable security exposures..


Not from jpg files.

--
Jim Watt http://www.gibnet.com
 
 
Stephen K. Gielda
 
      09-15-2003
In article <(E-Mail Removed)>,
(E-Mail Removed)_way says...
> On Mon, 15 Sep 2003 12:22:21 -0400, mchiper <(E-Mail Removed)> wrote:
>
> >Why would a program in an image file (like .JPG, etc..)
> >ever have a chance to be executed?

>
> It's not.
>
> >A partial answer comes from the array of things browsers
> >can do.. Like execute programs..
> >Both Netscape and IE (the most commonly used browsers)
> >Have built in image "decoders", I do believe.
> >
> >So....
> >Doesn't that mean that merely browsing the Internet
> >poses unavoidable security exposures..

>
> Not from jpg files.
>


http://www.geocrawler.com/archives/3.../7/50/4082223/
http://www.securiteam.com/securitynews/5KP0O0K3FE.html

/steve
--
No one gives you more control of your e-mail than we do!
http://www.cotse.net/servicedetails.html
E-Mail, Anon Proxies, Remailers, Usenet, Web Hosting, More.
The Internet's Full Service Privacy Website, Your Shield From The
Internet.
 
 
Jim Watt
 
      09-15-2003
On Mon, 15 Sep 2003 15:23:05 -0400, Stephen K. Gielda
<(E-Mail Removed)> wrote:

>In article <(E-Mail Removed)>,
>(E-Mail Removed)_way says...
>> On Mon, 15 Sep 2003 12:22:21 -0400, mchiper <(E-Mail Removed)> wrote:
>>
>> >Why would a program in an image file (like .JPG, etc..)
>> >ever have a chance to be executed?

>>
>> It's not.
>>
>> >A partial answer comes from the array of things browsers
>> >can do.. Like execute programs..
>> >Both Netscape and IE (the most commonly used browsers)
>> >Have built in image "decoders", I do believe.
>> >
>> >So....
>> >Doesn't that mean that merely browsing the Internet
>> >poses unavoidable security exposures..

>>
>> Not from jpg files.
>>

>
>http://www.geocrawler.com/archives/3.../7/50/4082223/
>http://www.securiteam.com/securitynews/5KP0O0K3FE.html
>
>/steve

I stand corrected, and am impressed at the gross stupidity of MS
on that one, however they have fixed it.
--
Jim Watt http://www.gibnet.com
 
 
Colonel Flagg
 
      09-15-2003
In article <(E-Mail Removed)>,
(E-Mail Removed) says...

> A file with JPG or GIF will not be executed on ANY OS, but there are
> helper applications that MAY launch if you click on one.
>


I believe I would rethink the above or perhaps do a little more research
before making such a broad statement.




--
Colonel Flagg
http://www.internetwarzone.org/

Privacy at a click:
http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness? as the new industry standard..."

"...I see stupid people."
 
 
mchiper
 
      09-15-2003

In alt.computer.security, Msg ID: <(E-Mail Removed)>
Colonel Flagg <(E-Mail Removed)>, wrote:

>In article <(E-Mail Removed)>,
>(E-Mail Removed) says...
>
>> A file with JPG or GIF will not be executed on ANY OS, but there are
>> helper applications that MAY launch if you click on one.
>>

>
>I believe I would rethink the above or perhaps do a little more research
>before making such a broad statement.


The thrust of the OP stands?
>Doesn't that mean that merely browsing the Internet
>poses unavoidable security exposures..


Just the facts.. Not who said what to whom..

>? Not from jpg files.


>?> http://www.geocrawler.com/archives/3.../7/50/4082223/
>?>http://www.securiteam.com/securitynews/5KP0O0K3FE.html


>? I stand corrected, and am impressed at the gross stupidity of MS
>? on that one, however they have fixed it.


Further..
- Only ONE example of gross stupidity?
- How about intentional gross neglect.
- Deriving from the belief that it's THEIR OS not yours..
- And selling access to YOU?, Who you are, and what you like, and do?
- What software you use... need I go on?

IE is so tightly linked to windows OSs,
And all windows OSs take over ownership of the hardware..
How does one defeat an attack thru "their " OS ?


Ray
 
 
Leythos
 
      09-15-2003
In article <(E-Mail Removed)>,
(E-Mail Removed) says...
> In article <(E-Mail Removed)>,
> (E-Mail Removed) says...
>
> > A file with JPG or GIF will not be executed on ANY OS, but there are
> > helper applications that MAY launch if you click on one.

>
> I believe I would rethink the above or perhaps do a little more research
> before making such a broad statement.


As a GIF and JPG are image files, are not executable files on any OS
that I know of, please feel free to tell us how a GIF or JPG can be
executed without the aid of a helper application.


--
--
(E-Mail Removed)
(Remove 999 to reply to me)
 
 
Colonel Flagg
 
      09-15-2003
In article <(E-Mail Removed)>,
(E-Mail Removed) says...
> In article <(E-Mail Removed)>,
> (E-Mail Removed) says...
> > In article <(E-Mail Removed)>,
> > (E-Mail Removed) says...
> >
> > > A file with JPG or GIF will not be executed on ANY OS, but there are
> > > helper applications that MAY launch if you click on one.

> >
> > I believe I would rethink the above or perhaps do a little more research
> > before making such a broad statement.

>
> As a GIF and JPG are image files, are not executable files on any OS
> that I know of, please feel free to tell us how a GIF or JPG can be
> executed without the aid of a helper application.
>
>
>


"that I know of" is the key element.

Your statement is very broad by saying "any" OS. The filename extension
doesn't determine whether it's executable or not in *nix. Just about
_any_ file may be set executable in a unix-like system.

I would suspect your statement is the result of a lack of experience
in a unix-like environment. If you have access to a unix box where
you're free to "test" things, simply:

# touch filename.jpg
# ls -al filename.jpg
-rw-r--r-- 1 flagg 4077 0 Sep 15 19:41 filename.jpg

notice the above -rw-r--r--

read here for an explanation of unix file permissions:

http://www.ctssn.com/linux/lesson6.html

# chmod 700 filename.jpg
# ls -al filename.jpg
-rwx------ 1 flagg 4077 0 Sep 15 19:41 filename.jpg

now notice the -rwx------

whereas "x" == "executable". See above URL.

Also, stating it isn't executable doesn't resolve the possibility of a
.jpg containing malicious code. I believe elsewhere in this thread,
someone posted a link to bugtraq reports of jpgs and how browsers on
Microsoft Operating Systems mishandle them. True, they need a third
party product to mishandle the code, however, the jpg not being
executable has nothing to do with whether they can cause harm or not, simply
opening the file in its associated program *could* cause ill effects.

.jpg's and .gif's, once thought to be safe, haven't been for a number of
years.





--
Colonel Flagg
http://www.internetwarzone.org/

Privacy at a click:
http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness? as the new industry standard..."

"...I see stupid people."
 
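The post above makes two separate points: the mode bits, not the name, decide whether a file can be executed, and the name says nothing about the bytes inside. The shell script below is an added example, not code from the thread, that checks each point independently; the helper names `head_hex` and `classify` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): for files *named* like images, report
#   mode    - exec/noexec: can the current user execute it (what chmod 700 changed)
#   content - match/mismatch: do the leading bytes fit the format the name claims
# head_hex and classify are hypothetical helper names.

# Print the first N bytes of FILE as lowercase hex with no separators.
head_hex() {
    od -An -tx1 -N "$2" "$1" | tr -d ' \n'
}

# classify FILE -> prints "<mode>,<content>"
classify() {
    f=$1
    if [ -x "$f" ]; then mode=exec; else mode=noexec; fi
    case "$f" in
        *.[jJ][pP][gG]|*.[jJ][pP][eE][gG])
            # JPEG streams start with the SOI marker FF D8 followed by FF.
            case "$(head_hex "$f" 3)" in
                ffd8ff) content=match ;;
                *)      content=mismatch ;;
            esac ;;
        *.[gG][iI][fF])
            # GIF files start with the ASCII signature GIF87a or GIF89a.
            case "$(head_hex "$f" 6)" in
                474946383[79]61) content=match ;;
                *)               content=mismatch ;;
            esac ;;
        *)  content=unchecked ;;
    esac
    # A matching header only means a decoder will try to parse the file; it
    # does not show that the rest of the file is well formed.
    printf '%s,%s\n' "$mode" "$content"
}

# Usage: sh audit.sh FILE...   (prints one line per file)
for f in "$@"; do
    printf '%s\t%s\n' "$f" "$(classify "$f")"
done
```

An `exec` result on an image-named file, or a `mismatch`, is worth a second look; `noexec,match` only says that the name and the header agree.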
 
Mimic
 
      09-15-2003
"Colonel Flagg" <(E-Mail Removed)> wrote in
message news:(E-Mail Removed)...
> In article <(E-Mail Removed)>,
> .jpg's and .gif's, once thought to be safe, haven't been for a number of
> years.


I'm with the colonel, I have an executable jpg on my XP box.

--
Mimic

"Without Knowledge you have fear, With fear you create your own nightmares."
"There are 10 types of people in this world. Those that understand Binary,
and those that don't."
"C makes it easy to shoot yourself in the foot. C++ makes it harder, but
when you do, it blows away your whole leg"



 