Computer Security - Re: Web based email issues

#1

In alt.computer.security, Msg ID: <>
Jim Watt <>, wrote:

>On Mon, 2 Dec 2002 19:31:39 -0000, "Shaolin Tiger"
><> wrote:
>
>>Most important of all..EDUCATE YOUR USERS
>
>sigh !
>
>Most of the machines do have av running, but some of them
>are too old to support it and work.

A simple question, I think. ( I don't run a server, per se.)
The question derives from " have a/v running".

The fundamental security exposure comes from running
programs "unknowingly".

Why would a program in an image file (like .JPG, etc..)
ever have a chance to be executed?

A partial answer comes from the array of things browsers
can do.. Like execute programs..
Both Netscape and IE (the most commonly used browsers)
Have built in image "decoders", I do believe.

So....
Doesn't that mean that merely browsing the Internet
poses unavoidable security exposures..

Further..
IE is so tightly linked to windows OSs,
And all windows OSs take over ownership of the hardware..
How does one defeat an attack thru "their " OS ?

Ray

mchiper

#2

In article <>,
says...
>
> In alt.computer.security, Msg ID: <>
> Jim Watt <>, wrote:
>
> >On Mon, 2 Dec 2002 19:31:39 -0000, "Shaolin Tiger"
> ><> wrote:
> >
> >>Most important of all..EDUCATE YOUR USERS
> >
> >sigh !
> >
> >Most of the machines do have av running, but some of them
> >are too old to support it and work.
>
> A simple question, I think. ( I don't run a server, per se.)
> The question derives from " have a/v running".
>
> The fundamental security exposure comes from running
> programs "unknowingly".
>
> Why would a program in an image file (like .JPG, etc..)
> ever have a chance to be executed?

A file with JPG or GIF will not be executed on ANY OS, but there are
helper applications that MAY launch if you click on one.

>
> A partial answer comes from the array of things browsers
> can do.. Like execute programs..
> Both Netscape and IE (the most commonly used browsers)
> Have built in image "decoders", I do believe.
>
> So....
> Doesn't that mean that merely browsing the Internet
> poses unavoidable security exposures..

Yes, you are exposed to the level that you educate yourself.

>
> Further..
> IE is so tightly linked to windows OSs,
> And all windows OSs take over ownership of the hardware..
> How does one defeat an attack thru "their " OS ?

IE can be limited in what it allows - it's just that MOST sites want
things that mean you need to enable things that open you to attempted
hacking. In most cases you have to do something to get attacked.

--
--
(Remove 999 to reply to me)

Leythos

#3

On Mon, 15 Sep 2003 12:22:21 -0400, mchiper <> wrote:

>Why would a program in an image file (like .JPG, etc..)
>ever have a chance to be executed?

It's not.

>A partial answer comes from the array of things browsers
>can do.. Like execute programs..
>Both Netscape and IE (the most commonly used browsers)
>Have built in image "decoders", I do believe.
>
>So....
>Doesn't that mean that merely browsing the Internet
>poses unavoidable security exposures..

Not from jpg files.

--
Jim Watt
http://www.gibnet.com

Jim Watt

#4

In article <>,
_way says...
> On Mon, 15 Sep 2003 12:22:21 -0400, mchiper <> wrote:
>
> >Why would a program in an image file (like .JPG, etc..)
> >ever have a chance to be executed?
>
> It's not.
>
> >A partial answer comes from the array of things browsers
> >can do.. Like execute programs..
> >Both Netscape and IE (the most commonly used browsers)
> >Have built in image "decoders", I do believe.
> >
> >So....
> >Doesn't that mean that merely browsing the Internet
> >poses unavoidable security exposures..
>
> Not from jpg files.
>

http://www.geocrawler.com/archives/3.../7/50/4082223/
http://www.securiteam.com/securitynews/5KP0O0K3FE.html

/steve

--
No one gives you more control of your e-mail than we do!
http://www.cotse.net/servicedetails.html
E-Mail, Anon Proxies, Remailers, Usenet, Web Hosting, More.
The Internet's Full Service Privacy Website, Your Shield From The Internet.

Stephen K. Gielda

#5

On Mon, 15 Sep 2003 15:23:05 -0400, Stephen K. Gielda
<> wrote:

>In article <>,
>_way says...
>> On Mon, 15 Sep 2003 12:22:21 -0400, mchiper <> wrote:
>>
>> >Why would a program in an image file (like .JPG, etc..)
>> >ever have a chance to be executed?
>>
>> It's not.
>>
>> >A partial answer comes from the array of things browsers
>> >can do.. Like execute programs..
>> >Both Netscape and IE (the most commonly used browsers)
>> >Have built in image "decoders", I do believe.
>> >
>> >So....
>> >Doesn't that mean that merely browsing the Internet
>> >poses unavoidable security exposures..
>>
>> Not from jpg files.
>>
>
>http://www.geocrawler.com/archives/3.../7/50/4082223/
>http://www.securiteam.com/securitynews/5KP0O0K3FE.html
>
>/steve

I stand corrected, and am impressed at the gross stupidity of MS
on that one, however they have fixed it.

--
Jim Watt
http://www.gibnet.com

Jim Watt

#6

In article <>,
says...

> A file with JPG or GIF will not be executed on ANY OS, but there are
> helper applications that MAY launch if you click on one.
>

I believe I would rethink the above or perhaps do a little more research
before making such a broad statement.

--
Colonel Flagg
http://www.internetwarzone.org/
Privacy at a click: http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness™ as the new industry standard..."

"...I see stupid people."

Colonel Flagg

#7

In alt.computer.security, Msg ID: <>
Colonel Flagg <>, wrote:

>In article <>,
> says...
>
>> A file with JPG or GIF will not be executed on ANY OS, but there are
>> helper applications that MAY launch if you click on one.
>>
>
>I believe I would rethink the above or perhaps do a little more research
>before making such a broad statement.

The thrust of the OP stands?

>Doesn't that mean that merely browsing the Internet
>poses unavoidable security exposures..

Just the facts.. Not who said what to whom..

>? Not from jpg files.
>?> http://www.geocrawler.com/archives/3.../7/50/4082223/
>?>http://www.securiteam.com/securitynews/5KP0O0K3FE.html
>? I stand corrected, and am impressed at the gross stupidity of MS
>? on that one, however they have fixed it.

Further..
- Only ONE example of gross stupidity?
- How about intentional gross neglect.
- Deriving from the belief that it's THEIR OS not yours..
- And selling access to YOU?, Who you are, and what you like, and do?
- What software you use... need I go on?

IE is so tightly linked to windows OSs,
And all windows OSs take over ownership of the hardware..
How does one defeat an attack thru "their " OS ?

Ray

mchiper

#8

In article <>,
says...
> In article <>,
> says...
>
> > A file with JPG or GIF will not be executed on ANY OS, but there are
> > helper applications that MAY launch if you click on one.
>
> I believe I would rethink the above or perhaps do a little more research
> before making such a broad statement.

As a GIF and JPG are image files, are not executable files on any OS
that I know of, please feel free to tell us how a GIF or JPG can be
executed without the aid of a helper application.

--
--
(Remove 999 to reply to me)

Leythos

#9

In article <>,
says...
> In article <>,
> says...
> > In article <>,
> > says...
> >
> > > A file with JPG or GIF will not be executed on ANY OS, but there are
> > > helper applications that MAY launch if you click on one.
> >
> > I believe I would rethink the above or perhaps do a little more research
> > before making such a broad statement.
>
> As a GIF and JPG are image files, are not executable files on any OS
> that I know of, please feel free to tell us how a GIF or JPG can be
> executed without the aid of a helper application.
>
>
>

"that I know of" is the key element. Your statement is very broad by
saying "any" OS.

The filename extension doesn't determine whether it's executable or not
in *nix. Just about _any_ file may be set executable in a unix-like
system. I would suspect your statement is the result from a lack of
experience in a unix-like environment.

If you have access to a unix box where you're free to "test" things,
simply:

    # touch filename.jpg
    # ls -al filename.jpg
    -rw-r--r-- 1 flagg 4077 0 Sep 15 19:41 filename.jpg

notice the above -rw-r--r--
read here for an explanation of unix file permissions:
http://www.ctssn.com/linux/lesson6.html

    # chmod 700 filename.jpg
    # ls -al filename.jpg
    -rwx------ 1 flagg 4077 0 Sep 15 19:41 filename.jpg

now notice the -rwx------
whereas "x" == "executable". see above URL.

Also, stating it isn't executable doesn't resolve the possibility of a
.jpg containing malicious code, I believe elsewhere in this thread,
someone posted a link to bugtraq reports of jpgs and how browsers on
Microsoft Operating Systems mishandling them. True, they need a third
party product to mishandle the code, however, the jpg not being
executable has nothing to do whether they can cause harm or not, simply
opening the file in its associated program *could* cause ill effects.

.jpg's and .gif's, once thought to be safe, haven't been for a number of
years.

--
Colonel Flagg
http://www.internetwarzone.org/
Privacy at a click: http://www.cotse.net

Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness™ as the new industry standard..."

"...I see stupid people."

Colonel Flagg
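
The two points in the post above (the execute bit is independent of the file name, and an image name says nothing about the bytes the viewer will be handed) can be checked mechanically. The script below is an added example, not part of the thread; its function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag image-named files that carry an
# execute bit or whose leading bytes are not an image header.
# Function names and sample files are constructed for illustration.

# First 4 bytes of a file as lowercase hex; empty string for an empty file.
magic_hex() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# True if any user/group/other execute bit is set (mode bits, not access).
has_exec_bit() {
    [ -n "$(find "$1" -prune \( -perm -100 -o -perm -010 -o -perm -001 \) -print)" ]
}

# Print one finding per line for *.jpg, *.jpeg and *.gif files under $1.
# Names are matched case-sensitively; names containing newlines are not handled.
audit_images() {
    find "$1" -type f \( -name '*.jpg' -o -name '*.jpeg' -o -name '*.gif' \) -print |
    sort |
    while IFS= read -r f; do
        if has_exec_bit "$f"; then echo "EXEC-BIT $f"; fi
        case "$f" in
            *.gif) want=47494638 ;;   # "GIF8"
            *)     want=ffd8ff ;;     # JPEG start-of-image marker plus next marker prefix
        esac
        m=$(magic_hex "$f")
        case "$m" in
            "$want"*) ;;              # header agrees with the extension
            *) echo "BAD-MAGIC $f (first bytes: ${m:-none})" ;;
        esac
    done
}

# Constructed sample files, including the touch + chmod 700 case from the post.
make_samples() {
    printf '\377\330\377\340' > "$1/photo.jpg"
    printf 'GIF89a' > "$1/anim.gif"
    : > "$1/filename.jpg"
    printf '#!/bin/sh\necho hi\n' > "$1/script.jpg"
    chmod 644 "$1/photo.jpg" "$1/anim.gif" "$1/script.jpg"
    chmod 700 "$1/filename.jpg"
}

tmp=$(mktemp -d)
make_samples "$tmp"
audit_images "$tmp"
rm -rf "$tmp"
```

A matching header only shows that the file claims to be an image; the decoder bugs linked earlier in the thread are a matter of keeping the viewer patched, which this check does not replace.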

#10

"Colonel Flagg" <> wrote in
message news:.. .
> In article <>,
> .jpg's and .gif's, once thought to be safe, haven't been for a number of
> years.

I'm with the colonel, I have an executable jpg on my xp box.

--
Mimic

"Without Knowledge you have fear, With fear you create your own nightmares."
"There are 10 types of people in this world. Those that understand Binary,
and those that dont."
"C makes it easy to shoot yourself in the foot. C++ makes it harder, but
when you do, it blows away your whole leg"

Mimic