Slashdot Mirror


Gmail Will Soon Block JavaScript File Attachments (androidpolice.com)

Starting February 13, 2017, Google will not allow JavaScript files to be sent as an attachment via Gmail in an effort to reduce malicious attacks. Android Police reports: Malicious emails often attach various forms of executable programs and trick users into running them. These include standard Windows executables (.exe), batch files (.bat), and even JavaScript files (.js). If you're not familiar with web development, JavaScript is a common language used when developing web applications, and JS files are often loaded as part of web pages. However, opening an unknown JS file on Windows can be dangerous, as it runs inside Windows Script Host by default. From there, the script can easily run Windows executables. While blocking .js attachments is a step in the right direction, it is unclear if any warnings will be shown when receiving emails with JS files attached. Source: G Suite Updates
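An added example in Python (not Google's code and not from the Android Police report) of the defender-side screening the summary describes: it parses a MIME message and flags attachments whose final extension Windows would hand to Windows Script Host or execute directly. It goes beyond the summary by also catching double extensions such as "photo.jpg.js", which Explorer displays without the ".js", and scripts carried inside a .zip; the blocked-extension list and the sample message are assumptions constructed here.

```python
"""Screen mail attachments for script/executable types before delivery.

Added example, not Gmail's implementation. The extension list below is an
assumption; Google's actual list is not reproduced on this page.
"""
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Assumed set of extensions that Windows runs via Windows Script Host or
# directly as a program when the file is double-clicked.
BLOCKED_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "wsh",
                      "exe", "bat", "cmd", "com", "scr"}
ARCHIVE_EXTENSIONS = {"zip"}


def last_extension(filename):
    """Return the final extension in lower case, or '' if there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def risky_name(filename):
    """Return the blocked extension if the final suffix is blocked, else None.

    Only the last suffix decides how Windows opens the file: with extensions
    hidden, "invoice.pdf.js" shows as "invoice.pdf" but still runs as JScript.
    """
    ext = last_extension(filename)
    return ext if ext in BLOCKED_EXTENSIONS else None


def scan_archive(data):
    """List (member_name, blocked_ext) for risky members of a zip payload.

    Member names are readable even in password-protected zips, so a zipped
    script can be named without decrypting anything.
    """
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                ext = risky_name(name)
                if ext:
                    findings.append((name, ext))
    except zipfile.BadZipFile:
        pass  # Not a readable zip; leave it to a deeper inspection stage.
    return findings


def scan_message(raw_bytes):
    """Return [(attachment_name, reason)] for every attachment to block."""
    msg = message_from_bytes(raw_bytes, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = risky_name(name)
        if ext:
            findings.append((name, f"blocked extension .{ext}"))
            continue
        if last_extension(name) in ARCHIVE_EXTENSIONS:
            payload = part.get_payload(decode=True) or b""
            for member, mext in scan_archive(payload):
                findings.append(
                    (name, f"archive member {member} has blocked extension .{mext}"))
    return findings


def build_sample_message():
    """Construct a sample mail: a double-extension .js, a plain .txt, and a
    zip holding a .js. Constructed for the example; the script body is a
    comment only, so the file type alone triggers the finding."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Please review"
    msg.set_content("See attachments.")
    script = b"// constructed sample script body\r\n"
    msg.add_attachment(script, maintype="application",
                       subtype="octet-stream", filename="photo.jpg.js")
    msg.add_attachment("plain notes\n", filename="notes.txt")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.js", script)
        zf.writestr("readme.txt", "nothing here")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="bundle.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```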

53 comments

  1. WTF by Anonymous Coward · · Score: 1

    Why did this ever work?!

    1. Re:WTF by Cajun+Hell · · Score: 2, Insightful

      It's right there in the summary: because Windows executes the script, rather than just opening it in an editor or something like that. Or if you were asking why Windows does that.. well, I guess it's just trying to remain the top platform for malware. Microsoft doesn't want their top claim to fame to be overtaken.

      --
      "Believe me!" -- Donald Trump
    2. Re:WTF by BarbaraHudson · · Score: 2

      He's asking "since when did GMail allow javascript"? Used to be that if you wanted to send some javascript source to someone else, you had to zip it with a password or it wouldn't be allowed.

      --
      "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    3. Re:WTF by thegarbz · · Score: 2

      Or if you were asking why Windows does that.. well, I guess it's just trying to remain the top platform for malware.

      God forbid the default action for a script is to execute it. I mean personally I just like scripts for the bed time reading with their riveting plots and all, but I guess there's probably some people who would prefer scripts to actually do what they claim to do.

      Malware unfriendliness is user unfriendliness. The weakest link is always the user, and you generally have three choices: Piss them off with frustrating defaults, bury them under an endless string of confirmation boxes, or just trust them to break their computer if they so choose.

    4. Re:WTF by gweihir · · Score: 1

      Because most software developers do not understand security at all and are under the mistaken impression that more functionality is always better. Or in other words, because incompetent idiots implemented it.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:WTF by Gordo_1 · · Score: 1

      > Malware unfriendliness is user unfriendliness

      Really? So in your version of email utopia, people should just be able to send executable code to other people and have the code just run because any other option would be user-unfriendly? Blocking executable code is the right thing to do 99.9% of the time. Developers can bloody well use password protected zips and whatnot to share code. Boo hoo, the geek 1% is *so* inconvenienced by the dumb 99.

    6. Re:WTF by Anonymous Coward · · Score: 0

      A sensible alternative is for the default action for source code files such as these to be "edit". Running scripts could be accomplished by right-clicking on the file and selecting "Execute". Far more convenient, and far less dangerous at the same time.

      User-friendly and malware-friendly are mutually exclusive whenever the user doesn't intend to run malware.

    7. Re:WTF by Cajun+Hell · · Score: 4, Informative

      God forbid the default action for a script is to execute it.

      Agreed. It's not 1988 anymore, so people generally shouldn't be running whatever random code somebody on the Internet sends them. It's forgivable for OSes to have lagged a bit, but by the late 1990s it's pretty fucking stupid for an OS to do that.

      I mean personally I just like scripts for the bed time reading with their riveting plots and all, but I guess there's probably some people who would prefer scripts to actually do what they claim to do.

      Those other people can easily be accommodated. After they read the script or otherwise determine that it's something they'd like to run, they can indicate to the OS when they want to run it. chmod +x or however it works for their platform.

      Malware unfriendliness is user unfriendliness.

      Wait, I don't agree with you anymore. One of the things that makes my computer so friendly, is that it runs software for me, rather than for someone else (especially adversaries). Malware and users are in zero-sum: what's unfriendly for malware is friendly for the user, and vice-versa.

      Piss them off with frustrating defaults, bury them under an endless string of confirmation boxes, or just trust them to break their computer if they so choose.

      Yeah, and the last option is the friendliest. If someone wants to execute a script, they should totally be able to, and easily. But in such an exceptional and rare situation as wanting to treat a freshly-downloaded file as executable, they're going to have to tell the computer at least once, "This is an unusual situation. I want to execute this, rather than what I normally do 99% of the time with unvetted scripts (look at them in my editor)."

      --
      "Believe me!" -- Donald Trump
    8. Re:WTF by Anonymous Coward · · Score: 0

      There's a bigger problem. Javascript by itself can't do a lot of damage. But it CAN launch some other arbitrary executable file, which then does the actual dirty work. Javascript should be solely for manipulation of content on a web page. Allowing Javascript the ability to launch some other arbitrary executable file is a HUGE design flaw.

    9. Re:WTF by JThundley · · Score: 1

      I'm sure if you email yourself a bash script on your Linux machine, it'll open in a text editor or at least confirm that you want to run it.

      Windows is double stupid on this since they hide file extensions by default, making it easy to fool users.

    10. Re:WTF by dfghjk · · Score: 0

      "Malware and users are in zero-sum..."

      I know you think this makes you seem intelligent...but it does not. Communicating clearly is a sign of intelligence, not using clever phrases incorrectly along with grammatical errors.

    11. Re:WTF by Blaskowicz · · Score: 1

      Windows Scripting Host is basically your bash + perl + awk environment, so to speak. So it IS supposed to launch executables, delete your data, break your computer, make your house catch on fire etc.

      That it supports "JScript" perhaps is evil. Like it has to do with the era of ActiveX.

    12. Re:WTF by Gr8Apes · · Score: 1

      So the OS should block any executable that is obtained through the internet? Perfect!

      By default? Um, yes?

      --
      The cesspool just got a check and balance.
    13. Re: WTF by Gr8Apes · · Score: 2

      You shouldn't be able to run a script in anything other than a sandbox designed to run scripts (ie browsers) or from files explicitly set to be executable. Random shit coming through an internet connection? No. Windows is scrapware, people should just say no.

      --
      The cesspool just got a check and balance.
    14. Re:WTF by Gr8Apes · · Score: 1

      Because most software developers do not understand security at all and are under the mistaken impression that more functionality is always better. Or in other words, because incompetent idiots implemented it.

      Actually, it's windows that's the major problem there, not JS, JS attached to email, or anything else. Windows. You know, that super secure can't be cracked OS brought to you by that uber coder and architect, Bill Gates. Castles built on sand.

      --
      The cesspool just got a check and balance.
    15. Re: WTF by Anonymous Coward · · Score: 0

      It's equivalent to a umask of 00nn on *nix platforms. If a user wants the shell to "execute" something, the shell should do what the user wants. Also, I use JScript quite a bit, and it's getting harder and harder to use Gmail to exchange information without onfuscation of some sort.

    16. Re: WTF by Anonymous Coward · · Score: 0

      Well, #! me.

    17. Re:WTF by gweihir · · Score: 2

      And windows is not made by "software developers"?

      Incidentally, you are wrong. The problem is the mail-client and that is not necessarily a part of windows. Execution of mail attachments cannot be made secure and should hence never be the default.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    18. Re: WTF by fisted · · Score: 1

      she bang you?

      with a strap-on?

    19. Re:WTF by Anonymous Coward · · Score: 0

      I don't think you understand. Javascript is a language that is used primarily on the web, but programming languages can be used for anything. Javascript running in a web browser can't arbitrarily execute files. Javascript run from a shell can.

    20. Re:WTF by fisted · · Score: 1

      I'm sure if you email yourself a bash script on your Linux machine, it'll open in a text editor or at least confirm that you want to run it.

      This totally isn't up to the MUA, yeah. Get a clue and realize this has nothing to do with Linux.

    21. Re:WTF by Anonymous Coward · · Score: 1

      God forbid the default action for a script is to execute it. I mean personally I just like scripts for the bed time reading with their riveting plots and all, but I guess there's probably some people who would prefer scripts to actually do what they claim to do.

      As a developer, systems that remove scripts and executables are a pain in the ass. Outlook does the same, and has been the e-mail client of choice in every company I've worked for. Sending something to a colleague results in said colleague receiving the mail with the description of the code in question with "attachment removed".

      At least for Outlook there is a registry key that changes this behavior, but of course you can't receive a .REG file either until you have changed the registry key, and not all developers know how to use regedit.

    22. Re:WTF by thegarbz · · Score: 1

      You were with me until you missed the point. Computers run software for the user. You're talking about running someone else's software? How many programs do you use on your computer right now which you alone wrote? I'm guessing you didn't write Chrome and your expectation was that when you downloaded it you were either able to simply run it, or given the option to run it, not jump through a massive amount of loops to attempt to get it started.

      You lost the plot when you said users can be accommodated all they need to do is {insert command here that most users couldn't figure out}, and then complained about unfriendliness.

      Your computer can either run software or not. That decision is left up to the user with varying forms of unfriendliness. The alternative is pre-identification of malware, nothing more nothing less. So we're in a world of code signing and user warnings.

      The problem is this is not a solvable situation. I would agree with you on your last statement, a user warning for fresh code is what we need. Unfortunately we all know how well UAC prompts have ended all windows malware, or how warnings on freshly downloaded executables means no one executes them anymore right?

    23. Re:WTF by thegarbz · · Score: 1

      No my version of utopia is sandboxing and intelligent pre-analysis of code to determine a threat level and then react accordingly.

      Unfortunately we're not in utopia, we're in a world where we can either allow a user to execute code, or get in the way of a user executing code. I'm advocating for a computer to do what the user asks. You're advocating for a walled garden made of bubblewrap to protect the user. The middle ground is code signing (you can look through history of Windows 7 and 8 articles on slashdot to see how popular this is), or user prompts (you can look to how little UAC prompts did to eliminate malware to see how effective this is).

      You can make it hard to execute code, easy to execute code, or you can have some third party curate your experience.

    24. Re:WTF by Anonymous Coward · · Score: 0

      That it supports "JScript" perhaps is evil.

      Not much different from Node.js. Besides, programming languages shouldn't be locked to a specific use. Imagine having to speak German when stopped by the police, French when contacting the DMV, Italian to the IRS and Swedish when going to the hospital...

      No, the problem is that Windows STILL considers running random stuff downloaded from the internet to be runnable by default.

    25. Re:WTF by Anonymous Coward · · Score: 0

      But in such an exceptional and rare situation as wanting to treat a freshly-downloaded file as executable, they're going to have to tell the computer at least once, "This is an unusual situation. I want to execute this, rather than what I normally do 99% of the time with unvetted scripts (look at them in my editor)."

      What people really need is an option to say "Execute this file, but don't let it touch any permanent storage, nor access any network connection.".

    26. Re:WTF by Anonymous Coward · · Score: 0

      Malware and users are in zero-sum: what's unfriendly for malware is friendly for the user, and vice-versa.

      Completely formatting/breaking the computer is certainly unfriendly for malware. If it can't run, it can't do anything; essentially the global minimum for malware-unfriendliness. I suppose this can be counted as the global maximum for user-friendliness, too, assuming that the user hates computers.

    27. Re: WTF by Anonymous Coward · · Score: 0

      onfuscate [on-fuhs-keyt] verb
      To make a method of activation obscure or unclear.

    28. Re:WTF by tepples · · Score: 1

      A sensible alternative is for the default action for source code files such as these to be "edit". Running scripts could be accomplished by right-clicking on the file and selecting "Execute". Far more convenient, and far less dangerous at the same time.

      Applied consistently across the board, your "sensible alternative" would have the following effect: "I just installed Calibre to put my e-books on my reader. But now when I open Calibre, instead of showing the Calibre window, Windows keeps trying to open Calibre's source code in Notepad, and it's all on one line." How would the least astonishing behavior be restored under your "sensible alternative"?

    29. Re:WTF by Gr8Apes · · Score: 1

      That's somewhat true, except for the fact that the mail client, also likely written by the OS vendor, is able to run a file in the core OS, and not within its own process (unlike a browser, where it is executed within the browser's process). Why is this not a problem with other OSes? Because apparently no one else is stupid enough to default execute a downloaded file with no checks. Most reasonable systems won't allow that without setting the file to executable, which, again, no reasonable client would do without explicit instructions from a user. So again, we're down to the stupidity and insecurity of Windows. There's no getting around the core problem. Everything else is just a bandaid.

      --
      The cesspool just got a check and balance.
    30. Re:WTF by Anonymous Coward · · Score: 0

      "people generally shouldn't be running whatever random code somebody on the Internet sends them" ... What do you think your browser just did when you accessed this page? It ran random JavaScript, some of it from advertisers, some of whom may have had malicious intent.

    31. Re:WTF by DarkOx · · Score: 1

      The default action for a script should be execute it. It should be determined to be a script based on the execute permission. The default create mode for a file pulled from an untrusted source (e-mail/www/etc) should not include the execute permission.

      It should be up to the user to either pass it to the argument of their trusted interpreter,

      $cscript evil.js

      or change the permissions on evil.js to explicitly tell the system yes, treat this as a script and use the associated interpreter. The sane model should always be "it's data unless I say it's a program," which is where the web gets into so much trouble: the ability to embed programmatic behavior in a data document is fundamentally risky. It's hard to deliver the functionality wanted out of modern applications with purely server side templating, so the browser sandbox has to be a somewhat acceptable compromise, but that does not mean stuff that is pulled out of that sandbox should suddenly become 'live' without some manual vetting.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    32. Re:WTF by DarkOx · · Score: 1

      I think the least astonishing thing would be to treat everything as a document until *I* say it's a program. That *I* can be somewhat transitive, that is to say after I download the Calibre installer, if I double click it, yes it's going to show it to me in whatever the document viewer for the mime-type suggests; for a binary or other unknown content that is probably the system's hex editor.

      If that isn't what I want and I trust the thing, I can say "no, this is a program" by doing something like chmod +x or right click -> properties -> permissions -> scroll scroll scroll -> execute check -> ok. Then the installer can run and set the application binaries as executable for me.

      What really should not happen is I download Install_Calibre.exe or Install_Calibre.shar etc and it just executes because I accidentally clicked it, or worse, while trying to copy some other file into the same directory I drop it on the Calibre icon and the system decides to execute it with my file as an argument. It would similarly be ok if I explicitly had to pass Calibre.txz to my package manager, installpkg calibre-arch-ver-build.txz or something; again not going to happen by accident.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    33. Re:WTF by thegarbz · · Score: 1

      The default create mode for a file pulled from an untrusted source (e-mail/www/etc) should not include the execute permission.

      So precisely what I was saying. Either you make it execute or you take a user-unfriendly step.

      However, I realise talking to a crowd which has no problem with typing chmod a+x script.js is like telling a bunch of gym junkies that there are people in the world who don't exercise.

    34. Re:WTF by JThundley · · Score: 1

      It's not up to the MUA, Outlook asks Windows what to open .js files with. Windows decides that the Windows Scripting Host is the best program to open this file with and the script gets executed. I used Linux as an example, but I'm sure other operating systems wouldn't replicate this retarded behavior, not even OSX.

      Work on your reading comprehension, dolt.

    35. Re:WTF by fisted · · Score: 1

      It's not up to the MUA, Outlook asks Windows

      First, you were talking about what "Linux" does

      Then, you do realize that Outlook is an MUA, right? And that it *chooses* to ask Windows.

      I don't see how your reply does anything than underlining my point, that it's completely up to the MUA.

      And it has still nothing to do with Linux, and that's not only because it's only a kernel, but simply because there is no universally agreed upon standard on how to ask the OS with which "application" to open a file "on Linux" in the first place. (Shebang is different.)

    36. Re:WTF by JThundley · · Score: 1

      You fail to see a lot of things, I'm not sure how much clearer I can make this.

      When a MUA defers all its decisions to the underlying OS, it technically is making a decision, but in essence it isn't. This distinction doesn't matter if your only option is to open it the way Windows wants to open it or to not open it at all. Windows does things the wrong way, other operating systems handle this kind of situation better.

      Have you heard of xdg-open? That's what many distros use. I just ran it on a shell script and it opened in kwrite rather than execute in bash. This is the workaround I've had to manually implement for my Windows clients so that they don't click on .js files and run them.

      I'd just like to interject for a moment. What you’re referring to as Linux, is in fact, GNU/Linux, or as I’ve recently taken to calling it, GNU plus Linux. Linux is not an operating system unto itself, but rather another free component of a fully functioning GNU system made useful by the GNU corelibs, shell utilities and vital system components comprising a full OS as defined by POSIX.
      Many computer users run a modified version of the GNU system every day, without realizing it. Through a peculiar turn of events, the version of GNU which is widely used today is often called “Linux”, and many of its users are not aware that it is basically the GNU system, developed by the GNU Project. There really is a Linux, and these people are using it, but it is just a part of the system they use.
      Linux is the kernel: the program in the system that allocates the machine’s resources to the other programs that you run. The kernel is an essential part of an operating system, but useless by itself; it can only function in the context of a complete operating system. Linux is normally used in combination with the GNU operating system: the whole system is basically GNU with Linux added, or GNU/Linux. All the so-called “Linux” distributions are really distributions of GNU/Linux.

    37. Re:WTF by fisted · · Score: 1

      <)))><

    38. Re:WTF by gweihir · · Score: 1

      Sorry, but if you feed emails automatically to the shell in Mutt on Linux, no such protection happens. Of course you would need to configure this yourself, but it is entirely possible to do. And for sure any mail-program can make a file executable after writing it to disk.

      I do agree that the _mindset_ at work here is that of Windows though, but for once it is not directly the OS that is at fault. Which is rare under Windows. Indirectly, with Windows promoting stupidity and insecurity in general and hence promoting making email-clients in stupid and insecure ways (for example, giving emails to a web-browser for display...) Windows is very much at fault.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    39. Re:WTF by knorthern+knight · · Score: 1

      > Sorry, but if you feed emails automatically to the shell in Mutt on Linux, no such protection happens.
      > *** Of course you would need to configure this yourself,***
      > but it is entirely possible to do.

      My emphasis. "Clicking on an email attachment" should ***NOT*** default to running an executable. Showing my age here, but I remember a "kinder gentler" time when WFWG (Windows For Work Groups) was not generally connected to the internet. There was no such thing as "group policy", to reconfigure an entire work group, either. But MS had a hack for that. Microsoft ***BRAGGED*** that an admin could send an "all-subscribers" email, and that when the individual users clicked on an attachment, it would re-configure their Windows PC as desired by the admin. YES!!!

      That was a quarter of a century ago, and MS hasn't changed. What also doesn't help is hiding extensions. So "my-naked-wife.jpg.js" shows up as "my-naked-wife.jpg".

      --

      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user
    40. Re:WTF by gweihir · · Score: 1

      Ah, I see. Well, I never used WFWG, and I only use Windows for gaming and the occasional Word document for work. If the behavior you describe is what you were referring to, then yes, Windows is to blame as far as Outlook and all that emulate its behavior are concerned. I never thought of the email-client as something provided by the OS vendor, but you are right that for many Windows users that is the reality.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. attached or embedded? by Anonymous Coward · · Score: 0

    An attached file is one clearly purposely trying to be sent, javascript is just regular ascii text and won't fire or do anything as a normal attachment.

    Embedded however...well I've never tried it really, but based on how mangled combined HTML and text gets via email I doubt it would do anything anyways.

    This all seems ridiculous, why block a person from attaching a text file?

    Meh, I'm probably getting worked up over nothing, these "stories" are inflammatory click bait and bear little resemblance to reality more often than not. If true however, their service will end up (for me anyways) going the same direction as apple and microsoft did the second I didn't feel comfortable dealing with them, which was right into the trash

    -linux mint forever (or until something better comes along)

  3. VBScript by Anonymous Coward · · Score: 0

    Well then... *cracks the ol knuckles* ... time to get the dusty VBScript out.

    But seriously:
    What does Powershell use?
    Does Win10 still run .com files?
    Did they finally kill VBScript and that other one? JScript I think it was?
    What about .jars and .swf?
    Or .py or .pl, or any other scripted language?
    Any others I am missing? Think that covers most of the regular ones at least.

    Shit, people sending viruses will just rar the files and tell people to unrar them instead.
    Just like file hosts that blocked .exe but not archive containers. (or worse, not check the file header, so you can just call it program.mp4 and tell them to rename it)
    Sure it will cut situations down a bit, but people BLINDLY follow e-mail instructions to the T! For no real reason other than "bored", some times.

    1. Re: VBScript by Anonymous Coward · · Score: 0

      COM files. Sigh. I miss single segment coding joy. And I miss NTVDM.

  4. How about this: by Anonymous Coward · · Score: 0

    Stop trying to send me malicious ads --> google bastards.

  5. Please review the attached HTML file by decipher_saint · · Score: 1

    data:text/html,HELLO<script>alert('BOOP!')</script>, WORLD!

    Thank you

    --
    crazy dynamite monkey
    1. Re:Please review the attached HTML file by Anonymous Coward · · Score: 0

      help my mouse is moving by itself

  6. The end of Slashdot being for geeks by Anonymous Coward · · Score: 1

    If you're not familiar with web development, JavaScript is a common language used when developing web applications, and JS files are often loaded as part of web pages.

    Really?

    Really?

    Really?

    Really?

    Really?

    Really?

    1. Re:The end of Slashdot being for geeks by Anonymous Coward · · Score: 1

      Wrong wrong wrong wrong wrong.

      Web applications can function just fine without javascript.

    2. Re:The end of Slashdot being for geeks by tepples · · Score: 1

      I agree that some web applications can work without script, particularly comment sections, forums, and the like, where the primary interaction is following links and submitting forms.

      But others can't. Say you have a web-based drawing program. With JavaScript, a web application can represent your image as an SVG or a canvas, with both click and drag gestures doing what the user expects in a reasonable response time. Without JavaScript, it'd have to do all the rendering server-side, with each click activating a client-side image map and reloading the entire document. Drags wouldn't work at all, as the browser would instead attempt to drag-and-drop your image to another program running on the local computer.

      "Just use a native application instead." That works only if you use the same operating system that the developer uses.

  7. Secure the download directory, not the file by Anonymous Coward · · Score: 0

    How about if Windows prevented execution of anything from the designated Download directory and all browsers were forced to download to there by default? You could launch some software and then open a file from the directory (e.g. to view in an editor) or move/initially save it somewhere else for execution. Either way it would then require a deliberate action to execute.