Gmail Will Soon Block JavaScript File Attachments

Starting February 13, 2017, Google will not allow JavaScript files to be sent as an attachment via Gmail in an effort to reduce malicious attacks. Android Police reports: Malicious emails often attach various forms of executable programs and trick users into running them. These include standard Windows executables (.exe), batch files (.bat), and even JavaScript files (.js). If you're not familiar with web development, JavaScript is a common language used when developing web applications, and JS files are often loaded as part of web pages. However, opening an unknown JS file on Windows can be dangerous, as it runs inside Windows Script Host by default. From there, the script can easily run Windows executables. While blocking .js attachments is a step in the right direction, it is unclear if any warnings will be shown when receiving emails with JS files attached. Source: G Suite Updates

Re:WTF

[Cajun+Hell]

It's right there in the summary: because Windows executes the script, rather than just opening it in an editor or something like that. Or if you were asking why Windows does that.. well, I guess it's just trying to remain the top platform for malware. Microsoft doesn't want their top claim to fame to be overtaken.

Re:WTF

[BarbaraHudson]

He's asking "since when did GMail allow javascript"? Used to be that if you wanted to send some javascript source to someone else, you had to zip it with a password ir it wouldn't be allowed.

Re:WTF

[thegarbz]

Or if you were asking why Windows does that.. well, I guess it's just trying to remain the top platform for malware.

God forbid the default action for a script is to execute it. I mean personally I just like scripts for the bed time reading with their riveting plots and all, but I guess there's probably some people who would prefer scripts to actually do what they claim to do.

Malware unfriendliness is user unfriendliness. The weakest link is always the user, and you generally have three choices: Piss them off with frustrating defaults, burry them under an endless string of confirmation boxes, or just trust them to break their computer if they so chose.

Re:WTF

[Cajun+Hell]

God forbid the default action for a script is to execute it.

Agreed. It's not 1988 anymore, so people generally shouldn't be running whatever random code somebody on the Internet sends them. It's forgiveable for OSes to have lagged a bit, but by the late 1990s it's pretty fucking stupid for an OS to do that.

I mean personally I just like scripts for the bed time reading with their riveting plots and all, but I guess there's probably some people who would prefer scripts to actually do what they claim to do.

Those other people can easily be accomodated. After they read the script or otherwise determine that it's something they'd like to run, they can indicate to the OS when they want to run it. chmod +x or however it works for their platform.

Malware unfriendliness is user unfriendliness.

Wait, I don't agree with you anymore. One of the things that makes my computer so friendly, is that it runs software for me, rather than for someone else (especially adversaries). Malware and users are in zero-sum: what's unfriendly for malware is friendly for the user, and vice-versa.

Piss them off with frustrating defaults, burry them under an endless string of confirmation boxes, or just trust them to break their computer if they so chose.

Yeah, and the last option is the friendliest. If someone wants to execute a script, they should totally be able to, and easily. But in such an exceptional and rare situation as wanting to treat a freshly-downloaded file as executable, they're going to have to tell the computer at least once, "This is an unusual situation. I want to execute this, rather than what I normally do 99% of the time with unvetted scripts (look at them in my editor)."

Re: WTF

[Gr8Apes]

You shouldn't be able to run a script in anything other than a sandbox designed to run scripts (ie browsers) or from files explicitly set to be executable. Random shit coming through an internet connection? No. Windows is scrapware, people should just say no.

Re:WTF

[gweihir]

And windows is not made by "software developers"?

Incidentally, you are wrong. The problem is the mail-client and that is not necessarily a part of windows. Execution of mail attachments cannot be made secure and should hence never be the default.