Re:Why does Outlook allows to open executable file
on Yet Another Windows Worm
Score: 2, Informative
The answer is quite simple: because the operating system allows it. In the explorer, when you click on an exe, it runs. So in a mailer, when you click on an exe, it runs. That is the same handler.
Of course, it is insecure. So in later versions, extra checks are installed that at least present some dialogue box (or in even later versions completely prevent running executables from mail).
Unfortunately, the whole mapping from "type of file" to "handler" in Windows is a big mess, and thus many bugs have existed in this area.
(the most famous one is the specification of an audio file in the mime-type and then passing a .exe file as the data. the mailer checks, it is an audio file, so fine, pass it to the OS, this sees the extension, knows it is a program not an audio file, and just runs it. BOOM!!)
Why are you waiting for that?
Do you think that waiting, instead of installing it, will help you?
>For what it's worth, our network admin does block email attachments with most executable extensions. (I don't suppose you'd be willing to provide a complete, unabridged list of these, which is also kept up to date with new windows patches? There are a hell of a lot more than just exe, bat, pif.)
Then go explain to him that what he is doing is risky.
Don't check the extension, it is too variable and may even be insecure over time. More executable extensions can be added to the system.
Check the actual type of the file. By examining the first block.
That can even be done by a text pattern match!
You will be surprised how little bad stuff goes past this simple pattern:
TV?QAA?AAAAEAA?A//8AALgAAAAAAAAAQAAAAAAAAAA*
When this pattern appears in the raw e-mail body, just drop it.
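The check the comment above describes, as an added example (it is not code from the comment's author): the glob is the one quoted above, the 32-byte DOS header is a constructed sample, and the mail is built in the script itself so it runs offline. The first function applies the comment's raw-text pattern match; the second decodes every MIME part and looks at the content ("MZ" magic), so a renamed attachment is classified by what it is rather than by its extension.

```python
import fnmatch
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# The glob from the comment: base64 of a typical DOS/PE header ("MZ" stub),
# with '?' where the bytes vary between linkers.
BASE64_MZ_GLOB = "TV?QAA?AAAAEAA?A//8AALgAAAAAAAAAQAAAAAAAAAA*"

# Constructed sample: the first 32 bytes of a typical DOS header (not taken from
# any real binary), enough to exercise both checks below.
SAMPLE_DOS_HEADER = bytes([
    0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00,
    0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,
    0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
])


def is_windows_executable(data: bytes) -> bool:
    """Content check: Windows executables (EXE, DLL, SCR and the like)
    start with the 'MZ' magic, whatever the filename says."""
    return data[:2] == b"MZ"


def raw_body_matches_glob(raw_message: bytes) -> bool:
    """The comment's text-pattern check: scan the raw mail for a base64 line
    that starts with the encoded MZ header. No MIME parsing needed."""
    for line in raw_message.decode("ascii", errors="replace").splitlines():
        if fnmatch.fnmatchcase(line.strip(), BASE64_MZ_GLOB):
            return True
    return False


def find_executable_attachments(raw_message: bytes) -> list:
    """Decode every MIME part and classify it by content, not by extension."""
    msg = message_from_bytes(raw_message, policy=default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        if is_windows_executable(payload):
            hits.append(part.get_filename() or "(unnamed part)")
    return hits


def build_sample_message(attachment_name: str, payload: bytes) -> bytes:
    """Construct a test mail with one base64 attachment (synthetic input)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "sample"
    msg.set_content("See attachment.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    # An executable renamed to look like a document is still caught by content.
    raw = build_sample_message("report.doc", SAMPLE_DOS_HEADER)
    print("executable parts:", find_executable_attachments(raw))
    print("raw glob match:", raw_body_matches_glob(raw))
```

Both checks only recognise DOS/PE executables; script attachments (VBS, JS, batch files) and archives carry no "MZ" header, so content inspection complements an extension list rather than replacing it. The raw-text glob is also only as good as the encoder's line breaks: it assumes the base64 body starts on its own line, which is what standard mailers produce but a decoding scanner does not have to rely on.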
There must be different versions then.
The one I saw, which was caught by the scanner because it was a Windows executable which we all block, was simply a blank message with almost no headers and one single attachment with a double extension.
No exploit of iframe vulnerability anywhere in sight, just the stupid user that double-clicks it!
> re: looking at linux - i (and many others) have :) i stopped running linux pretty early on, back when rpm still sucked completely. package management back then was
>tar xfvz slackware_package.tgz
Well, *a lot* has changed since then.
Now you do "rpm -U package.rpm" at that level, and the rpm program will tell you if that would break your system or the program because the newly installed program would conflict with another installed program (e.g. you install qmail AND sendmail), or the new program needs another package that you have not installed yet.
Furthermore, user interfaces have been developed for this, where you select a package by browsing your CD or the Internet, tag it for installation or update, and the program will handle the above conditions automatically or with limited user interaction (like "would you like to remove the conflicting package or abandon the new installation")
This really works well. And there is no collection of OS updates in all the .RPM files, like there is in many Microsoft application packages (and even in third-party application packages). Thus there is less risk of a "DLL Hell".
W.r.t. the RPM-MSI comparison, there is a lot that RPM stores and checks, and you can query that information. You can also repair files and packages. It even tries to deal with updates to packages that you have modified yourself (configuration changes).
But it has no permission-magic. I.e. all installations are to be done as root.
The abovementioned user interfaces normally allow you to start the installer application as any user, then enter the administrator password.
I have not done any study of the network installation/update environment that is now offered by some distributions. I guess that there is some way for an administrator to roll out packages to workstations where only users log on, e.g. by a daemon run on those workstations.
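The conflict and dependency check that the comment attributes to "rpm -U", as a toy model added here (not rpm's own code): packages declare what they provide, require and conflict with, an upgrade replaces the older version of the same name, and the check reports what would break before anything is touched. The qmail/sendmail pair is the comment's own example; the package names and versions are constructed.

```python
class Package:
    """Minimal package record: a package always provides its own name."""

    def __init__(self, name, version, provides=(), requires=(), conflicts=()):
        self.name = name
        self.version = version
        self.provides = set(provides) | {name}
        self.requires = set(requires)
        self.conflicts = set(conflicts)


def check_upgrade(installed, new):
    """Return (conflicts, missing) for installing or upgrading 'new'.

    Like rpm -U, an installed older version of the same package is replaced
    and does not count as a conflict; everything else installed must still be
    satisfiable afterwards."""
    remaining = [p for p in installed if p.name != new.name]
    provided = set()
    for p in remaining:
        provided |= p.provides

    # Conflicts in both directions: what the new package refuses to coexist
    # with, and what installed packages refuse to coexist with.
    conflicts = [c for c in new.conflicts if c in provided]
    for p in remaining:
        conflicts.extend(c for c in p.conflicts if c in new.provides)

    # Requirements of the new package that nothing (else) provides.
    missing = [r for r in new.requires if r not in provided and r not in new.provides]

    # An upgrade must not strand dependants of capabilities the old version
    # provided but the new one no longer does.
    old = [p for p in installed if p.name == new.name]
    if old:
        lost = old[0].provides - new.provides
        for p in remaining:
            missing.extend(r for r in p.requires if r in lost and r not in provided)

    return sorted(set(conflicts)), sorted(set(missing))


def demo():
    """Constructed system: sendmail provides the SMTP daemon that mutt needs."""
    installed = [
        Package("sendmail", "8.12", provides=["smtpdaemon"]),
        Package("mutt", "1.4", requires=["smtpdaemon"]),
        Package("glibc", "2.3", provides=["libc.so.6"]),
    ]
    qmail = Package("qmail", "1.03", provides=["smtpdaemon"],
                    requires=["libc.so.6"], conflicts=["sendmail"])
    newtool = Package("newtool", "1.0", requires=["libc.so.6", "libssl.so.0.9.7"])
    sendmail_new = Package("sendmail", "8.13")  # upgrade that drops 'smtpdaemon'
    return {
        "qmail": check_upgrade(installed, qmail),
        "newtool": check_upgrade(installed, newtool),
        "sendmail-upgrade": check_upgrade(installed, sendmail_new),
    }


if __name__ == "__main__":
    for name, (conflicts, missing) in demo().items():
        print(f"{name}: conflicts={conflicts} missing={missing}")
```

The third case is the one that matters for the "DLL Hell" point: the upgrade itself has no unmet requirement, yet it silently breaks mutt, and only a database of what every installed package provides and requires can notice that.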
Interesting reply.
>Incidentally, i think the primary reason that OS and App patching are separate is that the OS packaging/patch system sort of works in a bootstrap environment, i.e. the full functionality you need to do good app patching isn't available at OS install time.
Maybe you should look at Linux. All the modern Linux distributions install the OS from a running copy of the OS. There is no "install time environment" that is in any way different from the normal running OS.
Usually the install CD boots a standard kernel, loads a file into a ramdisk, mounts that ramdisk as root, and starts the system. The files on the ramdisk include a startup script that mounts the existing disks (in case it is an upgrade) and uses the standard app install tools to install everything required to run the system.
I have always wondered why MS does not do it this way, at least not in the products I have hands-on experience with (up to Windows 2000).
Stupid limitations like 8.3 filenames still affect the installation of that system. And it takes ages while disks are being formatted in FAT then converted to NTFS, files are being copied and being copied and being copied and... ad infinitum, it sometimes seems. When the whole installation is finished the disk is a big mess and in dire need of defragmentation.
In Windows XP things seem to be more streamlined, at least it installs faster so probably less unnecessary steps are taken.
Interestingly, products like the Dell Server Assistant CD, which installs an OS of choice on a Dell Server, use the same method. It boots NT into a ramdisk, and uses that NT environment to put the OS installation files on the disk. Of course it then still goes through the normal installer, but this product shows that it is no problem to boot Windows from a CD into ramdisk and run it. No need for a "bootstrap environment" with limited functionality.
Like "they might start a war"?
What do you mean, doesn't usually work?
This works nearly all the time.
Of course the documents are on technet, but those suggest that it is always the same, which it isn't.
So every time I download a fix, I start it with /? and find what switches it supports.
>btw, I find it so very amusing that whenever western sources refer to the chinese space program, they just HAVE to add phrase like "secret, military linked," as if NASA is completely independent of the military, or something...
That is similar to certain presidents always mentioning "weapons of mass destruction" linked to certain countries, while having stockpiles of those in their own yard...
(even more amusing when they fail to come up with evidence about them)
Many GPS receivers can calculate a fix from 3 satellites, assuming the height did not change from the previous fix, or is zero (sea level).
In fact, you are intersecting the spheres from the satellites with the (nearly) sphere of the earth surface. When there is no single intersection, the clock can be corrected until there is, and the position is then known.
This can be used to continue tracking in situations where 3 (or only two) satellites are visible, as is often required for car navigation systems in "urban canyon" circumstances.
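The three-satellite fix described above, worked through as an added example (not from the comment's author): with the assumed height, the fourth equation is "the receiver lies on a sphere of radius earth radius plus height", and the receiver clock error is solved for together with the position, which is what the comment means by correcting the clock until the spheres meet in one point. Newton's method on the four unknowns and the Gauss-Jordan solver are my choices; satellite positions, the true position and the previous fix are constructed numbers.

```python
import math

R_EARTH = 6371000.0  # mean earth radius in metres; height 0 means sea level


def norm(v):
    return math.sqrt(sum(c * c for c in v))


def sub(a, b):
    return [x - y for x, y in zip(a, b)]


def solve_linear(A, y):
    """Gauss-Jordan elimination with partial pivoting for a small square system."""
    n = len(y)
    M = [list(row) + [y[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [a - f * b for a, b in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]


def fix_from_three(sats, pseudoranges, height, previous_fix, iterations=20):
    """Receiver position p and clock bias b (both in metres) from three
    pseudoranges rho_i = |s_i - p| + b plus the constraint |p| = R_EARTH + height.

    Newton's method on the four unknowns (px, py, pz, b), started from the
    previous fix, which is what makes the "height unchanged" assumption usable."""
    x = list(previous_fix) + [0.0]
    for _ in range(iterations):
        p, b = x[:3], x[3]
        F, J = [], []
        for s, rho in zip(sats, pseudoranges):
            d = sub(s, p)
            r = norm(d)
            F.append(r + b - rho)                        # range residual
            J.append([-d[0] / r, -d[1] / r, -d[2] / r, 1.0])
        rp = norm(p)
        F.append(rp - (R_EARTH + height))                # "on the earth sphere" residual
        J.append([p[0] / rp, p[1] / rp, p[2] / rp, 0.0])
        dx = solve_linear(J, [-f for f in F])
        x = [xi + di for xi, di in zip(x, dx)]
        if norm(dx) < 1e-6:
            break
    return x[:3], x[3]


def demo():
    """Constructed scenario: three satellites near GPS orbit radius, a receiver
    at sea level, a 150 m clock error, and a previous fix about 37 km away.
    Returns (position error, clock bias error) in metres."""
    sats = [(26560e3, 0.0, 0.0), (0.0, 26560e3, 0.0), (15000e3, 15000e3, 15000e3)]
    k = R_EARTH / math.sqrt(3.0)
    true_p, true_b = (k, k, k), 150.0
    rhos = [norm(sub(s, true_p)) + true_b for s in sats]
    previous_fix = (k + 30000.0, k - 20000.0, k + 10000.0)
    p, b = fix_from_three(sats, rhos, 0.0, previous_fix)
    return norm(sub(p, true_p)), abs(b - true_b)


if __name__ == "__main__":
    pos_err, clock_err = demo()
    print(f"position error {pos_err:.6f} m, clock bias error {clock_err:.6f} m")
```

Starting from the previous fix is not cosmetic: the sphere constraint has a mirror solution on the far side of the earth, and a Newton iteration started far from the truth can land there, which is why a receiver that has lost all satellites for a while needs four again before it can trust a three-satellite fix.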
Ok, here is the way I solve it:
1. "most" fixes can be silently installed using:
Qxxxxxxx.exe /N /Z /M
2. the ones that don't accept this syntax can often be started using:
Qxxxxxxx.exe /Q
However, these will ask for additional confirmation. When that is not acceptable, use a script that sends the confirmation keys. I use Kixstart:
RUN 'Qxxxxxxx.exe /Q'
WHILE (Setfocus("Microsoft ...") <> 0)
SLEEP 1
LOOP
$X=SendKeys("{ENTER}")
This will usually work. Also with the Java update. However, it is a mess... I agree.
But that is part of the problem. It is only slightly related to the patch problem, but it was the reason Microsoft needed to develop "Windows file protection", as all those developers were really messing up the integrity of the system with their (sometimes) lame installers!
Had they kept this under their own control a bit earlier (with a centralized dependency check and resolve system like Yast+RPM or the equivalent on other systems), there would be no need for "Windows file protection" and all Windows 2000 systems in the world would boot faster. Think of the gains that would bring to end-users...
I have always wondered why each patch is distributed as a standalone executable...
Why is there no standard program on the Windows system, that installs a patch that is distributed in a file that contains only the update?
When I patch my Linux system, I retrieve a .RPM and it is installed using the rpm program already on the system.
Windows even has that "MSI" stuff, then why is a Microsoft patch not distributed as a .MSI file?
This is already possible, although it is cumbersome.
You can, when writing your unattend.txt, specify a batchfile that is to be run after the install. In that batchfile you can put the patches, with the correct switches to install them silently and without reboot.
Unfortunately, and this is where the patch program mess comes in, not all patches have the same set of switches and not all of them can be run silently.
For those, you need to use a script (kix, vbscript, whatever) to send the keypresses needed to proceed with the installation.
Thanks, I will (have to) do further study and get it back into working order.
>Interestingly, the really new HP LaserJets have this feature, only slightly renamed
Of course I know that. But it is not the solution, it is only a dirty workaround. It skips you past the prompt to load the letter-sized paper, but the page layout is still LETTER instead of A4, so your footers appear 2cm too high on the paper (and the bottom 2cm is always unused)
> It almost sounds like you missed the sarcasm. I had a similar thought when I first saw your command string,
It is not a command string, it is a printcap entry.
And it is not for CUPS, it is for berkeley lpd. So it is for BSD geeks.
> It almost sounds like you missed the sarcasm. I had a similar thought when I first saw your command string,
I have not yet got it to work well enough on CUPS to know what happens there, but with berkeley lpd this may actually be possible!
Use a postscript printer on Windows, let it print to the lpd spooler on Linux, and examine the first few lines of the postscript output. The name may actually be there as part of a comment. Easy to extract using perl.
In the example I gave, the handler is actually a perl program that extracts information like that, for inclusion on the webpage.
(like "what program sent this output")
What I said: set to A4, user specifies nothing, still printer says "LOAD LETTER".
There seems to be a wired-in default of LETTER somewhere. This may be perfectly OK for the home market, but it upsets us Europeans.
Ok please answer this question about your favorite system:
All printers are set up defaulting to A4 paper. Users often complain that printout defaults to LETTER format. Nowhere in the system (except maybe in its American origins) is it indicated that LETTER should ever be the papersize. It can be fixed by setting a per-user preference of "fit the printing to A4" but where is the easy-to-set "we want to print on A4 DAMMIT!!"?
I think a book has to be read to find this out. It is at least not obvious from the dialogs in the printing system.
This example (formatting was lost) is for the old system, with CUPS it is slightly better. But also seems less powerful. That is what you often see with user-friendly systems: they are newbie-friendly, but not very friendly to the user with some special requirement.
With Berkeley LPD you can do:
sap|write documents to sap-out:\
    :sd=/var/spool/lpd/sap:\
    :if=/usr/local/lib/print-sap-out:\
    :af=/var/spool/lpd/sap/acct:\
    :lp=/dev/null:\
    :bk:sh:mx#0:
This sets an input filter on an otherwise dummy printer, which can be a shellscript or whatever executable. It will receive your request data on stdin, and gets args that specify the source host and loginname of the user submitting the request.
The above was in real-life use on a Linux system, the script took the input file and put it on an Intranet website directory as a PDF file, grouped by source system and user.
Now, update the Linux system and we got CUPS instead of lpd. But this simple way of input-filtering printers seems to be gone... We can still write a backend, but it does not get the originating hostname as a parameter!
How is this solved or worked around?
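An input filter of the kind the printcap entry above hooks in with "if=", written in Python as an added example (the original script is not on the page, and this is not it): it reads the job from stdin, takes the submitting user and host from the "-n" and "-h" arguments Berkeley lpd passes to an input filter, pulls the document and application name out of the PostScript DSC comments as the earlier comment about the "%%" header suggests, and files the job under host/user. The PostScript job is a constructed sample; the spool directory and the PDF conversion the original did (an external step, left out here) are assumptions. Since the title comes from the client, it is reduced to a safe path component before it is used in a filename.

```python
import os
import re
import sys
from datetime import datetime

# Constructed sample of what a Windows PostScript driver typically emits; the
# DSC comments (%%Title, %%Creator) are where the originating document and
# application name may be found.
SAMPLE_PS_JOB = b"""%!PS-Adobe-3.0
%%Title: Invoice 4711.doc
%%Creator: PScript5.dll Version 5.2
%%CreationDate: 3/20/2004 10:15:0
%%Pages: (atend)
%%EndComments
/Helvetica findfont 12 scalefont setfont
72 720 moveto (Hello) show
showpage
%%EOF
"""


def parse_filter_args(argv):
    """Parse what Berkeley lpd hands an 'if' filter:
    -c -w<width> -l<length> -i<indent> -n <login> -h <host> <acctfile>.
    Only login and host are needed here; returns (host, user)."""
    user, host = "unknown", "unknown"
    i = 0
    while i < len(argv):
        if argv[i] == "-n" and i + 1 < len(argv):
            user, i = argv[i + 1], i + 2
        elif argv[i] == "-h" and i + 1 < len(argv):
            host, i = argv[i + 1], i + 2
        else:
            i += 1
    return host, user


def extract_dsc_comments(data, max_lines=40):
    """Return the %%Key: value pairs from the DSC header of a PostScript job."""
    comments = {}
    for line in data.decode("latin-1").splitlines()[:max_lines]:
        if line.startswith("%%EndComments"):
            break
        m = re.match(r"^%%([A-Za-z]+):\s*(.*)$", line)
        if m:
            comments[m.group(1)] = m.group(2).strip()
    return comments


def safe_name(value):
    """Reduce client-supplied metadata to a single safe path component:
    no separators, no leading dots, bounded length."""
    cleaned = re.sub(r"[^A-Za-z0-9._-]+", "_", value).strip("._")
    return cleaned[:64] or "unnamed"


def target_path(base_dir, host, user, title, stamp):
    """<base>/<host>/<user>/<stamp>-<title>.ps, grouped as the comment describes."""
    return os.path.join(base_dir, safe_name(host), safe_name(user),
                        f"{stamp}-{safe_name(title)}.ps")


def run_filter(argv, job, base_dir, stamp=None):
    """Store the job and return (path, dsc comments)."""
    host, user = parse_filter_args(argv)
    comments = extract_dsc_comments(job)
    stamp = stamp or datetime.now().strftime("%Y%m%d-%H%M%S")
    path = target_path(base_dir, host, user, comments.get("Title", "untitled"), stamp)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(job)
    return path, comments


def demo():
    """Run the filter on the constructed job in a temporary spool directory."""
    import tempfile
    argv = ["-c", "-w132", "-l66", "-i0", "-n", "jdoe", "-h", "pc17",
            "/var/spool/lpd/sap/acct"]
    with tempfile.TemporaryDirectory() as base:
        path, info = run_filter(argv, SAMPLE_PS_JOB, base, stamp="20040320-101500")
        return os.path.relpath(path, base), info["Creator"]


if __name__ == "__main__":
    # Assumed spool location; lpd runs this as the daemon user, so it must be writable by it.
    path, info = run_filter(sys.argv[1:], sys.stdin.buffer.read(), "/var/spool/lpd/sap/out")
    sys.stderr.write(f"spooled {path} creator={info.get('Creator', '?')}\n")
```

The filter exits 0 after writing, which is what lpd takes as success; a non-zero exit would make it retry or hold the job. The host and login it receives are whatever the submitting lpr client claimed, so they are fine for grouping but not for access control.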
Oh but that is quite normal these days.
The news channels are not about covering the things as they happen, they are mainly bringing studio chit-chat.
Last Saturday there was an annular eclipse of the sun. The coverage on BBC NEWS 24 consisted of many, many announcements that there would be coverage, numerous questions to the on-site reporter before the event, and when it actually happened they were running a recorded item. After the maximum they went to the reporter for 15 seconds and then chatted with a studio guest, showing the reporter in the background and the tiny sun in the background behind that...
I'd say, when you are not interested in reasonable coverage then spare your reporter the trip and the viewer the illusion that they get something to view...
No, it is ok.
Going up now.
I think about 7 kosmonauts died in space (or during their return from space). However, much more than one hundred people have died in ground accidents there.
In China, thousands died on the ground in a big launch accident.
You can probably find info about US and European accidents on space websites.
How is that relevant? More people die on the ground in such projects than in space. Because way more are working on the ground. Only they often get a little less news coverage.