RFI: [LINK] The ZIP email and the PDF email

Rick Welykochy rick at praxis.com.au
Mon Jul 2 12:59:15 AEST 2007


Roger Clarke wrote:

> I've always assumed that:
> (1)  the squillions of .zip attachments to spam (and the recent trickle
>      of .pdf attachments) contain .exe content mis-labelled;  and
> (2)  those machines with settings that allow auto-invocation of
>      attachments process them based on what they contain, rather
>      than on what the suffix says they're supposed to contain.
> 
> But, in my ignorance and laziness, I've never actually checked how the 
> various (mal)configured Windows environments actually work.
> 
>  From what Rick's saying, have I been wrong? i.e. does the suffix 
> actually determine what Windows environments do with incoming attachments?

Ah, I hadn't even pursued that line of thought.

This is how the filename extension scam works on Windows (NO OTHER OS
has this problem!)

By default, Windows is configured as follows: DO NOT SHOW FILENAME EXTENSIONS.
Thus, if a file named rick.zip.exe is sent to me, I will see rick.zip. When
I double-click or let Windows auto-open, it will indeed RUN AN EXECUTABLE.

This is a very old style of exploit that sadly still works on millions of
Windows boxes. It is an example of "ease of use" causing a huge problem
once Windows migrated to a networked environment.

Repeat after me: Windows never was and never will be suitable for use on
an open and hostile public network.

That said, in the case of the PDF and ZIP emails I am talking about,
the files are actually PDF and ZIPs respectively. Example:

$ file rick at praxis.com.au.zip
rick at praxis.com.au.zip: Zip archive data, at least v1.0 to extract

$ file Invoice_d241674c10.pdf
Invoice_d241674c10.pdf: PDF document, version 1.3


I am disinclined to open either file, although they do appear to be what
they advertise. There is a (remote) possibility that either of these
files exploits known vulnerabilities in ZIP and PDF handling on any OS.


cheers
rick


-- 
_________________________________
Rick Welykochy || Praxis Services

Our enemies are innovative and resourceful, and so are we. They never stop thinking
about new ways to harm our country and our people, and neither do we.
      -- George W Bush, Washington DC, 20040805 (http://www.dubyaspeak.com/)
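The two checks discussed in this message, written out as an added example in Python (not code from the original thread or from anyone on it): first, the double-extension trick (a name like rick.zip.exe that Windows displays as rick.zip when known extensions are hidden, but runs as an executable); second, the content check that `file` performs, comparing the leading bytes of the attachment with the type its last extension claims. The executable-extension list is illustrative rather than exhaustive, and the sample attachments are constructed inline.

```python
#!/usr/bin/env python3
"""Check an email attachment's filename against its actual content.

Added example, not from the original mailing-list thread.
  1. Double-extension check: "rick.zip.exe" is displayed as "rick.zip"
     when Windows hides known extensions, but is launched as a .exe.
  2. Content check (what `file` does): compare the first bytes of the
     payload with the magic bytes of the type the last extension claims.
"""
import os

# Extensions Windows launches directly on double-click.
# Illustrative subset, not an exhaustive list.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Magic bytes for the types discussed in the thread.
MAGIC = {
    ".zip": [b"PK\x03\x04", b"PK\x05\x06"],  # local file header / empty archive
    ".pdf": [b"%PDF-"],
    ".exe": [b"MZ"],                          # DOS/PE header
}


def split_extensions(name):
    """Return every extension of a filename, outermost last.

    'rick.zip.exe' -> ['.zip', '.exe']; 'Invoice.pdf' -> ['.pdf'].
    """
    exts = []
    base = name
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            break
        exts.insert(0, ext.lower())
    return exts


def sniff_type(data):
    """Return the extension whose magic bytes match the payload, or None."""
    for ext, sigs in MAGIC.items():
        if any(data.startswith(sig) for sig in sigs):
            return ext
    return None


def assess(name, data):
    """Return a list of findings for one attachment; [] means nothing suspicious."""
    findings = []
    exts = split_extensions(name)
    real_ext = exts[-1] if exts else ""

    # Check 1: the extension Windows actually acts on is the last one.
    if real_ext in EXECUTABLE_EXTS:
        if len(exts) > 1:
            shown = name[: -len(real_ext)]  # what the user sees with extensions hidden
            findings.append(
                f"double extension: displayed as '{shown}' with extensions hidden, "
                f"but runs as {real_ext}"
            )
        else:
            findings.append(f"executable attachment ({real_ext})")

    # Check 2: does the content match what the name claims?
    sniffed = sniff_type(data)
    if real_ext in MAGIC and sniffed != real_ext:
        findings.append(
            f"content mismatch: name claims {real_ext}, magic says {sniffed or 'unknown'}"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample attachments (header bytes only).
    samples = [
        ("rick.zip.exe", b"MZ\x90\x00\x03\x00"),          # the extension scam
        ("Invoice_d241674c10.pdf", b"%PDF-1.3\n%\xe2\xe3"),  # a real PDF
        ("rick@praxis.com.au.zip", b"PK\x03\x04\x14\x00"),   # a real ZIP
        ("statement.pdf", b"MZ\x90\x00\x03\x00"),          # EXE renamed to .pdf
    ]
    for name, data in samples:
        result = assess(name, data)
        print(f"{name}: {'; '.join(result) if result else 'looks as advertised'}")
```

The second check is the one `file` performs, and it is the reason the PDF and ZIP in this message pass it: their content really is what the name says. The first check is what a mail gateway needs in addition, because a genuine .exe with a double extension passes the content check perfectly.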


