Monday, February 3, 2003
12:05 - Filename Extension Depth Arms Race
http://www.theregister.co.uk/content/56/29137.html
Have I mentioned lately how much I hate filename extensions?
How the New Exploit Works
The exploit relies on especially crafted email headers, creating an attachment with three file-extensions. Standard email packages will not generate these headers; these emails must either be created by hand, or using hacker tools (many of which are freely available, MessageLabs warns). The first extension (e.g. .jpg) is visible to the email user, and is intended to persuade them that the attachment is "safe". The final extension (also, for example, .jpg) is used by Outlook Express to set the icon to represent the application for opening the attachment. However, the unusual middle extension (.EXE) is used by Outlook Express to determine how to launch the attachment, therefore an .EXE file will be executed if a user double clicks on an infected attachment. Other examples may include .COM, .PIF, .SCR, or .VBS.
Die... diiiie... <teeth cracking>
Thanks to Kris for the link.
UPDATE: John Poole did some experimentation and found that OS X's Mail.app is not susceptible to filename-extension trickery. I too am curious as to how it keeps track of the executable bit, and I wonder how it would handle a Classic-style monolithic-file executable (one that isn't a folder "package"). There's also the question of whether Apple intends to try to encapsulate OS X's per-file extension-hiding bit, and what implications that would have for virus.gif.pkg kinds of exploits...
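A mail-gateway check for the kind of attachment name the quoted description warns about, as an added example that is not part of the original post or the linked article. The page does not show the crafted headers, so the sample message, its header layout and the function names are assumptions; the check simply flags any declared attachment name with an executable extension in any position, not only the last.

```python
import email
from email.utils import collapse_rfc2231_value

# Executable extensions listed in the quoted description.
EXECUTABLE_EXTS = {"exe", "com", "pif", "scr", "vbs"}

# Constructed sample message (not captured traffic; header layout is assumed).
SAMPLE = """\
From: sender@example.org
Subject: photos
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: image/jpeg; name="holiday.jpg"
Content-Disposition: attachment; filename="holiday.jpg.exe.jpg"

(constructed placeholder body)
--b1--
"""

def declared_names(part):
    """Return every name the part declares, from both headers."""
    raw = [part.get_param("filename", header="content-disposition"),
           part.get_param("name", header="content-type")]
    return {collapse_rfc2231_value(v).strip() for v in raw if v}

def executable_components(name):
    """Executable extensions found in any position after the base name."""
    parts = [p.strip().lower() for p in name.split(".")[1:]]
    return [p for p in parts if p in EXECUTABLE_EXTS]

def scan(raw_message):
    """List (name, executable extensions) for each suspicious attachment name."""
    findings = []
    for part in email.message_from_string(raw_message).walk():
        for name in sorted(declared_names(part)):
            hits = executable_components(name)
            if hits:
                findings.append((name, hits))
    return findings

if __name__ == "__main__":
    for name, hits in scan(SAMPLE):
        print(f"quarantine: {name!r} carries {hits}")
```

Because `com` is matched in any position, a benign name that embeds a domain (for example `www.example.com.pdf`) is also flagged, so findings are better routed to quarantine review than silently dropped.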