>-----Original Message-----
>From: Russ [mailto:Russ.Cooper@rc.on.ca]
>Sent: 26 February 2002 21:35

>It's also foolish to suggest that security be based on file extensions,
>Windows has been interpreting file types based on content for years and
>anyone who thinks they can safely run their system by excluding some
>file types is just plain dumb. AV products all have the ability to scan
>all files, and this should be the setting on your system.

Well, file extensions *used* to be a valid way for a user to know that a file either contained a given type of content, or was invalid. (That's a separate issue from whether or not a given file viewer will correctly reject an invalid file of a given type, or perhaps be exploitable through cleverly malformed data.)

Remember, there isn't a virus in the file in question: the vulnerability arises because there's no way for the user to know what type of content is in the file, and therefore no way for them to adopt different handling procedures appropriate to the different content.

For security's sake, there ought to be *some* way for an end user to know what kind of content is in a file without having to inspect it in a hex editor. The file extension would be a valid way to convey that information to the user *if* the extension was guaranteed to be respected by the viewer apps.

Or have I overlooked something?

DaveK
--
Burn your ID card! http://www.optional-identity.org.uk/
Help support the campaign, copy this into your .sig!
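The check the message asks for, telling the user when a file's content does not match what its extension promises, can be sketched as follows. This is an added example, not part of the original message; the signature table, the extension mapping and the names `sniff` and `check` are assumptions made for illustration, and the HTML test is a rough approximation rather than any viewer's actual sniffing algorithm.

```python
import os

# Leading-byte signatures for a few common formats (small illustrative subset).
MAGIC = [(b"\x89PNG\r\n\x1a\n", "png"), (b"GIF87a", "gif"), (b"GIF89a", "gif"),
         (b"\xff\xd8\xff", "jpeg"), (b"%PDF-", "pdf"), (b"PK\x03\x04", "zip"),
         (b"MZ", "pe")]
# What each extension promises the user (assumed mapping for this example).
EXT_TYPE = {".png": "png", ".gif": "gif", ".jpg": "jpeg", ".jpeg": "jpeg",
            ".pdf": "pdf", ".zip": "zip", ".exe": "pe", ".dll": "pe",
            ".htm": "html", ".html": "html", ".txt": "text"}
HTML_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<body", b"<iframe")


def sniff(data: bytes) -> str:
    """Guess the content type from the bytes alone, ignoring the file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    head = data[:512].lower()
    if any(marker in head for marker in HTML_MARKERS):
        return "html"
    # Plain text: non-empty, no bytes below 0x20 other than tab, CR and LF.
    if head and all(b >= 0x20 or b in b"\t\r\n" for b in head):
        return "text"
    return "unknown"


def check(filename: str, data: bytes) -> dict:
    """Compare what the extension claims with what the content looks like."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXT_TYPE.get(ext, "unknown")
    actual = sniff(data)
    return {"claimed": claimed, "actual": actual, "mismatch": claimed != actual}


if __name__ == "__main__":
    # Constructed sample files: (name, first bytes of content).
    samples = [
        ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("notes.txt", b"plain notes\r\n"),
        ("readme.txt", b"<html><body>hello</body></html>"),
        ("invoice.pdf", b"MZ\x90\x00\x03"),
    ]
    for name, data in samples:
        result = check(name, data)
        flag = "MISMATCH" if result["mismatch"] else "ok"
        print(f"{name:12} claimed={result['claimed']:5} "
              f"actual={result['actual']:5} {flag}")
```

A mail gateway or download handler could run such a comparison and quarantine or relabel any file where `mismatch` is true, so the name the user sees stays consistent with the content a viewer will act on.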