"Dylan Smith" wrote in message
...
In article , Peter Duniho wrote:
architectural problem that just giving your file an .exe extension makes
them executable, and therefore if you find another bug like the MIME
bugs OE suffered from, you can leverage it to make executables attached
to email run automatically.

As opposed to Unix where you can attempt to run ANY file, regardless of
extension? I'm not sure what your point here is.

My point is that since under Unix, when email arrives, attachments don't
have the execute bit. They can't. They aren't on the filesystem. You
therefore can't double-click an executable attachment to run it from
your email client which is a GOOD thing. A bug in the email client that
automatically opens attachments can't be leveraged to run executables,
as it has with Outlook Express. MIME type bugs can't be exploited to
trick the mail client into automatically running executables - because
the file never has execute permission when it's sitting in your inbox.

That's not so. There is nothing stopping an email client from saving the
file, and setting the execute bit, if it finds (say by examining magic
words) that it is being asked to open an executable. In the environment of
trust backed up by knowledge that was briefly envisioned in the early 90's
it would have been the right thing to do, but there were few UNIX GUI mail
clients around. In the shadow of well-publicized Windows attacks, I doubt
there are any UNIX mail clients that do so, but you're not talking about a
fundamental difference in OS design.

What should a UNIX mail client do when you double-click an attachment with a
.sh extension? Whether you pipe a stream to the interpreter or save a temp
file, a shell script can screw you just as badly as an executable. IIRC,
dtmail would have done this while it was alive.
-- David Brooks
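
The thread turns on what a mail client does with an attachment after it leaves the inbox. The following is an added example, not code from any poster or from any mail client named above: a save routine that never grants an execute bit and treats both magic bytes and the `.sh`/`.exe` extensions as reasons to store the file without opening it. The function names, the action labels and the sample message are assumptions constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading bytes that mark content an OS loader or interpreter would run.
MAGIC = {b"\x7fELF": "ELF binary", b"MZ": "PE binary", b"#!": "shebang script"}
SCRIPT_EXT = {".sh", ".exe"}  # the extensions named in the thread

def classify(name, data):
    """Return why an attachment counts as runnable, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    if os.path.splitext(name)[1].lower() in SCRIPT_EXT:
        return "runnable by extension"
    return None

def save_attachments(raw, outdir):
    """Save every attachment without execute bits; return (name, kind, action)."""
    results = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Drop directory components from the sender-supplied file name.
        name = os.path.basename(part.get_filename() or "attachment.bin")
        # O_EXCL refuses to overwrite; mode 0600 never grants an execute bit.
        fd = os.open(os.path.join(outdir, name),
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        kind = classify(name, data)
        # Runnable content is stored only: no chmod +x, no pipe to an interpreter.
        results.append((name, kind, "save-only" if kind else "open-in-viewer"))
    return results

def sample_message():
    """Constructed message: one mislabeled script, one .sh file, one text file."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    for fname, mtype, body in [
        ("photo.png", ("image", "png"), b"#!/bin/sh\necho constructed\n"),
        ("job.sh", ("application", "octet-stream"), b"echo constructed\n"),
        ("notes.txt", ("application", "octet-stream"), b"hello\n"),
    ]:
        msg.add_attachment(body, maintype=mtype[0], subtype=mtype[1], filename=fname)
    return msg.as_bytes()
```

The declared MIME type is deliberately ignored: `photo.png` is labeled `image/png` but is classified by its first bytes.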