Re: Plain text files in internet explorer

From: Eric Rostetter (eric.rostetter@physics.utexas.edu)
Date: 09/03/02


Date: Mon,  2 Sep 2002 22:11:23 -0500
From: Eric Rostetter <eric.rostetter@physics.utexas.edu>
To: dan@doxpara.com

Quoting Dan Kaminsky <dan@doxpara.com>:

> Mozilla will occasionally render downloads from a scripted backend as
> plain text. It's really pretty annoying, correct behavior or not.

Granted. And the solution is to either fix the backend (best) or prompt
the user if they would like to take a non-standard action.
 
> All things being equal, I'll go with correct behavior being first that
> which matches what is presented to the user in the title bar, using
> standard (Microsoftian!) in-band filename notation, then if nothing
> usable is there, use the MIME-type as a hint. In such a circumstance:

This is just plain wrong. Just because it works for microsoft users
doesn't mean it works for the rest of the world. At least until microsoft
really does take over the world and the rest of us go away.

> foobar.txt is always read as text.

Okay. So what is foobar.text read as?

> foobar.html is always read as html.

But what if I don't want it read as html?

> foobar.php and foobar.php, which really *should* be foobar.html because
> -- dear god, they contain html -- can use the MIME-type to hint
> themselves into HTML parsing.

But what if -- dear god -- it contains php and not html?

> foobar.gif is always read as gif.

Okay.

> a javascript virus is always obviously either javascript(foo.js) or
> parsed as a gif(foo.gif).

But what if I don't want it parsed at all?

> Importantly, I cannot conceive of a circumstance in which this can be
> described incorrect behavior.

Okay, here's the crux of the problem. Microsoft MSIE thinks that when a web
page wants to download a file called sample.com it must be a Microsoft (DOS)
executable and tries to execute it as such, even though I told it that it
was a text/plain or application/octet-stream file. The problem is, it is
really an OpenVMS command file, which is a text/plain file, or at best
an OpenVMS executable, and Microsoft/MSIE file. So executing it (which MSIE
does) is not only inappropriate/undesirable, but it could be totally
disastrous!

Same for Microsoft thinking that *.doc is a word document, when other
operating systems have been using *.doc for other purposes for years.
Same for *.dir, *.exe, etc.

Point is, not all OS platforms use the same file extensions, so if one decides
to force its file extensions on the user, it will cause problems with people
who use multiple OS platforms.

> to view the previous format, not the latter. GIFs can't exploit your
> system. Flash files can, just like any executable.

That is pure fud.
 
> We're seeing a reasonably steady stream of "x posing as y to get around
> z restriction" attacks made available specifically because filetype
> handling is being hidden behind a user-opaque format standard that
> places the type of a file far outside the file itself.

So? How is this different than the exploits/viruses/restriction-bypasses
by using filename extensions (like something.xls.txt or something.exe.txt)?

> I expect the exploit stream will eventually lead to MIME-type
> deprecation.

I seriously doubt it. And it surely won't be replaced by file extensions
which suffer most all the same problems and additional problems also.

> Yours Truly,
>
> Dan Kaminsky
> DoxPara Research
> http://www.doxpara.com

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

"TAD (Technology Attachment Disorder) is an unshakable, impractical devotion to a brand, platform, product line, or programming language. It's relatively harmless among the rank and file, but when management is afflicted the damage can be measured in dollars. It's also contagious -- someone with sufficient political clout can infect an entire organization."

--"Enterprise Strategies" columnist Tom Yager.
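
The disagreement in this thread, written out as an added example that is not part of the original post: two type-resolution policies (declared Content-Type first, or filename extension first) applied to the file names mentioned above, plus a server-side audit that flags the responses where an extension-first client would act differently from what the server declared. The handler tables, the set of executable extensions and the example hosts are assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Assumed, illustrative subsets; not taken from the thread.
EXECUTABLE_EXTS = {".com", ".exe", ".bat", ".pif", ".scr"}
EXT_HANDLERS = {".txt": "show-text", ".html": "render-html", ".gif": "show-image"}
MIME_HANDLERS = {"text/plain": "show-text", "text/html": "render-html",
                 "image/gif": "show-image", "application/octet-stream": "save"}

def suffixes(url):
    """All dot-suffixes of the URL's file name, lowercased, in order."""
    name = posixpath.basename(urlsplit(url).path)
    return ["." + p for p in name.lower().split(".")[1:] if p]

def media_type(content_type):
    """Strip parameters such as charset from a Content-Type value."""
    return (content_type or "").split(";", 1)[0].strip().lower()

def by_declared_type(url, content_type):
    """Policy 1: trust the server's Content-Type; unknown types are saved."""
    return MIME_HANDLERS.get(media_type(content_type), "save")

def by_extension(url, content_type):
    """Policy 2: the final extension wins; Content-Type is only a hint."""
    ext = (suffixes(url) or [""])[-1]
    if ext in EXECUTABLE_EXTS:
        return "execute"
    return EXT_HANDLERS.get(ext) or by_declared_type(url, content_type)

def audit(responses):
    """Return (url, reason) pairs a server operator should review."""
    findings = []
    for url, ctype in responses:
        sfx = suffixes(url)
        if by_extension(url, ctype) == "execute":
            findings.append((url, "extension-first client would execute a file "
                                  "declared " + media_type(ctype)))
        elif any(s in EXECUTABLE_EXTS for s in sfx[:-1]):
            findings.append((url, "executable extension hidden behind " + sfx[-1]))
    return findings

# Constructed sample responses: (URL, Content-Type header).
SAMPLE = [
    ("http://vms.example/sample.com", "text/plain; charset=us-ascii"),
    ("http://www.example/foobar.txt", "text/plain"),
    ("http://www.example/foobar.php", "text/html"),
    ("http://www.example/something.exe.txt", "text/plain"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the constructed sample, the audit reports sample.com (the two policies disagree) and something.exe.txt (the two policies agree, yet the name still carries an executable extension).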


