Message-ID: <3FBE236B.10381.392157D0@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: .hta virus analysis
Jelmer <jkuperus@...net.nl> wrote:
> There's nothing wrong with .hta files, ...
As local content, agreed -- they are just as "safe" as such other
things as .EXE files, .VBS files and so on...
> ... but that it has an associated mime
> type boggles the mind
Agreed, but what boggles my mind even more is that I have been told
that in the past MS has said it will not remove support for this (and
related extreme stupidities) "because some major customers actually
_want_ _AND USE_ this functionality".
That's right folk -- TCI means that if a couple of pea-brained, slack-
arsed "system administrators" at a couple of major MS accounts (think
the "big three" (or is it still four?) accounting/consulting firms,
really large defense, aerospace, etc manufacturers to get an idea of
the size of operation your security is competing with here), who are
too stupid to work out a couple of registry tweaks to shoot off both
their feet in the pursuit of making their own lives marginally easier,
MS will roll the desired "feature" into the default install so as to
inflict several hundred million machines worldwide with the associated
problems should there be any flaws elsewhere in its products.
It's long past time Windows' attack surface was dramatically reduced
through the removal of all kinds of stupid and dangerous MIME type
mappings, CLSID as file extension tricks, and other such nonsenses.
I'm sure these gave wet dreams to the pimply-faced geeks that dreamed
them up as yet another cool way to "just make things work" if the only
"skill" some yokel user knows is "double-click it and see". However,
as those geeks were neither trained in, nor charged with having, the
vaguest clue about or concern for security, it's time that a lot of
those design decisions were re-considered. It's at least half-
pointless having better security-trained programmers (if you believe
Redmond's hype) if they are baby-sitting code that is still intended to
implement functionality dreamed up when "security-ignorant featuritis"
and "everything enabled by default so everything just works" were the
driving forces behind the design ideal...
> It's been the source of many an issue in the past. Microsoft would be better
> off disabling it entirely
Yep, couldn't agree more.
Maybe in XP SP2???
And if so, will they "back-port" it to the next W2K SP??
Regards,
Nick FitzGerald