Fog Creek Software
Discussion Board

Click on a....

Typical quote from the press today, concerning the initial spread of SoBig.F via usenet:

"The posting had the title "Nice, who has more of it? DSC-00465.jpeg" and contained a photo which, when clicked on, infected the browser's computer with the worm, said Easynews."

So if it is a photo, can someone explain how the infection occurs?  How dangerous is a .jpeg anyway?  Or is the press as tech-savy as ever?

Monday, August 25, 2003

They were probably talking about a link contained in the message, not the JPG itself.

Flamebait Sr.
Monday, August 25, 2003

In most of the cases I've heard of, you have a file with two extensions, like "foo.jpg.exe". Unfortunately, the vast majority of Windows machines out there are configured to hide the extension of files (for "known" types), so the file appears to be named "foo.jpg". I don't know if SoBig is similar.


Mark Bessey
Monday, August 25, 2003

Have since found a reference that said it was a link.

Which makes more sense.

Monday, August 25, 2003

Internet Explorer likes to disregard content types sent in headers and try to make it's own determination about content type.  This leads to interesting issues where a file can be sent with a JPEG content type and extension that contains nothing but malicious Javascript and IE will determine that it should run it.  Since Outlook uses IE's rendering engine for HTML email this becomes an issue with email as well.  I admit that I have not looked into how MS has dealt with this issue recently.

Monday, August 25, 2003

>> Unfortunately, the vast majority of Windows machines out there are configured to hide the extension of files (for "known" types), so the file appears to be named "foo.jpg".

I usually don't jump on the anti-MS bandwagon, but I do on this issue.  I think that this is the single stupiest configuration default in Windows, ever (yes, I'm elevating this conversation up to the name-calling level).

What was the I Love You virus file - something like ILoveYou.txt.vbs.  I knew people who opened that one who normally aren't stupid since it showed up as ILoveYou.txt.

Even worse are corporate IT admins who configure new PC's and don't change this.  I got a new PC 3 weeks after the I Love You virus hit and the extensions were hidden.  It's such a simple change that would prevent a lot of people from clicking on potentially harmful files.

Monday, August 25, 2003

I agree with Nick - if Microsoft wants to do *something* to patch windows and fix the problem, they could patch it to completely remove the option of hiding extensions.
At the very least, turn the "hide extensions" option off and make that the default setting.

#2 on my hit/hate list is IE's attempt to guess content. MIME types exist for a reason, and vulnerabilities exist both ways (trusting the MIME type or guessing based on filename/content). So since neither method is absolutely safe, stick with the standard behavior.

Don't get me started on IE caching. It's not a security issue, but it's another one that makes me want to hunt down the IE team and make them watch a Showgirls/Ishtar marathon...


Monday, August 25, 2003

Yes, but MS targets their software to the Doby B. Dumb crowd, and for them, it's a lot easier not to see the extensions!

Monday, August 25, 2003

IE guesses content by MIME content-type, extension, and actual data. I'm not sure which overrules the other.
Many bugs come when the MIME type says "this is a foobar document", and IE passes it to foobar, which says "nah, this is really an executable, so I'll be nice and execute it for the user".

They really need to extend the document sandbox, use the IE cache, make apps use it for zone trust information.

True story: at one time, had a jpeg with a MIME content-type of jpeg. But the actual data was  GIF.  Was this intentional to make other browsers look bad? Or someone being lazy and swapping the actual bits on the website without updating everything which pointed to the bits?

Monday, August 25, 2003

I agree that extensions should be visible by default but the idea that it makes tricking users easier because of the two extensions trick is a little silly if you think about it for a second.  If they don’t have visible extensions, how is adding a false one going to trick them any more than just using the executable one?  If someone sees “Image” in their mailbox for “Image.jpg”, they’ll also see “Image” for “Image.exe”.  How is seeing “Image.jpg” going to trick them anymore than seeing “Image”? 

I doubt that the typical user who doesn’t know to make extensions visible would know what a “bad” extension is anyway.  Do you really expect the typical user to know what .exe, .com, .bat, .cmd, .pif, .wsh, .js, .vbs, etc. are? 

All of this is moot with the latest versions of Outlook and Outlook Express because they block opening or saving potentially dangerous attachments by default (I’m assuming this means executable attachments).  Even if you disable the blocking, I believe you still get a warning message.

Monday, August 25, 2003

You can't disable the file blocking unless you're using Exchange. Also annoying -- a savvy user can't insist on being able to receive EXE files. Baby, meet bathwater.

Monday, August 25, 2003

Outlook Express has a checkbox in the Security settings to disable blocking.  Outlook 2002 requires a registry tweak:;en-us;290497

Monday, August 25, 2003

RH, yes, a "data" file can be a virus. If the data reader (image viewer for ex.)  has a bug, it can be exploited. Search for "buffer overflow". This forum had a duscussion about this a few days ago.

Opera freak
Monday, August 25, 2003

re: preventing executable attachments being saved, Outlook 2000 does this after a SP upgrade.  I couldn't find a registry tweak that re-enabled it.

Another solution is to patch the file extension list Outlook uses to block attachments:

Navigate to your Office program directory
Open up "outllib.dll" in your favourite hex editor
Search for "exe;"
Move the null terminator to the start of the filter string (or otherwise edit to your taste)

Of course this probably violates some license agreement...

Tuesday, August 26, 2003

Coincidentally I sent a client a foxpro source file today and their Outlook blocked it so I had to zip it up and resend it.

Simon Lucy
Tuesday, August 26, 2003

I sent an attachement to a customer in a zip file. I got an automated response from their system saying that my email might be spam and they were blocking the zip file because it might have a virus.

Stupid system. I renamed the zip file to ?dotzip.morons and it went through. All he had to do is rename the file to get it.

Then I felt bad for being unprofessional and using morons instead of something bland.

Tuesday, August 26, 2003

>> I doubt that the typical user who doesn’t know to make extensions visible would know what a “bad” extension is anyway.  Do you really expect the typical user to know what .exe, .com, .bat, .cmd, .pif, .wsh, .js, .vbs, etc. are?  <<

No, I doubt the typical user would know all these extensions.  I didn't even know that a .pif extension was an executable until reading it here on JoS last year.

There are many users who are idiots, but I think they are a smaller percentage than many developers think.  They are the few that give the rest a bad rep. But many users are savvy enough to know *not* to click on a file with an extension that they don't recognize - making a big difference in the rate that a virus proliferates.

Tuesday, August 26, 2003

I think the motivation to hide the extension came from a few years back as part of meeting "usability guidelines" as defined by, at that stage, Macintosh zealots.

Macs didn't trouble the user with anything as complicated as file extensions, so neither should Windows, was the argument. Of course, there were lots of things Macs didn't trouble users with, generally in a contemptuous fashion.

Tuesday, August 26, 2003

File extensions should be hidden by default. Anything else causes no end of problems when people rename the file and of course the extension disappears.

I receive a couple of emails a week with attachments with no extension at all because the person was working on a computer with file extensions visible and got rid of the extension when he renamed the file.

As usual this thread contains a majority of "tech savvy" people quite incapable of putting themselves in anybody else's shoes.

Stephen Jones
Wednesday, August 27, 2003

*  Recent Topics

*  Fog Creek Home