2004-04-27
An influential newspaper columnist blames "contemptuous techies" for allowing users to fall prey to viruses and spyware. But don't some users deserve a little contempt?
Stop Being a Victim
2004-04-28
Clownface (2 replies)
Another d00zie from Mellon...
2004-04-28
Linux Sux (1 replies)
Little Gain in Finger Pointing
2004-05-03
Anonymous (1 replies)

localhost.localdomain
QUOTE
Human nature being as it is, relying on users to follow a strict protocol when dealing with incoming email[, web pages] or other Office documents via the internet is doomed to failure. Love letter from whom? The temptation to open the attachments is too great even for the most security-conscious person. To quote Mark Twain "You can fool some of the people all of the time, and all of the people some of the time ...". When presented with a dialog window with Yes/No buttons, a LOT of users click yes without even reading the dialog.
UNQUOTE
Any application used for viewing Email, web pages and documents that can invoke embedded or linked scripted code and executable code must have an obligation to safely view the content without it putting the system and user at risk from hostile code.
People in business tend to send each other emails, links to webpages and attached Microsoft Office documents all the time. It's often part of their everyday business. Sending native executables back and forth is not. Why should any such email, browser or other client viewers run an untrusted unrestricted executable?
Downloading and/or extracting and installing executables on the local system should be performed by a dedicated client. This can ensure that all the executables are pre-scanned before use and that the origin of the file is not on a hostile blacklist.
Link to this comment: http://www.securityfocus.com/comments/columns/236/26000#26000