February 06, 2004

Zip Files and Viruses

In my last entry, I suggested that the press and security experts should condemn WinZip and Microsoft for allowing users to run executable files contained in zip files without first extracting them to a file in the file system. I also suggested that making a file executable by setting a certain file extension (.exe, .pif, .scr, and so on) is a bug in Windows that anti-virus tools should correct, and that eventually Microsoft should fix. The bug is that this allows the sender of a file, rather than the receiver, to determine whether it is executable. On Linux systems, it's always the receiver who decides if a file is executable.

Some people in the press may be catching on to this. From Paul Roberts, we get this article from InfoWorld: "ZIPs putting the zap on antivirus products." Paul is almost there. He points out that zip files are a way to protect .exe files from being blocked by email virus scanners. However, he stops short of condemning Microsoft and WinZip for making it so easy to open the .exe files inside of zip files.

Does it really make a difference if it's harder to run an executable file that comes in a zip file? What if it takes thirty seconds instead of five seconds? Does that make a difference? A friend of mine once unleashed a worm that came in an email attachment. He knows better than to do that. He just wasn't thinking when he did it, and it all happened so fast. So, yes, a "waiting period" can be effective, as it forces users to think about what they are doing before they do it.

As the article points out, while blocking .exe files in attachments is a good idea, blocking zip files is not wise, because so many other types of files are sent inside of zip files. And there are legitimate reasons to send an executable file in email (inside a zip file). It just shouldn't be so easy to run the executable file.
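
One way a mail gateway could act on this distinction, as an added example that is not part of the original post: instead of blocking every zip attachment, it lists the archive's member names and quarantines only archives that contain a file with one of the executable extensions named above. The function names, the nesting limit and the size cap are assumptions, and the sample archives are constructed in memory.

```python
import io
import posixpath
import zipfile

EXECUTABLE_EXTS = {".exe", ".pif", ".scr"}  # the extensions the post names
MAX_DEPTH = 3                  # assumed limit on archives nested in archives
MAX_NESTED_BYTES = 10_000_000  # assumed cap, so a zip bomb is not unpacked

def ext_of(name: str) -> str:
    # Windows ignores trailing dots and spaces, so "a.exe. " still runs.
    return posixpath.splitext(name.rstrip(". ").lower())[1]

def executable_members(data: bytes, depth: int = 0, prefix: str = "") -> list[str]:
    """List archive members (including nested ones) with an executable extension."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path, ext = prefix + info.filename, ext_of(info.filename)
            if ext in EXECUTABLE_EXTS:
                hits.append(path)  # names stay visible under standard zip encryption
            elif (ext == ".zip" and depth < MAX_DEPTH
                  and not info.flag_bits & 0x1  # encrypted inner zip: cannot read
                  and info.file_size <= MAX_NESTED_BYTES):
                try:
                    hits += executable_members(zf.read(info), depth + 1, path + "!")
                except zipfile.BadZipFile:
                    pass  # named .zip but not an archive
    return hits

def verdict(filename: str, data: bytes) -> str:
    """'quarantine' for executables, bare or zipped; 'deliver' otherwise."""
    if ext_of(filename) in EXECUTABLE_EXTS:
        return "quarantine"
    if zipfile.is_zipfile(io.BytesIO(data)) and executable_members(data):
        return "quarantine"
    return "deliver"

def make_zip(members: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    docs = make_zip({"report.doc": b"text", "notes/readme.txt": b"text"})
    bad = make_zip({"photo.jpg.scr": b"MZ", "inner.zip": make_zip({"x.PIF": b"MZ"})})
    print(verdict("docs.zip", docs), verdict("pics.zip", bad), executable_members(bad))
```

An encrypted or oversized inner archive cannot be inspected and is passed over here; a stricter policy could quarantine it instead.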

Posted by Doug Sauder at February 6, 2004 09:24 AM