AlexanderK
New member
Status: New idea

Dear Mozilla Team, the past has shown that not all users are always aware of the risk posed by attachments.
A significant attack vector is wrongly labeled attachments (wrong file extension).
You can still rename a virus.exe to readme.pdf and it is shown with a PDF symbol in Thunderbird.
(Yes, you could find some add-ons, but most Thunderbird users do not have them; it needs to be built in.)
It would be easy to check whether the magic number (first 4 bytes) matches the extension, at least for the top ten dangerous file types (e.g. EXE, PDF, ZIP, COM, BAT, CMD, MSI, etc.) plus the most often used ones (e.g. JPG, MP3, etc.). I don't suggest implementing the full Linux "file" database, but recognizing the most important kinds. Any time the extension is misleading, it should be blocked or warning-fenced. Of course it should be possible to disable this in settings, but I cannot imagine a case where someone would be unhappy about this hint, especially among the 99.99% of users who do not like virus infections or ransomware on their computer. A tool that is intended to be used by everyone should consider everyone using it (and prevent dangerous "presents"). Sometimes it's only a wrong click by someone in a hurry...

Thanks for reading.

5 Comments
Status changed to: New idea
Jon
Community Manager

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.

MattAuSupport
Familiar face

Just to see what would happen, I renamed an image file that would normally open in Photos to a PDF. Then I attached and emailed it to myself. This is what I got when I tried to open it.

MattAuSupport_0-1704682555140.png

I am sure it will have exactly the same issue with anything not a PDF.

So because I was on a roll, I tried renaming an EXE as an image and sending it through Google. This was the result:

MattAuSupport_1-1704683040705.png

So I tried opening the attachment from my draft and got the following.

MattAuSupport_2-1704683116358.png

So I can't send the EXE, and if it arrives as an image, Photos can't open it.

I think the truth is Windows has largely closed that gap in their launch methodologies since Windows XP, and as Thunderbird uses media types to identify the application to launch the attachment, it becomes even more problematical.

I can see how having Thunderbird examine the content when attaching to determine the media type, instead of relying on the host system to identify the media type, would be a good idea. But I doubt there are significant security issues in not doing so.

AlexanderK
New member

A list of magic numbers for file headers can be found here:
https://en.wikipedia.org/wiki/List_of_file_signatures

Linux/POSIX "#!" scripts and ELF executables ("ELFMAG") should be included. Windows default scripts (.bat + .cmd) have no magic number (and could be ignored in the first implementation).

The comparison should be bi-directional, meaning: e.g. a .pdf file without "%PDF-", or a file with "%PDF-" but an extension other than .PDF or .pdf, should be considered strange/dangerous.
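
The bi-directional comparison described in the comment above, sketched as an added example; it is not part of the original post and is not Thunderbird code. The signature table is a small subset of the linked list, the sample byte strings are constructed, and `checkAttachment` with its verdict names is hypothetical.

```javascript
// Small constructed subset of file signatures; .bat/.cmd are absent because
// they have no magic number, as the comment above notes.
const SIGNATURES = [
  { type: "exe", magic: [0x4d, 0x5a], exts: ["exe", "dll", "scr"], executable: true },
  { type: "elf", magic: [0x7f, 0x45, 0x4c, 0x46], exts: ["elf", "so"], executable: true },
  { type: "script", magic: [0x23, 0x21], exts: ["sh", "bash"], executable: true },
  { type: "pdf", magic: [0x25, 0x50, 0x44, 0x46, 0x2d], exts: ["pdf"] },
  { type: "zip", magic: [0x50, 0x4b, 0x03, 0x04], exts: ["zip", "docx", "xlsx"] },
  { type: "jpg", magic: [0xff, 0xd8, 0xff], exts: ["jpg", "jpeg"] },
  { type: "png", magic: [0x89, 0x50, 0x4e, 0x47], exts: ["png"] },
];

// Only the last extension counts, so "invoice.pdf.exe" is treated as "exe".
function extensionOf(filename) {
  const dot = filename.lastIndexOf(".");
  return dot < 0 ? "" : filename.slice(dot + 1).toLowerCase();
}

function startsWith(bytes, magic) {
  return bytes.length >= magic.length && magic.every((b, i) => bytes[i] === b);
}

// Compare what the content says it is with what the extension claims.
function checkAttachment(filename, bytes) {
  const ext = extensionOf(filename);
  const detected = SIGNATURES.find((s) => startsWith(bytes, s.magic)) || null;
  const claimed = SIGNATURES.find((s) => s.exts.includes(ext)) || null;
  let verdict;
  if (!detected && !claimed) verdict = "unknown"; // outside the table: no opinion
  else if (detected === claimed) verdict = "ok";  // content and extension agree
  else verdict = "mismatch";                      // disagreement in either direction
  return {
    verdict,
    detected: detected ? detected.type : null,
    claimed: claimed ? claimed.type : null,
    executable: Boolean(detected && detected.executable),
  };
}

// Constructed sample input: the leading bytes of each attachment.
const bytesOf = (s) => Uint8Array.from(s, (c) => c.charCodeAt(0));
console.log(checkAttachment("readme.pdf", bytesOf("MZ\x90\x00\x03")));   // EXE renamed to PDF
console.log(checkAttachment("document.zip", bytesOf("%PDF-1.7\n")));     // PDF renamed to ZIP
console.log(checkAttachment("scan.pdf", bytesOf("plain text")));         // .pdf without "%PDF-"
```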

AlexanderK
New member

Hi MattAuSupport,

The decision to block .exe files depends on the mail server, not Thunderbird, and depends on your mail provider or the admin of your company/organization, and therefore depends on random luck.

The Adobe Reader message depends on the tool you use to open the file, which in Windows only depends on the file extension, and later on the individual implementation of whatever tool you decided to handle such files. The consequences are somehow again random luck.

If you get an executable file (.exe, .elf, .bash, etc.) and your mail server did not block it (I think only exe is often blocked), then it would be started in e.g. Windows using the start.exe (Windows internal) to decide what to do, and it would be sent (without further question) to another tool (tool = OS in the case of Windows getting an .exe).

Regards, Alexander

AlexanderK
New member

AlexanderK_0-1704723811002.png

Windows 10 + Thunderbird 115.6.0 (up to date) present the wrong file (originally a PDF) as ZIP (by extension), not by "media types" as you suggest. At least the misleading symbol could cause someone to be misled.