Untrusted File Risks
This cluster focuses on the security dangers of opening files from untrusted sources, such as embedded malware in documents, zips, images, and other formats, with debates comparing risks to direct executable downloads and calls for safer practices like sandboxing or avoiding proprietary software.
Sample Comments
Remind me why it's more "insecure" than downloading a zip from a website and blindly running an executable inside it?
exactly. the lesson could even be "don't open * from anyone, especially strangers." you can get code to execute in all sorts of presumably innocuous file types.
That sounds like a terrible idea - especially if you don't know if you can trust the source of the file.
This is a neat hack, but is there a practical use case here for everyday software developers? I sincerely hope that even novice users have better sense than to download a text file from a web site, find a sketchy ZIP file inside the text file, and then follow directions in the text file. It's like downloading a movie from a sketchy web site and in the package you see a RunMe.exe file. The whole thing reeks of red flags that should tell even moderately sophisticated users "This is malwa
If you opened it in LibreOffice still same vulnerability? I usually at least try VMs if dealing with something potentially unsafe ha.
How is this any less secure than handing the customer a zip file containing arbitrary binary files and asking them to execute them with admin privileges?
Yes, but on the other hand it's a good reminder for everyone processing user-provided files to sanity check or convert them to a canonical format in a sandboxed and resource-limited process.
or: don't open proprietary formats from strangers in proprietary operating systems, especially outside of virtual machines/containers
He's worried about embedded viruses in .doc files but has no qualms about adding tracking code to .html!?
No. It’s safer to download the file, inspect it manually, and then run it.