2009/11/12 Ian Fette (イアンフェッティ) <[email protected]>:
> 2009/11/12 Jonas Sicking <[email protected]>
>>
>> 2009/11/12 Ian Fette (イアンフェッティ) <[email protected]>:
>> > This is really getting into fantasy-land... Writing a file and hoping that
>> > the user actually opens up explorer/finder/whatever and browses to some
>> > folder deep within the profile directory, and then double clicks
>> > something?
>> > Telling a user "click here and run blah to get a pony" is so much
>> > easier.
>>
>> So first off that only addresses one of the two attacks I listed.
>>
>
> Fair
>
>>
>> But even that case I don't think is that fantasy-y. The whole point of
>> writing actual files is so that users can interact with the files,
>> right? In doing so they'll be just a double-click away from running
>> arbitrary malicious code. No warning dialogs or anything. Instead the
>
> Why do you assume this? On Windows, we can write the MotW identifier, which
> would lead to windows showing a warning. On linux, we could refuse to chmod
> +x.

Ah, don't know enough about this feature so can't really comment. All
the information I found was regarding MotW on webpages, not on
executables.

/ Jonas
