Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Google Java Communications Network Networking Privacy Security The Internet

Gmail Will Soon Block JavaScript File Attachments (androidpolice.com) 53

Starting February 13, 2017, Google will not allow JavaScript files to be sent as an attachment via Gmail in an effort to reduce malicious attacks. Android Police reports: Malicious emails often attach various forms of executable programs and trick users into running them. These include standard Windows executables (.exe), batch files (.bat), and even JavaScript files (.js). If you're not familiar with web development, JavaScript is a common language used when developing web applications, and JS files are often loaded as part of web pages. However, opening an unknown JS file on Windows can be dangerous, as it runs inside Windows Script Host by default. From there, the script can easily run Windows executables. While blocking .js attachments is a step in the right direction, it is unclear if any warnings will be shown when receiving emails with JS files attached. Source: G Suite Updates
This discussion has been archived. No new comments can be posted.

Gmail Will Soon Block JavaScript File Attachments

Comments Filter:
  • by Anonymous Coward

    Why did this ever work?!

    • Re: (Score:3, Insightful)

      by Cajun Hell ( 725246 )
      It's right there in the summary: because Windows executes the script, rather than just opening it in an editor or something like that. Or if you were asking why Windows does that.. well, I guess it's just trying to remain the top platform for malware. Microsoft doesn't want their top claim to fame to be overtaken.
      • He's asking "since when did GMail allow javascript"? Used to be that if you wanted to send some javascript source to someone else, you had to zip it with a password ir it wouldn't be allowed.
      • Or if you were asking why Windows does that.. well, I guess it's just trying to remain the top platform for malware.

        God forbid the default action for a script is to execute it. I mean personally I just like scripts for the bed time reading with their riveting plots and all, but I guess there's probably some people who would prefer scripts to actually do what they claim to do.

        Malware unfriendliness is user unfriendliness. The weakest link is always the user, and you generally have three choices: Piss them off with frustrating defaults, burry them under an endless string of confirmation boxes, or just trust them to break t

        • by Gordo_1 ( 256312 )

          > Malware unfriendliness is user unfriendliness

          Really? So in your version of email utopia, people should just be able to send executable code to other people and have the code just run because any other option would be user-unfriendly? Blocking executable code is the right thing to do 99.9% of the time. Developers can bloody well use password protected zips and whatnot to share code. Boo hoo, the geek 1% is *so* inconvenienced by the dumb 99.

          • No my version of utopia is sandboxing and intelligent pre-analysis of code to determine a threat level and then react accordingly.

            Unfortunately we're not in utopia, we're in a world where we can either allow a user to execute code, or get in the way of a user executing code. I'm advocating for a computer to do what the user asks. You're advocating for a walled garden made of bubblewrap to protect the user. The middle ground is code signing (you can look through history of Windows 7 and 8 articles on slashdo

        • Re:WTF (Score:5, Informative)

          by Cajun Hell ( 725246 ) on Wednesday January 25, 2017 @07:00PM (#53739309) Homepage Journal

          God forbid the default action for a script is to execute it.

          Agreed. It's not 1988 anymore, so people generally shouldn't be running whatever random code somebody on the Internet sends them. It's forgiveable for OSes to have lagged a bit, but by the late 1990s it's pretty fucking stupid for an OS to do that.

          I mean personally I just like scripts for the bed time reading with their riveting plots and all, but I guess there's probably some people who would prefer scripts to actually do what they claim to do.

          Those other people can easily be accomodated. After they read the script or otherwise determine that it's something they'd like to run, they can indicate to the OS when they want to run it. chmod +x or however it works for their platform.

          Malware unfriendliness is user unfriendliness.

          Wait, I don't agree with you anymore. One of the things that makes my computer so friendly, is that it runs software for me, rather than for someone else (especially adversaries). Malware and users are in zero-sum: what's unfriendly for malware is friendly for the user, and vice-versa.

          Piss them off with frustrating defaults, burry them under an endless string of confirmation boxes, or just trust them to break their computer if they so chose.

          Yeah, and the last option is the friendliest. If someone wants to execute a script, they should totally be able to, and easily. But in such an exceptional and rare situation as wanting to treat a freshly-downloaded file as executable, they're going to have to tell the computer at least once, "This is an unusual situation. I want to execute this, rather than what I normally do 99% of the time with unvetted scripts (look at them in my editor)."

          • by dfghjk ( 711126 )

            "Malware and users are in zero-sum..."

            I know you think this makes you seem intelligent...but it does not. Communicating clearly is a sign of intelligence, not using clever phrases incorrectly along with grammatical errors.

          • You were with me until you missed the point. Computers run software for the user. You're talking about running someone else's software? How many programs do you use on your computer right now which you alone wrote? I'm guessing you didn't write Chrome and your expectation was that when you downloaded it you were either able to simply run it, or given the option to run it, not jump through a massive amount of loops to attempt to get it started.

            You lost the plot when you said users can be accommodated all the

        • I'm sure if you email yourself a bash script on your Linux machine, it'll open in a text editor or at least confirm that you want to run it.

          Windows is double stupid on this since they hide file extensions by default, making it easy to fool users.

          • by fisted ( 2295862 )

            I'm sure if you email yourself a bash script on your Linux machine, it'll open in a text editor or at least confirm that you want to run it.

            This totally isn't up to the MUA, yeah. Get a clue and realize this has nothing to do with Linux.

            • It's not up to the MUA, Outlook asks Windows what to open .js files with. Windows decides that the Windows Scripting Host is the best program to open this file with and the script gets executed. I used Linux as an example, but I'm sure other operating systems wouldn't replicate this retarded behavior, not even OSX.

              Work on your reading comprehension, dolt.

              • by fisted ( 2295862 )

                It's not up to the MUA, Outlook asks Windows

                First, you were talking about what "Linux" does

                Then, you do realize that Outlook is an MUA, right? And that it *choses* to ask Windows.

                I don't see how your reply does anything than underlining my point, that it's completely up to the MUA.

                And it has still nothing to do with Linux, and that's not only because it's only a kernel, but simply because there is no universally agreed upon standard on how to ask the OS with which "application" to open a file "on Linux" in the first place. (Shebang is different.)

                • You fail to see a lot of things, I'm not sure how much clearer I can make this.

                  When a MUA defers all its decisions to the underlying OS, it technically is making a decision, but in essence it isn't. This distinction doesn't matter if your only option is to open it they way windows wants to open it or to not open it at all. Windows does things the wrong way, other operating systems handle this kind of situation better.

                  Have you heard of xdg-open? That's what many distros use. I just ran it on a shell script a

        • by Anonymous Coward

          God forbid the default action for a script is to execute it. I mean personally I just like scripts for the bed time reading with their riveting plots and all, but I guess there's probably some people who would prefer scripts to actually do what they claim to do.

          As a developer, systems that remove scripts and executables are a pain in the ass. Outlook does the same, and has been the e-mail client of choice in every company I've worked for. Sending something to a colleague results in said colleague receiving the mail with the description of the code in question with "attachment removed".

          At least for Outlook there is a registry key that changes this behavior, but of course you can't receive a .REG file either until you have changed the registry key, and not all devel

        • by DarkOx ( 621550 )

          The default action for a script should be execute it. It should be determined to be a script based on the execute permission. The default create mode for a file pulled from an untrusted source (e-mail/www/etc) should not include the execute permission.

          It should be up to the user to either pass it to the argument of their trusted interpreter,

          $cscript evil.js

          or change the permissions on evil.js to explicitly tell the system yes treat this a script and use the associated interpreter. The sane model should a

          • The default create mode for a file pulled from an untrusted source (e-mail/www/etc) should not include the execute permission.

            So precisely what I was saying. Either you make it execute or you take a user-unfriendly step.

            However, I realise talking to a crowd which has no problem with typing chmod a+x script.js is like telling a bunch of gym junkies that there are people in the world who don't exercise.

    • by gweihir ( 88907 )

      Because most software developers do not understand security at all and are under the mistaken impression that more functionality is always better. Or in other words, because incompetent idiots implemented it.

      • by Gr8Apes ( 679165 )

        Because most software developers do not understand security at all and are under the mistaken impression that more functionality is always better. Or in other words, because incompetent idiots implemented it.

        Actually, it's windows that's the major problem there, not JS, JS attached to email, or anything else. Windows. You know, that super secure can't be cracked OS brought to you by that uber coder and architect, Bill Gates. Castles built on sand.

        • by gweihir ( 88907 )

          And windows is not made by "software developers"?

          Incidentally, you are wrong. The problem is the mail-client and that is not necessarily a part of windows. Execution of mail attachments cannot be made secure and should hence never be the default.

          • by Gr8Apes ( 679165 )
            That's somewhat true, except for the fact that the mail client, also likely written by the OS vendor, is able to run a file in the core OS, and not within its own process (unlike a browser, where it is executed within the browser's process) Why is this not a problem with other OSes? Because apparently no one else is stupid enough to default execute a downloaded file with no checks. Most reasonable systems won't allow that without setting the file to executable, which, again, no reasonable client would do wi
            • by gweihir ( 88907 )

              Sorry, but if you feed emails automatically to the shell in Mutt on Linux, no such protection happens. Of course you would need to configure this yourself, but it is entirely possible to do. And for sure any mail-program can make a file executable after writing it to disk.

              I do agree that the _mindset_ at work here is that of Windows though, but for once it is not directly the OS that is at fault. Which is rare under Windows. Indirectly, with Windows promoting stupidity and insecurity in general and hence pr

              • > Sorry, but if you feed emails automatically to the shell in Mutt on Linux, no such protection happens.
                > *** Of course you would need to configure this yourself,***
                > but it is entirely possible to do.

                My emphasis. "Clicking on an email attachment" should ***NOT*** default to running an executable. Showing my age here, but I remember a "kinder gentler" time when WFWG (Windows For Work Groups) was not generally connected to the internet. There was no such thing as "group policy", to reconfigure an en

                • by gweihir ( 88907 )

                  Ah, I see. Well, I never used WFWG, and I only use Windows for gaming and the occasional Word document for work. If the behavior you describe is what you were referring to, then yes, Windows is to blame as far as Outlook and all that emulate its behavior are concerned. I never thought of the email-client as something provided by the OS vendor, but you are right that for many Windows users that is the reality.

  • data:text/html,HELLO<script>alert('BOOP!')</script>, WORLD!

    Thank you

  • by Anonymous Coward

    If you're not familiar with web development, JavaScript is a common language used when developing web applications, and JS files are often loaded as part of web pages.

    Really?

    Really?

    Really?

    Really?

    Really?

    Really?

    • by Anonymous Coward

      Wrong wrong wrong wrong wrong.

      Web applications can function just fine without javascript.

      • by tepples ( 727027 )

        I agree that some web applications can work without script, particularly comment sections, forums, and the like, where the primary interaction is following links and submitting forms.

        But others can't. Say you have a web-based drawing program. With JavaScript, a web application can represent your image as an SVG or a canvas, with both click and drag gestures doing what the user expects in a reasonable response time. Without JavaScript, it'd have to do all the rendering server-side, with each click activating

You know you've landed gear-up when it takes full power to taxi.

Working...