Gmail Will Soon Block JavaScript File Attachments (androidpolice.com)
Starting February 13, 2017, Google will not allow JavaScript files to be sent as an attachment via Gmail in an effort to reduce malicious attacks. Android Police reports: Malicious emails often attach various forms of executable programs and trick users into running them. These include standard Windows executables (.exe), batch files (.bat), and even JavaScript files (.js). If you're not familiar with web development, JavaScript is a common language used when developing web applications, and JS files are often loaded as part of web pages. However, opening an unknown JS file on Windows can be dangerous, as it runs inside Windows Script Host by default. From there, the script can easily run Windows executables. While blocking .js attachments is a step in the right direction, it is unclear if any warnings will be shown when receiving emails with JS files attached. Source: G Suite Updates
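An added example, not code from the story, Android Police, or Google: a small Python attachment filter of the kind a mail gateway would apply to implement the policy described above. It parses a message with the standard library, flags attachments whose final extension is one of the types named in the summary (.exe, .bat, .js), and also looks one level inside ZIP archives, since a script inside an archive still lands on the user's desktop. The extra Windows Script Host extensions in the block list (.jse, .vbs, .vbe, .wsf, .wsh) and the sample message are this example's own assumptions, not Gmail's published rules.

```python
import io
import posixpath
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions named in the story (.exe, .bat, .js) plus the other script types that
# Windows Script Host runs by default. The extra entries are this example's assumption,
# not Gmail's published list.
BLOCKED_EXTENSIONS = {".exe", ".bat", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}


def _extension(name):
    """Return the lower-cased last suffix of a file name, so 'invoice.PDF.js' yields '.js'."""
    base = posixpath.basename(name.replace("\\", "/"))
    dot = base.rfind(".")
    return base[dot:].lower() if dot != -1 else ""


def _zip_member_names(data):
    """List member names of a ZIP archive given as bytes; non-archives yield nothing."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def blocked_attachments(raw_message):
    """Return the names of blocked attachments ('archive.zip:member' for files inside a ZIP)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if _extension(name) in BLOCKED_EXTENSIONS:
            hits.append(name)
        # Look one level inside archives. Decide by the name or by the ZIP magic bytes,
        # so an archive renamed to hide its type is still examined.
        if _extension(name) == ".zip" or payload[:4] == b"PK\x03\x04":
            for member in _zip_member_names(payload):
                if _extension(member) in BLOCKED_EXTENSIONS:
                    hits.append(f"{name}:{member}")
    return hits


def build_sample_message():
    """Constructed test message: a benign PDF, a double-extension .js, and a ZIP hiding a .js."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"WScript.Echo('constructed');", maintype="application",
                       subtype="octet-stream", filename="invoice.PDF.js")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "constructed")
        zf.writestr("docs/open_me.js", "constructed")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="archive.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in blocked_attachments(build_sample_message()):
        print("blocked:", hit)
```

The check deliberately keys on the last extension only and ignores the declared MIME type, because both the double-extension trick and a mislabeled Content-Type are exactly what the filter must survive. A password-protected ZIP still lists its member names, so the name check works there too; what it cannot see is a script inside an archive format it does not unpack, which is where a real gateway would add more unpackers or fall back to blocking the archive outright.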
WTF (Score:1)
Why did this ever work?!
Re: (Score:3)
Or if you were asking why Windows does that.. well, I guess it's just trying to remain the top platform for malware.
God forbid the default action for a script is to execute it. I mean personally I just like scripts for the bed time reading with their riveting plots and all, but I guess there's probably some people who would prefer scripts to actually do what they claim to do.
Malware unfriendliness is user unfriendliness. The weakest link is always the user, and you generally have three choices: Piss them off with frustrating defaults, bury them under an endless string of confirmation boxes, or just trust them to break t
Re: (Score:2)
> Malware unfriendliness is user unfriendliness
Really? So in your version of email utopia, people should just be able to send executable code to other people and have the code just run because any other option would be user-unfriendly? Blocking executable code is the right thing to do 99.9% of the time. Developers can bloody well use password protected zips and whatnot to share code. Boo hoo, the geek 1% is *so* inconvenienced by the dumb 99.
Re: (Score:2)
Windows Scripting Host is basically your bash + perl + awk environment, so to speak. So it IS supposed to launch executables, delete your data, break your computer, make your house catch on fire etc.
That it supports "JScript" perhaps is evil. Like it has to do with the era of ActiveX.
Re: (Score:2)
No my version of utopia is sandboxing and intelligent pre-analysis of code to determine a threat level and then react accordingly.
Unfortunately we're not in utopia, we're in a world where we can either allow a user to execute code, or get in the way of a user executing code. I'm advocating for a computer to do what the user asks. You're advocating for a walled garden made of bubblewrap to protect the user. The middle ground is code signing (you can look through history of Windows 7 and 8 articles on slashdo
Re: (Score:2)
A sensible alternative is for the default action for source code files such as these to be "edit". Running scripts could be accomplished by right-clicking on the file and selecting "Execute". Far more convenient, and far less dangerous at the same time.
Applied consistently across the board, your "sensible alternative" would have the following effect: "I just installed Calibre to put my e-books on my reader. But now when I open Calibre, instead of showing the Calibre window, Windows keeps trying to open Calibre's source code in Notepad, and it's all on one line." How would the least astonishing behavior be restored under your "sensible alternative"?
Re: (Score:2)
I think the least astonishing thing would be to treat everything as a document until *I* say it's a program. That *I* can be somewhat transitive, that is to say after I download the Calibre installer if I double click it, yes it's going to show it to me in whatever the document viewer for the mime-type suggests, for a binary or other unknown content that is probably the system's hex editor.
If that isn't what I want and I trust the thing I can say "no, this is a program" by doing something like chmod +x or right click
Re:WTF (Score:5, Informative)
Agreed. It's not 1988 anymore, so people generally shouldn't be running whatever random code somebody on the Internet sends them. It's forgivable for OSes to have lagged a bit, but by the late 1990s it's pretty fucking stupid for an OS to do that.
Those other people can easily be accommodated. After they read the script or otherwise determine that it's something they'd like to run, they can indicate to the OS when they want to run it. chmod +x or however it works for their platform.
Wait, I don't agree with you anymore. One of the things that makes my computer so friendly, is that it runs software for me, rather than for someone else (especially adversaries). Malware and users are in zero-sum: what's unfriendly for malware is friendly for the user, and vice-versa.
Yeah, and the last option is the friendliest. If someone wants to execute a script, they should totally be able to, and easily. But in such an exceptional and rare situation as wanting to treat a freshly-downloaded file as executable, they're going to have to tell the computer at least once, "This is an unusual situation. I want to execute this, rather than what I normally do 99% of the time with unvetted scripts (look at them in my editor)."
Re: (Score:1)
So the OS should block any executable that is obtained through the internet? Perfect!
By default? Um, yes?
Re: (Score:1)
"Malware and users are in zero-sum..."
I know you think this makes you seem intelligent...but it does not. Communicating clearly is a sign of intelligence, not using clever phrases incorrectly along with grammatical errors.
Re: (Score:2)
You were with me until you missed the point. Computers run software for the user. You're talking about running someone else's software? How many programs do you use on your computer right now which you alone wrote? I'm guessing you didn't write Chrome and your expectation was that when you downloaded it you were either able to simply run it, or given the option to run it, not jump through a massive amount of loops to attempt to get it started.
You lost the plot when you said users can be accommodated all the
Re: (Score:2)
she bang you?
with a strap-on?
Re: (Score:2)
I'm sure if you email yourself a bash script on your Linux machine, it'll open in a text editor or at least confirm that you want to run it.
Windows is double stupid on this since they hide file extensions by default, making it easy to fool users.
Re: (Score:2)
I'm sure if you email yourself a bash script on your Linux machine, it'll open in a text editor or at least confirm that you want to run it.
This totally isn't up to the MUA, yeah. Get a clue and realize this has nothing to do with Linux.
Re: (Score:2)
It's not up to the MUA, Outlook asks Windows what to open .js files with. Windows decides that the Windows Scripting Host is the best program to open this file with and the script gets executed. I used Linux as an example, but I'm sure other operating systems wouldn't replicate this retarded behavior, not even OSX.
Work on your reading comprehension, dolt.
Re: (Score:2)
It's not up to the MUA, Outlook asks Windows
First, you were talking about what "Linux" does
Then, you do realize that Outlook is an MUA, right? And that it *chooses* to ask Windows.
I don't see how your reply does anything other than underline my point, that it's completely up to the MUA.
And it has still nothing to do with Linux, and that's not only because it's only a kernel, but simply because there is no universally agreed upon standard on how to ask the OS with which "application" to open a file "on Linux" in the first place. (Shebang is different.)
Re: (Score:2)
You fail to see a lot of things, I'm not sure how much clearer I can make this.
When a MUA defers all its decisions to the underlying OS, it technically is making a decision, but in essence it isn't. This distinction doesn't matter if your only option is to open it the way Windows wants to open it or to not open it at all. Windows does things the wrong way, other operating systems handle this kind of situation better.
Have you heard of xdg-open? That's what many distros use. I just ran it on a shell script a
Re: (Score:2)
<)))><
Re: (Score:1)
God forbid the default action for a script is to execute it. I mean personally I just like scripts for the bed time reading with their riveting plots and all, but I guess there's probably some people who would prefer scripts to actually do what they claim to do.
As a developer, systems that remove scripts and executables are a pain in the ass. Outlook does the same, and has been the e-mail client of choice in every company I've worked for. Sending something to a colleague results in said colleague receiving the mail with the description of the code in question with "attachment removed".
At least for Outlook there is a registry key that changes this behavior, but of course you can't receive a .REG file either until you have changed the registry key, and not all devel
Re: (Score:2)
The default action for a script should be execute it. It should be determined to be a script based on the execute permission. The default create mode for a file pulled from an untrusted source (e-mail/www/etc) should not include the execute permission.
It should be up to the user to either pass it to the argument of their trusted interpreter,
$ cscript evil.js
or change the permissions on evil.js to explicitly tell the system yes, treat this as a script and use the associated interpreter. The sane model should a
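The model in the post above, written out as an added POSIX shell example (not the poster's code): a file saved from an untrusted source gets a mode with no execute bit, an "open" action on such a file only displays it, and the user has two explicit ways to run it, passing it to an interpreter by hand or approving it with chmod. The helper names, the working directory and the sample script are this example's own assumptions.

```sh
#!/bin/sh
# Added example: "the execute bit decides" policy for files of untrusted origin.
set -eu

# Scratch directory under the current directory (assumed writable); removed on exit.
WORK=$(mktemp -d "./untrusted.XXXXXX")
trap 'rm -rf "$WORK"' EXIT

# save_untrusted NAME: write stdin to $WORK/NAME with a mode that never includes
# execute, whatever the caller's umask was. Prints the saved path.
save_untrusted() {
    umask 077
    cat > "$WORK/$1"
    chmod 0600 "$WORK/$1"
    printf '%s\n' "$WORK/$1"
}

# open_file PATH: what a desktop "open" action would do under this policy.
# No execute bit: show the content. Execute bit set: run it.
open_file() {
    if [ -x "$1" ]; then
        "$1"
    else
        printf 'viewing (not executing): '
        head -c 60 "$1"
        echo
    fi
}

# approve PATH: the explicit user step that turns a document into a program.
approve() {
    chmod u+x "$1"
}

# Demonstration with a constructed script that only prints a marker.
saved=$(printf '#!/bin/sh\necho RAN\n' | save_untrusted attachment.sh)
open_file "$saved"          # viewing (not executing): #!/bin/sh ...
sh "$saved"                 # explicit interpreter: RAN
approve "$saved"
open_file "$saved"          # now executable: RAN
```

Note that `sh "$saved"` runs the file regardless of its mode, which is the point of the post: the interpreter is something the user invokes deliberately, while the execute bit is what an automatic "open" consults. A mail client that writes attachments with a mode like 0600 (or a umask that clears execute) implements the first half of this; the second half is the desktop's open action refusing to run a file it did not mark executable.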
Re: (Score:2)
The default create mode for a file pulled from an untrusted source (e-mail/www/etc) should not include the execute permission.
So precisely what I was saying. Either you make it execute or you take a user-unfriendly step.
However, I realise talking to a crowd which has no problem with typing chmod a+x script.js is like telling a bunch of gym junkies that there are people in the world who don't exercise.
Re: (Score:2)
Because most software developers do not understand security at all and are under the mistaken impression that more functionality is always better. Or in other words, because incompetent idiots implemented it.
Re: (Score:1)
Because most software developers do not understand security at all and are under the mistaken impression that more functionality is always better. Or in other words, because incompetent idiots implemented it.
Actually, it's windows that's the major problem there, not JS, JS attached to email, or anything else. Windows. You know, that super secure can't be cracked OS brought to you by that uber coder and architect, Bill Gates. Castles built on sand.
Re: (Score:3)
And windows is not made by "software developers"?
Incidentally, you are wrong. The problem is the mail-client and that is not necessarily a part of windows. Execution of mail attachments cannot be made secure and should hence never be the default.
Re: (Score:2)
Sorry, but if you feed emails automatically to the shell in Mutt on Linux, no such protection happens. Of course you would need to configure this yourself, but it is entirely possible to do. And for sure any mail-program can make a file executable after writing it to disk.
I do agree that the _mindset_ at work here is that of Windows though, but for once it is not directly the OS that is at fault. Which is rare under Windows. Indirectly, with Windows promoting stupidity and insecurity in general and hence pr
Re: (Score:2)
> Sorry, but if you feed emails automatically to the shell in Mutt on Linux, no such protection happens.
> *** Of course you would need to configure this yourself,***
> but it is entirely possible to do.
My emphasis. "Clicking on an email attachment" should ***NOT*** default to running an executable. Showing my age here, but I remember a "kinder gentler" time when WFWG (Windows For Work Groups) was not generally connected to the internet. There was no such thing as "group policy", to reconfigure an en
Re: (Score:2)
Ah, I see. Well, I never used WFWG, and I only use Windows for gaming and the occasional Word document for work. If the behavior you describe is what you were referring to, then yes, Windows is to blame as far as Outlook and all that emulate its behavior are concerned. I never thought of the email-client as something provided by the OS vendor, but you are right that for many Windows users that is the reality.
Please review the attached HTML file (Score:2)
Thank you
The end of Slashdot being for geeks (Score:1)
If you're not familiar with web development, JavaScript is a common language used when developing web applications, and JS files are often loaded as part of web pages.
Really?
Really?
Really?
Really?
Really?
Really?
Re: (Score:1)
Wrong wrong wrong wrong wrong.
Web applications can function just fine without JavaScript.
Re: (Score:2)
I agree that some web applications can work without script, particularly comment sections, forums, and the like, where the primary interaction is following links and submitting forms.
But others can't. Say you have a web-based drawing program. With JavaScript, a web application can represent your image as an SVG or a canvas, with both click and drag gestures doing what the user expects in a reasonable response time. Without JavaScript, it'd have to do all the rendering server-side, with each click activating