Re: Another confusable security hole

From: Philippe Verdy (verdy_p@wanadoo.fr)
Date: Wed Nov 02 2005 - 22:40:39 CST


    From: "Marc Bruguières" <marcbruguieres@ifrance.com>
    > Elliotte Harold:
    >> Paul Battley found an issue involving Unicode characters that look like
    >> periods used to disguise executables on Mac OS X:
    >> http://po-ru.com/articles/osx-trojan/
    >> I think if I were Apple I'd probably just ban these characters in file
    >> names.
    >
    > Which characters? Different from those that ICANN will want to ban? How
    > many ways of plugging the holes? Shouldn't this be solved *as much as
    > possible* in Unicode, rather? It looks like there are more and more
    > confusables being encoded (for example Ancient Greek Musical Signs,
    > Arabic diacritics, etc.).

    For Apple, it is simple to solve: it just needs to signal, along with every
    icon, whether this is really a safe thumbnail or a runnable bundled
    application (a directory with a hidden ".add" extension, or with an
    executable resource fork). I think that any email agent for Mac should
    perform this check without problem, including Safari and Firefox (and I'm
    quite sure that a patch is available if there are old versions that still
    don't have it).

    So Apple does not need to ban this character from filenames even if it
    disguises an apparently innocuous extension like ".jpg" with a pseudo-dot,
    and even if files have multiple extensions with regular ASCII dots (there
    are many such files on Mac, if you just consider how often version numbers,
    dates, other numbers, abbreviations and people's names are present in
    explicit names).
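    The check the message argues for, as an added illustration that is not part
    of the original post, the cited article, or any Apple code: classify a
    filename by the extension the OS actually uses rather than by what a person
    reads, and report separately any characters that merely look like a full
    stop. The confusable table, the sets of "executable" and "document"
    extensions, the sample names and the simulated extension-hiding file browser
    are all assumptions made for the example; real confusable data is far larger
    than the handful of code points listed here.

```python
import unicodedata

# Constructed, partial list of code points that render much like U+002E FULL STOP.
# An illustration only, not a complete confusables table.
DOT_CONFUSABLES = {
    "\u00b7",  # MIDDLE DOT
    "\u2024",  # ONE DOT LEADER (NFKC-folds to '.')
    "\u2219",  # BULLET OPERATOR
    "\u3002",  # IDEOGRAPHIC FULL STOP
    "\ufe52",  # SMALL FULL STOP (NFKC-folds to '.')
    "\uff0e",  # FULLWIDTH FULL STOP (NFKC-folds to '.')
}

# Assumed for this example: extensions that mark a runnable bundle or script,
# which a file browser may also hide from the displayed name.
EXECUTABLE_EXTENSIONS = {"app", "command", "pkg", "sh"}
# Assumed for this example: extensions a user reads as "just a document".
DOCUMENT_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "mov", "doc"}


def looks_like_dot(ch: str) -> bool:
    """True for a character that is not '.' but could be mistaken for it."""
    if ch == ".":
        return False
    return ch in DOT_CONFUSABLES or unicodedata.normalize("NFKC", ch) == "."


def pseudo_dots(name: str) -> list:
    """Positions and code points of dot look-alikes in a filename."""
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(name) if looks_like_dot(c)]


def real_extension(name: str) -> str:
    """The extension the OS actually uses: text after the last ASCII '.'."""
    stem, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def displayed_name(name: str) -> str:
    """Simulate a file browser that hides an executable bundle's extension."""
    if real_extension(name) in EXECUTABLE_EXTENSIONS:
        return name.rpartition(".")[0]
    return name


def apparent_extension(name: str) -> str:
    """What a user reads as the extension once look-alike dots are folded to '.'."""
    shown = "".join("." if looks_like_dot(c) else c for c in displayed_name(name))
    return real_extension(shown)


def analyse(name: str) -> dict:
    """Classify a filename the way an icon-labelling check could."""
    real = real_extension(name)
    apparent = apparent_extension(name)
    executable = real in EXECUTABLE_EXTENSIONS
    return {
        "real_extension": real,
        "apparent_extension": apparent,
        "pseudo_dots": pseudo_dots(name),
        "executable": executable,
        # Suspicious only when the real type is runnable but the visible name
        # reads as a document; multi-dot names carrying dates or versions pass.
        "suspicious": executable and apparent in DOCUMENT_EXTENSIONS,
    }


if __name__ == "__main__":
    # Constructed sample names for the demonstration.
    for sample in (
        "holiday.jpg",
        "holiday\u2024jpg.app",
        "holiday.jpg.app",
        "report-2005.11.02.app",
    ):
        print(repr(sample), analyse(sample))
```

    The "executable" flag is what an icon label would be driven by; it depends
    only on the real extension, so it is unaffected by how many dots, real or
    pseudo, precede it. The "suspicious" flag is the narrower heuristic for a
    mail client or browser: a runnable type whose visible name reads as a
    document. A name like "report-2005.11.02.app" is runnable but not
    suspicious, which is the multi-extension case the message says must keep
    working.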



    This archive was generated by hypermail 2.1.5 : Wed Nov 02 2005 - 22:43:24 CST