Secure Coding mailing list archives

Re: Hypothetical design question


From: Andreas Saurwein <saurwein () uniwares com>
Date: Wed, 28 Jan 2004 21:07:46 +0000


At 28/1/2004 14:05 Wednesday, you wrote:

On 1/27/04 10:20 PM, "Andreas Saurwein" <[EMAIL PROTECTED]> wrote:
It's the client which OFFERS this functionality as a feature for the user.
So, instead of needing to save the attachment to disk and executing it from
there as you would do with any other application (and where control is
possible), you just click on a feature provided by the email client and,
bang, there goes your system.

I disagree. I don't think there is *more* control if you save to disk and
execute versus clicking an attachment in email. The two are exactly the
same. Clicking the attachment in the email client is basically a macro. It
saves to a temporary file, then executes the temporary file. The result is
exactly the same as if the user saved the attachment to a file and then
clicked on the file they made.  Any controls possible in one context are
possible in the other. The problem is the OS: there are very few controls
available.


When you take for example a properly set up NTFS installation, then the 
user does not have execute permission in folders where he has write 
permissions. So, saving an executable to disk WILL prevent it from being executed.
On the other hand, a file which is executed from the mail client is 
probably written to the default temp folder, which in 99% of all cases HAS 
execute permissions because otherwise ActiveX (when we talk about Windows 
and OE/IE here) controls would not run after downloading.

For Power Users or admins the story is of course completely different.

Andreas 
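
The NTFS setup described in the message above (no execute permission where the user can write) can be checked per folder from the ACL. The following is an added example, not part of the original message; the function name `Test-WriteAndExecute` and the choice of the two sample folders are assumptions made for illustration.

```powershell
# Added example. Test-WriteAndExecute is a hypothetical helper name.
# Approximation: sums allow/deny ACEs for the SIDs in the caller's token;
# it does not model ACE ordering, CREATOR OWNER ACEs, or generic-rights ACEs.
function Test-WriteAndExecute {
    param([Parameter(Mandatory)][string]$Path)

    $id    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids  = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    $rights      = [System.Security.AccessControl.FileSystemRights]
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
    $toFiles     = [int][System.Security.AccessControl.InheritanceFlags]::ObjectInherit
    $dirAllow = 0; $dirDeny = 0; $fileAllow = 0; $fileDeny = 0

    foreach ($rule in $rules) {
        if ($sids -notcontains $rule.IdentityReference.Value) { continue }
        $mask  = [int]$rule.FileSystemRights
        $allow = $rule.AccessControlType -eq 'Allow'
        # The ACE governs the folder itself unless it is marked InheritOnly.
        if (([int]$rule.PropagationFlags -band $inheritOnly) -eq 0) {
            if ($allow) { $dirAllow = $dirAllow -bor $mask } else { $dirDeny = $dirDeny -bor $mask }
        }
        # Only ObjectInherit ACEs are copied onto files created in the folder.
        if (([int]$rule.InheritanceFlags -band $toFiles) -ne 0) {
            if ($allow) { $fileAllow = $fileAllow -bor $mask } else { $fileDeny = $fileDeny -bor $mask }
        }
    }

    $canCreate = (($dirAllow -band (-bnot $dirDeny)) -band [int]($rights::CreateFiles)) -ne 0
    $canRun    = (($fileAllow -band (-bnot $fileDeny)) -band [int]($rights::ExecuteFile)) -ne 0
    [pscustomobject]@{
        Path               = $Path
        CanCreateFiles     = $canCreate
        NewFilesExecutable = $canRun
        WriteAndExecute    = $canCreate -and $canRun
    }
}

# The two locations the message contrasts: the temp folder and a save folder.
Test-WriteAndExecute $env:TEMP
Test-WriteAndExecute ([Environment]::GetFolderPath('MyDocuments'))
```

A folder reporting `WriteAndExecute = True` is one where a saved or temp-written attachment can be launched by the same user.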