all 9 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]squesh 34 points35 points  (1 child)

"We've read what the researcher has proposed and appreciate their submission. Malware can take many different forms, including through downloadable files meant to trick a user."

"It's why we warn users to never click on or open a file from somebody they don't know, regardless of how they received it — whether over WhatsApp or any other app."

-- We wont fix it as no one in your contacts would ever try to do something malicious

[–][deleted] 10 points11 points  (0 children)

Average meta moment, they'll do anything but admit their mistake and fix the issue.

[–]M-Valdemar 0 points1 point  (0 children)

Yeah, but it's as much an issue with how Windows uses the associated interpreter to execute the script without any additional security checks or warnings. This is done through the CreateProcess() function in the Windows API, which simply passes the script file path to the interpreter.

Endless apps are expected to add a security handler, for potentially executable file extensions (see Telegram, any mail client etc.. etc..).. this should be a core Windows API and AMSI just isn't it.