love worm (was RE: TBTF Log, weeks of 2000-04-23 and 2000-04-30)


From: Dan Kohn (dan@dankohn.com)
Date: Tue May 09 2000 - 00:18:50 PDT


>If you receive an email titled ILOVEYOU, don't click on it. Depending
>on how you have Outlook's preview pane set up, merely selecting the
>message can trigger the worm.

I don't believe this is correct. I've seen MSFT repeatedly criticized for
Outlook's lack of security, but I believe it is simply targeted by the worm
because it is so popular, and therefore there's more value to reading its
address book than Eudora's.

There was a bug several months ago in IE that caused Outlook's Preview Pane
to render the HTML in the message, including any malicious JavaScript.
However, if I remember correctly, Eudora was also susceptible to this, as
was any other application that used IE to render the HTML (since IE was
really the problem).

I don't know if Outlook pops up a dialog box when you run a .vbs saying that
this content may be dangerous, as it does for .exe files, post-Melissa.
And, I don't feel the urge to find out. But, I always suspected that 99% of
users didn't understand those messages anyway.

I think the most interesting aspect of the worm is how it relies on trust
among groups of users who list each other in their address books, and the
dominance of an OS and mail application, rather than any specific, easily
fixable security holes in either the OS or mailer.

In fact, other than digital signing of outgoing messages and attachments
(and I expect I could still design a trojan that would intercept my
passphrase and change the attachment before signing), there do not seem to
be obvious fixes to these kinds of worms.

                - dan

--
Daniel Kohn <mailto:dan@dankohn.com>
tel:+1-425-602-6222  fax:+1-425-602-6223
http://www.dankohn.com



This archive was generated by hypermail 2b29 : Tue May 09 2000 - 00:33:35 PDT