From: Eugene Leitl (eugene.leitl@lrz.uni-muenchen.de)
Date: Tue May 09 2000 - 16:06:51 PDT
Dan Kohn writes:
> I don't believe this is correct. I've seen MSFT repeatedly criticized for
> Outlook's lack of security, but I believe it is simply targeted by the worm
> because it is so popular, and therefore there's more value to reading its
> address book than Eudora's.
While ILOVEYOU iirc doesn't exploit the "simply select to activate
attachement" hole, it is certainly there, read BUGTRAQ archives. A
mail should not know anything about the addressbook, for obvious
reasons. A mail is just plain text, after all. No one but the user
should be able do actions on addressbook entries. And certainly the OS
should have no clue about the addressbook, other than it is a
(encrypted) file.
> There was a bug several months ago in IE that caused Outlook's Preview Pane
> to render the HTML in the message, including any malicious JavaScript.
> However, if I remember correctly, Eudora was also susceptible to this, as
> was any other application that used IE to render the HTML (since IE was
> really the problem).
HTML in mail is insecure, period. People have been telling that for
years. Invisible tracer tags (which not only reveal that the mail has
been read from a certain machine at a certain time, but also reveal
your IP in realtime, if online), crasher tags, embedded, buggy
scripting languages implementations. In a corporate setting, only
trusted (by the admin, that is) users should be able to select HTML
rendering of mail. Mail should be mail: plain ASCII. Type of
attachements invocable by the individual users should be regulated, as
default, the mail gate should strip all mail attachements to any users
but trusted ones.
> I don't know if Outlook pops up a dialog box when you run a .vbs saying that
> this content may be dangerous, as it does for .exe files, post-Melissa.
> And, I don't feel the urge to find out. But, I always suspected that 99% of
> users didn't understand those messages anyway.
Indeed. Because of this, users should never be confronted with that
choice. Normal users should just have ASCII, and that's it.
> I think the most interesting aspect of the worm is how it relies on trust
> among groups of users who list each other in their address books, and the
> dominance of an OS and mail application, rather than any specific, easily
> fixable security holes in either the OS or mailer.
Dan, this is simply untrue. A mail should not be able to initiate any
kind of actions. To rich mail clients with not enough fine grained
securety model plus insane defaults are to be blamed. There are indeed
specific, fixable securety hole in OS and/or mailer. Or did you ever
hear of any *nix mail worm, i.e. a worm spreading via embedded
scripting, sending copies of itself to addressbook entries?
> In fact, other than digital signing of outgoing messages and attachments
> (and I expect I could still design a trojan that would intercept my
> passphrase and change the attachment before signing), there do not seem to
> be obvious fixes to these kind of worms.
I wonder what makes you say that. It's simply untrue.
Attitudes like these simply boggle my mind.
This archive was generated by hypermail 2b29 : Tue May 09 2000 - 16:10:52 PDT