Is Outlook Express immune to this or does it execute VB script too?
If you have VBS installed (Windows Scripting Host) and you execute the attachment you will be in big trouble. This applies to all Windows mailers, whether it be Eudora or Communicator or whatever. AFAIK, the only mailer that automatically executes VBS is Outlook.

The real culprit here is the power that Microsoft apps (Outlook in particular) give to VB Script. On the one hand, it's nice that Microsoft gives companies workflow management capabilities over e-mail through the use of a generic scripting service (VBS lets you do some pretty neat things with client-side scripting). On the other hand, this is way too much power to be providing to an Internet-connected user base. The Java sandbox model is much more appropriate for that specific context, given that the basic (non-NT) Windows PC doesn't have any concept of system security. Even JavaScript is much less harmful, but that's mostly because it has a fairly limited command structure, not because it's inherently "more secure."

I think that Microsoft really needs to evaluate their security model for mail in general. The simplest approach would be to do Zones like they have for Web content, where mails from certain sites are "trusted" and mails from other sites have varying degrees of distrust. Determining "trust" with e-mail is hard though. Do I "trust" somebody in my Address Book, even though that's where most of these viruses are coming from?

Maybe users should disable whatever Scripting Host services they have installed. This isn't entirely possible since a lot of Microsoft apps and services depend on Windows Scripting Host in order for them to even function (the Windows Update service requires it, for example). Obviously not everybody can do this. Firewall filters that cull VBS attachments are another option, but of course the same problems show up with EXE attachments (or with LNK attachments as we saw with Eudora last week).

AppleScript attachments for Mac users could easily be just as deadly given the access they have. The only reason they're relatively safe is that nobody wants to waste time writing scripts that only affect 10% of the user base. And of course, any of the Unix mailers will gladly accept malicious attachments too, so as a platform it's certainly no safer (although if you're running a limited-rights account you won't be able to do as much damage by running an untested attachment than if you run a highly privileged account; I'm sure nobody here does that, right?). It's just very hard to make e-mail secure, unless you're doing virus scans on every message at every way-station. In the meantime, don't open unknown attachments, and don't run Outlook.

-- Eric A. Hall ehall@ehsco.com +1-650-685-0557 http://www.ehsco.com
"Eric A. Hall" wrote:
Is Outlook Express immune to this or does it execute VB script too?
If you have VBS installed (Windows Scripting Host) and you execute the attachment you will be in big trouble. This applies to all Windows mailers, whether it be Eudora or Communicator or whatever. AFAIK, the only mailer that automatically executes VBS is Outlook.
Many mail programs (including Netscape Communicator) have no VBS support in them, so they cannot execute viruses like this one.

Netscape Communicator has another feature which is especially good for fighting e-mail viruses. It is impossible to execute an executable attachment (VBS, EXE, whatever) directly from a mail message, news message or web page. The user must explicitly save the attachment to disk and execute it by hand. This eliminates all the cases of people accidentally executing attachments, thinking that they are actually document files of some kind.

I don't know if Eudora has similar safeguards or not. I have not used it.

I know that Microsoft's mail programs (Outlook and Outlook Express) are both lacking in such safeguards. It is possible for these programs to launch executable attachments. They can also auto-launch them when the message is opened. One of them (I think Outlook) can also auto-launch attachments when the message is selected (and displayed in the preview window) and not even opened. This is a _BIG_ security hole that Microsoft has not fixed, despite other viruses (like Melissa) which have already taken advantage of it.

-- David
Many mail programs (including Netscape Communicator) have no VBS support in them, so they cannot execute viruses like this one.
Netscape relies on MIME type mappings. If there's a type defined (which there is if you have Windows Scripting Host installed) then it's an executable attachment. Right-click, "open in new window."
Netscape Communicator has another feature which is especially good for fighting e-mail viruses. It is impossible to execute an executable attachment (VBS, EXE, whatever) directly from a mail message, news message or web page. The user must explicitly save the attachment to disk and execute it by hand.
See the attached screen shot. You would have to be an idiot to proceed past that, but that in itself is not much. You can idiot-proof all you want, but as my brother says "They can always make a better idiot." Whatever. It is easy to launch VBS from within Netscape.

-- Eric A. Hall ehall@ehsco.com +1-650-685-0557 http://www.ehsco.com
[ On Thursday, May 4, 2000 at 18:56:15 (-0400), David Charlap wrote: ]
Subject: Re: Virus Update
Many mail programs (including Netscape Communicator) have no VBS support in them, so they cannot execute viruses like this one.
Well I don't know about NS and such, but I do know that the relative size of the impact of this particular virus was both predicted, and is due almost entirely to the business practices of Microsoft and the sometimes sheep-like user-base they've fooled into following them to wherever Bill wants to go today....

-- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
At 06:56 PM 5/4/00 -0400, David Charlap wrote:
One of them (I think Outlook) can also auto-launch attachments when the message is selected (and displayed in the preview window) and not even opened. This is a _BIG_ security hole that Microsoft has not fixed, despite other viruses (like Melissa) which have already taken advantage of it.
There are instructions for disabling ActiveScripting in Outlook on the MS website. It's enabled by default. That'll stop the attachments from being auto-executed. Remember, according to their TV ads, MS exists to help the consumer!

"Microsoft is not a monopoly!" - Bill Gates
"HA!" - Judge Jackson

Dean Robb Owner, PC-EASY (757) 495-EASY [3279] On-site computer services Member, ICANN @Large
Apparently, this is just another example where M$ ignored reports of the security vulnerability for years, and now everyone else has to pay. Lloyd's of London is estimating the cost at $8,000,000,000 and rising. There's a report of another security hole that Netscape fixed years ago, but still exists in Outlook: http://news.cnet.com/news/0-1005-200-1820959.html Are any of our bigger ISPs willing to initiate a class action to recover the costs? Dean Robb wrote:
At 06:56 PM 5/4/00 -0400, David Charlap wrote:
One of them (I think Outlook) can also auto-launch attachments when the message is selected (and displayed in the preview window) and not even opened. This is a _BIG_ security hole that Microsoft has not fixed, despite other viruses (like Melissa) which have already taken advantage of it.
There are instructions for disabling ActiveScripting in Outlook on the MS website. It's enabled by default. That'll stop the attachments from being auto-executed. Remember, according to their TV ads, MS exists to help the consumer!
WSimpson@UMich.edu Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
On Tue, May 09, 2000 at 10:56:33AM -0400, William Allen Simpson wrote:
Apparently, this is just another example where M$ ignored reports of the security vulnerability for years, and now everyone else has to pay. Lloyd's of London is estimating the cost at $8,000,000,000 and rising.
actually, i don't think this is strictly microsoft's fault. the companies that "lost" that $8,000,000,000 are responsible for their own actions. they ignored the vulnerability reports as well. how long would they keep a voice mail system that automatically dialed the return number, regardless of local or long distance charges? one would hope that incidents like this would help educate the decision makers, but, alas, they are just sheep being gobbled up by the microsoft wolf.

-- [ Jim Mercer jim@reptiles.org +1 416 506-0654 ] [ Reptilian Research -- Longer Life through Colder Blood ] [ Don't be fooled by cheap Finnish imitations; BSD is the One True Code. ]
Jim Mercer wrote:
actually, i don't think this is strictly microsoft's fault.
the companies that "lost" that $8,000,000,000 are responsible for their own actions. they ignored the vulnerability reports as well.
I don't accept this argument. You are saying that we need to sue our customers for using a faulty product, rather than the vendor of the faulty product. My understanding of product liability doesn't jibe with that illogic. Very few customers follow security digests, and fewer have the resources to enforce installation of patches and non-default setup. The product is functioning as delivered. The only recourse for our customers would have been to use a non-M$ product. M$ has been using a monopoly position to leverage Internet services. While we encourage our customers to use better products, time and time again, we find that they install M$ anyway. Their accounting runs on 98+NT, their patient record system runs on 98+NT, heck, their constituent mail tracking package runs on 98+NT.... They use NT for "firewall", NAT, etc.
how long would they keep a voice mail system that automatically dialed the return number, regardless of local or long distance charges?
Speaking from past experience, they would keep a Rolm PBX that fails to record such things -- because it's too expensive to replace the system in lost time and business -- then sue Rolm for the consequential damages (resulting in near bankruptcy for Rolm, which was bailed out by IBM). But, this case is even worse, the equivalent of incurring a long-distance conference call to every previous caller, upon picking up the phone without dialing anything!
one would hope that incidents like this would help educate the decision makers, but, alas, they are just sheep being gobbled up by the microsoft wolf.
Your BSD signature reveals your bias. While I may agree with the sentiment, suing our customers for ignorance would likely be counter-productive for regaining lost revenues....

WSimpson@UMich.edu Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
On Tue, May 09, 2000 at 12:24:23PM -0400, William Allen Simpson wrote:
Jim Mercer wrote:
the companies that "lost" that $8,000,000,000 are responsible for their own actions. they ignored the vulnerability reports as well.
I don't accept this argument. You are saying that we need to sue our customers for using a faulty product, rather than the vendor of the faulty product. My understanding of product liability doesn't jibe with that illogic.
nope, you need to eat the loss. the product is not faulty. the product works as designed. it may be a poor design, but it is fairly evident that it works as intended. why blame your customers, or anyone else for that matter, if your email system executed the enclosed virus? if your email system didn't execute the virus, what exactly represents the loss that you would sue for?
The only recourse for our customers would have been to use a non-M$ product. M$ has been using a monopoly position to leverage Internet services.
M$ has a monopoly because big business (and a large number of consultants) do not have the guts to migrate their systems away from M$.
While we encourage our customers to use better products, time and time again, we find that they install M$ anyway. Their accounting runs on 98+NT, their patient record system runs on 98+NT, heck, their constituent mail tracking package runs on 98+NT.... They use NT for "firewall", NAT, etc.
yep, and when they whine and complain about all the money they "lost" because they used those products, it is their own problem. i have no sympathy for them or their "loss".
how long would they keep a voice mail system that automatically dialed the return number, regardless of local or long distance charges?
Speaking from past experience, they would keep a Rolm PBX that fails to record such things -- because it's too expensive to replace the system in lost time and business -- then sue Rolm for the consequential damages (resulting in near bankruptcy for Rolm, which was bailed out by IBM).
But, this case is even worse, the equivalent of incurring a long-distance conference call to every previous caller, upon picking up the phone without dialing anything!
but if they bought the phone system because they thought this "feature" was useful, then they have no grounds to sue.
While I may agree with the sentiment, suing our customers for ignorance would likely be counter-productive for regaining lost revenues....
the best way to regain lost revenues is not to "lose" them in the first place.

-- [ Jim Mercer jim@reptiles.org +1 416 506-0654 ] [ Reptilian Research -- Longer Life through Colder Blood ] [ Don't be fooled by cheap Finnish imitations; BSD is the One True Code. ]
Let me first point out that I do not know what exact service or product Mr. Simpson offers to his clients and whether or not he's posing an academic or real argument here, but I'd like the reader to assume that I'm treating this as a mostly academic argument.... [ On Tuesday, May 9, 2000 at 12:24:23 (-0400), William Allen Simpson wrote: ]
Subject: Re: product liability (was: Virus Update)
I don't accept this argument. You are saying that we need to sue our customers for using a faulty product, rather than the vendor of the faulty product. My understanding of product liability doesn't jibe with that illogic.
Wait a minute here -- you're saying that you've suffered as much or more than your customers have? Why is that? Did you somehow accept responsibility for their actions by virtue of selling them your own product? Or did your offering somehow imply or otherwise indicate that your customers were required to run M$ software and if so did you not then assume the responsibility to educate your customers as to the potential pitfalls of running M$ software?

Personally speaking I don't have a whole lot of sympathy for anyone whose business it is to sell e-mail services or anything related if their systems are somehow damaged in some measurable way due to an event like this. I am very sorry if anyone's systems might have suffered such damages in an event like this, but in the end it is their responsibility to accept the risks that the load on their systems might skyrocket for any number of reasons, such as the distribution of an e-mail based virus, and it is their responsibility to deal with those risks appropriately. In this case neither M$, nor their customers, are at fault for any damages suffered by the service operator so far as I can see.
Very few customers follow security digests, and fewer have the resources to enforce installation of patches and non-default setup. The product is functioning as delivered.
True enough, unfortunately. However the folks in this forum though should be at least peripherally aware of the security-related forums and perhaps in many circumstances they should be made responsible for making sure their customers are in fact practising safe computing and networking. Let us not forget that this is a true Internet still and that network operators are indeed responsible in part for the activities of their customers, at least so far as those activities can impose upon the ability of other network operators and their customers to use this Internet.
The only recourse for our customers would have been to use a non-M$ product. M$ has been using a monopoly position to leverage Internet services.
Yes, absolutely. Obviously.
While we encourage our customers to use better products, time and time again, we find that they install M$ anyway. Their accounting runs on 98+NT, their patient record system runs on 98+NT, heck, their constituent mail tracking package runs on 98+NT.... They use NT for "firewall", NAT, etc.
OK, so you're saying you didn't ship any M$ software to your customers as part of your own product offering? If so then that's wise and good. On the other hand ISPs, in particular, who ship M$ software as a bundled part of their product offering are indeed very strongly encouraging their customers to use M$ software and are indeed aiding and abetting M$ at furthering their goal of maintaining a monopoly control over desktop software, regardless of whether they're aware they are doing so or indeed whether or not they were coerced into doing so.
one would hope that incidents like this would help educate the decision makers, but, alas, they are just sheep being gobbled up by the microsoft wolf.
Your BSD signature reveals your bias.
I don't think that it's necessary for you to apologise indirectly in the way that you seem to be doing for M$'s faults by pointing out which side of the fence anyone's sitting on at this point. At least that's how your comment appears to me, regardless of which side of the fence you're actually on.
While I may agree with the sentiment, suing our customers for ignorance would likely be counter-productive for regaining lost revenues....
Indeed. Seems that some people aren't beyond doing that kind of thing though! ;-)

-- Greg A. Woods +1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods> Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
all of this browbeating, chest thumping and popular lambasting of microsoft is a socialist sham. stop using legal action brought by penny ante pretender companies crying at their inability to leverage their products as a justification for a microsoft jihad. microsoft doesn't hold a gun to anyone's head, microsoft seems to provide patches for their software when bugs are found. and this is off topic, so i will stop. it's just hard not to vomit at this bandwagon ignorance.

BR
On Tue, 9 May 2000, brad reynolds wrote:
microsoft doesn't hold a gun to anyone's head, microsoft seems to provide patches for their software when bugs are found.
Yes, they certainly do 'provide patches for their software when bugs are found'. The page below details how long it took Microsoft to fix a simple web page of theirs after a bug was found in it: http://www.uq.edu.au/~suter/microsoft/

--==-- Bruce.
brad reynolds wrote:
microsoft doesn't hold a gun to anyone's head, microsoft seems to provide patches for their software when bugs are found.
I find that in general this is true. However, what makes MS Internet client software dangerous is not bugginess (most of the time) but instead MS's stubborn refusal to admit that there are certain basic security procedures that software authors should follow to help ensure safe surfing for their users. That having been said, I agree with Brad that all the talk about lawsuits is pointless.
and this is off topic, so i will stop.
and this is the only thing I will post on this topic.

-- North Shore Technologies, Cleveland, OH http://NorthShoreTechnologies.net Steve Sobol, BOFH - President, Chief Website Architect and Janitor Spammers and Net-abusers: Don't bother asking me for service. See http://NorthShoreTechnologies.net/go/policy/ for my opinion on abusive actions.
On Tue, 09 May 2000 19:16:52 EDT, brad reynolds <brad@cow.org> said:
microsoft doesn't hold a gun to anyone's head, microsoft seems to provide patches for their software when bugs are found.
The problem is not that they provide or don't provide patches when a bug is found. The problem is that although the MIME working group *SAW* the danger of executable attachments in 1991, a decade later, we still have software that ignores the specific recommendations the original MIME spec made (namely, the default setting is to allow execution).

The biggest problem is that although it can be a pain in some assorted body parts to fix a bug in the implementation of a secure design, the pain of trying to patch a broken design is worse - that's just simple Software Design 101. The earlier in the design cycle a problem is found, the easier it is to fix. Case in point: How many Java security bugs have there been? And how many JavaScript security bugs? Which package was designed from the ground up to be secure and sand-box-able?

In today's Internet, there is no excuse for trying to substitute patch-upon-patch as a valid security model instead of starting from a known secure design. No Excuse. None. Zip.

And for the record, a federal court judge has ruled that Microsoft *did* in fact hold a gun to somebody's head. That's what the entire anti-trust suit was about....

We now return you to your regularly scheduled backhoe or misconfigured router incident....

Valdis Kletnieks Operating Systems Analyst Virginia Tech
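The gateway-side filter Eric Hall mentions earlier in the thread (culling VBS, EXE and LNK attachments) and Valdis's point that a client acts on the attachment rather than on what the MIME headers promise are illustrated by the following added example, which is not code from anyone in the thread: a Python check that parses a constructed message and flags attachments by the filename extension a Windows client would hand to a script host or loader, deliberately ignoring the declared Content-Type. The extension list and the sample message are assumptions.

```python
"""Added example (not from the thread): a mail-gateway check that flags attachments
a Windows client would execute when "opened", whatever Content-Type is declared.
The extension list and the sample message are constructed assumptions."""
import email
from email import policy
from email.message import EmailMessage
from typing import List

# Extensions that Windows "opens" by executing.  Assumption: an illustrative
# starting list, not an exhaustive one.
EXECUTABLE_EXTENSIONS = {
    "vbs", "vbe", "js", "jse", "wsf", "wsh",   # Windows Scripting Host
    "exe", "com", "bat", "cmd", "pif", "scr",  # native programs / shell
    "lnk",                                     # shortcut (the Eudora case)
}


def executable_extension(filename: str) -> str:
    """Return the extension Windows would act on, or '' if it is not executable.

    Only the final extension counts, so 'readme.txt.vbs' is a .vbs file even
    though a client that hides known extensions displays it as 'readme.txt'.
    Trailing dots and spaces are dropped, as Windows itself drops them."""
    name = filename.strip().rstrip(". ")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext if ext in EXECUTABLE_EXTENSIONS else ""


def executable_attachment_names(raw_message: bytes) -> List[str]:
    """Parse a raw RFC 822 message and list the attachments that would execute.

    The decision is made on the filename, not the declared MIME type: a mailer
    that maps attachments by extension (as the thread describes) ignores the
    Content-Type, so a .vbs declared as text/plain still runs."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # Content-Disposition filename= or Content-Type name=
        if name and executable_extension(name):
            flagged.append(name)
    return flagged


def build_sample_message() -> bytes:
    """Constructed sample: a double-extension script declared as text/plain
    alongside a harmless PDF; both bodies are placeholders, not real files."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Virus Update"
    msg.set_content("Please see the attached notes.")
    msg.add_attachment(b"' placeholder, not a real script\r\n",
                       maintype="text", subtype="plain",
                       filename="readme.txt.vbs")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print("quarantine:", executable_attachment_names(build_sample_message()))
```

A real gateway would also inspect archives and reject, tag or quarantine rather than just report, but the extension check alone already catches the text/plain disguise that an extension-mapping client falls for.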