Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today
: They rate of it is quite surprising. By the description, the trick / : method of infection does not seem all that different than past worms : viri. Makes me wonder how many people in a room would reach into
their
: purse/pocket on hearing, "Wallet inspector"
Every single person that still opens these damn attachments! :-( IN WINDOWS!
So? Had the virii been an application compiled for RedHat and everyone ran RedHat instead of Windows and they downloaded it using Evolution and double clicked on it, it would suddenly be RH's fault instead of MIcrosoft's? Or is it sendmail's fault because it was listening on port 25 and allowed the worm to connect to it? Newsflash: Even those using Netscape Mail, Lotus Notes, etc. on the PC were still potentially infected due to the nesting of the virii. The worm was not spread through any vulnerability in the operating system, unlike NIMDA/SQLSlammer/etc. This worm was propogated through pure user stupidity, and that'll follow any operating system that Dell/Gateway pre-installs for them. If everyone wants to flame MS, at least do it in a way that doesn't show your own ignorance. -Dave
Dave Temkin wrote: <snip>
So? Had the virii been an application compiled for RedHat and everyone ran RedHat instead of Windows and they downloaded it using Evolution and double clicked on it, it would suddenly be RH's fault instead of MIcrosoft's? Or is it sendmail's fault because it was listening on port 25 and allowed the worm to connect to it? Newsflash: Even those using Netscape Mail, Lotus Notes, etc. on the PC were still potentially infected due to the nesting of the virii.
The worm was not spread through any vulnerability in the operating system, unlike NIMDA/SQLSlammer/etc. This worm was propogated through pure user stupidity, and that'll follow any operating system that Dell/Gateway pre-installs for them. If everyone wants to flame MS, at least do it in a way that doesn't show your own ignorance.
-Dave
<OT> to me the problem is one of a mono culture. Too much of the same stuff everywhere. doesn't matter if it's MS-Windows. MacOS X or Debian GNU/Linux or bacon and eggs - too much of the same is bad for you.. </OT> -- Martin Hepworth Snr Systems Administrator Solid State Logic Tel: +44 (0)1865 842300 ********************************************************************** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This footnote confirms that this email message has been swept for the presence of computer viruses and is believed to be clean. **********************************************************************
: So? Had the virii been an application compiled for RedHat and : everyone ran RedHat instead of Windows and they downloaded it using : Evolution and double clicked on it, it would suddenly be RH's fault : instead of MIcrosoft's? I suspect the skill set/clue of RH users is at least an order higher that windows users. The main problem I see is many e-mail readers default to having the preview plain open and this will then run any app it finds. No clicking required. James Edwards Routing and Security Administrator jamesh@cybermesa.com At the Santa Fe Office: Internet at Cyber Mesa Store hours: 9-6 Monday through Friday 505-988-9200 SIP:1(747)669-1965
On Jan 28, 2004, at 11:56 AM, james wrote:
: So? Had the virii been an application compiled for RedHat and : everyone ran RedHat instead of Windows and they downloaded it using : Evolution and double clicked on it, it would suddenly be RH's fault : instead of MIcrosoft's?
I suspect the skill set/clue of RH users is at least an order higher that windows users.
The main problem I see is many e-mail readers default to having the preview plain open and this will then run any app it finds. No clicking required.
Not sure why that is the case. Web browsers know better than to execute things, or at least to execute them in a sandbox, and there seems to be much more "abuse" capabilities in IE / Netscape than $RandomMailReader. How hard is it to tell a mail reader "NEVER execute a binary"? If someone really wants to run a program that was e-mailed to them, they can save the attachment and run it outside the mail reader or something. So things like "virus.doc.exe" won't get executed by $luser who thinks it was a word doc. There are ways around this (copy/paste an executable into a word doc, then type "Click here!" in the Word doc), but it might help. Might.... :) -- TTFN, patrick
On Wed, Jan 28, 2004 at 12:07:36PM -0500, Patrick W.Gilmore said something to the effect of:
On Jan 28, 2004, at 11:56 AM, james wrote: Not sure why that is the case. Web browsers know better than to execute things, or at least to execute them in a sandbox, and there seems to be much more "abuse" capabilities in IE / Netscape than $RandomMailReader.
How hard is it to tell a mail reader "NEVER execute a binary"? If
w00t.
someone really wants to run a program that was e-mailed to them, they can save the attachment and run it outside the mail reader or something. So things like "virus.doc.exe" won't get executed by $luser who thinks it was a word doc.
I don't think it's that it's hard, so much as inconvenient. C-level-officer types ;) want point-and-click to open and launch, not to be ordered to port and manipulate attachments to access them. And since that might be too much effort...heck...why not give users a peep-hole preview function that allows them to split the screen and peak into the email without clicking on anything at all? Back-office IT heads would roll if that went away... We _can_ thank M$ for setting the bar on this one; no one expected irresponsible features like instant access to attached goodies until the Internet-for-Idiots and SMTP-for-the-generally-challenged revolutions were ushered in to the sounds of "Where do you want to go today, and how much do you want to break/spend/consume while you're there?" I wish I could end this with "Friends don't let friends use Outlook," but I have to agree that the fault still lies primarily in the users that continually refuse to heed the warnings of A) shut that preview pain^N^Nne shee-yit off B) don't execute attachments in email, even/especially if it looks like it might be a really k00l screen saver... Long live mutt. ;) ymmv, --ra -- K. Rachael Treu, CISSP rara@navigo.com ..this email has been brought to you by the letters 'v' and 'i'..
There are ways around this (copy/paste an executable into a word doc, then type "Click here!" in the Word doc), but it might help.
Might.... :)
-- TTFN, patrick
Unfortunately, Microsoft products seem to have a default which is set to hide file extensions and to make it very difficult to see 'multiple extensions' like the '.doc<many spaces>.pif' in the current worm, it is somewhat easier to dress a vampire in gerbil clothing in these systems than in others. -- -=[L]=-
I suspect the skill set/clue of RH users is at least an order higher that windows users.
really, based on experience that would be surprising, rh is now so easy to get and install, securing it is still problematic for most users
The main problem I see is many e-mail readers default to having the preview plain open and this will then run any app it finds. No clicking required.
hmm i've not checked, i thought this virus came as executables so you need to click a couple boxes before it will run,..... Steve
James Edwards Routing and Security Administrator jamesh@cybermesa.com At the Santa Fe Office: Internet at Cyber Mesa Store hours: 9-6 Monday through Friday 505-988-9200 SIP:1(747)669-1965
It's not completely the fault of anything except the end-user. It's like the Jimmy Buffet song says: Evolution is mean, there's no dumbass vaccine scott On Wed, 28 Jan 2004, Dave Temkin wrote: : >>> : They rate of it is quite surprising. By the description, the trick : >>> : method of infection does not seem all that different than past worms : >>> : viri. Makes me wonder how many people in a room would reach into : >> : their purse/pocket on hearing, "Wallet inspector" : >>> : >>> Every single person that still opens these damn attachments! :-( : > : >IN WINDOWS! : : So? Had the virii been an application compiled for RedHat and : everyone ran RedHat instead of Windows and they downloaded it using : Evolution and double clicked on it, it would suddenly be RH's fault : instead of MIcrosoft's? Or is it sendmail's fault because it was : listening on port 25 and allowed the worm to connect to it? Newsflash: : Even those using Netscape Mail, Lotus Notes, etc. on the PC were still : potentially infected due to the nesting of the virii. : : The worm was not spread through any vulnerability in the operating system, : unlike NIMDA/SQLSlammer/etc. This worm was propogated through pure user stupidity, and : that'll follow any operating system that Dell/Gateway pre-installs for : them. If everyone wants to flame MS, at least do it in a way that doesn't : show your own ignorance. : : : -Dave :
RedHAT do not allow to run an attachment, even if attachment wish to be runned - it uses 'x' flag which is not attachment's attribute. Linus useers are niot Administrator's, so virus can not infect the whole system,... Etc etc.... (Why RedHAT? It is the worst Lunux amongs all. Use SuSe or Mandrake).
: They rate of it is quite surprising. By the description, the trick / : method of infection does not seem all that different than past worms : viri. Makes me wonder how many people in a room would reach into
their
: purse/pocket on hearing, "Wallet inspector"
Every single person that still opens these damn attachments! :-( IN WINDOWS!
So? Had the virii been an application compiled for RedHat and everyone ran RedHat instead of Windows and they downloaded it using Evolution and double clicked on it, it would suddenly be RH's fault instead of MIcrosoft's? Or is it sendmail's fault because it was listening on port 25 and allowed the worm to connect to it? Newsflash: Even those using Netscape Mail, Lotus Notes, etc. on the PC were still potentially infected due to the nesting of the virii.
The worm was not spread through any vulnerability in the operating system, unlike NIMDA/SQLSlammer/etc. This worm was propogated through pure user
stupidity, and
that'll follow any operating system that Dell/Gateway pre-installs for them. If everyone wants to flame MS, at least do it in a way that doesn't show your own ignorance.
-Dave
On Wednesday 28 January 2004 08:37, Dave Temkin wrote:
So? Had the virii been an application compiled for RedHat and everyone ran RedHat instead of Windows and they downloaded it using Evolution and double clicked on it, it would suddenly be RH's fault instead of MIcrosoft's?
If RedHat, by default had you running as root rather than an unprivledged user, it sure would be. Most Windows boxes are running with administrative privledges. That makes Windows a willing accomplice. The issue isn't that people click on attachments, but that there are no built in safeguards from what happens next. -- Robin Lynn Frank | Director of Operations | Paradigm-Omega, LLC Cry havoc, and let slip the dogs of war! Email acceptance policy: http://paradigm-omega.com/email_policy.php
Most Windows boxes are running with administrative privledges. That makes Windows a willing accomplice. The issue isn't that people click on attachments, but that there are no built in safeguards from what happens next.
This is problem #1. Unfortunately, Windose is too complex and have too much legacy, so everyone must run as a administrator (try to install Visio without admin privileges...). Problem #2 - using extentions to select an application - may be, it's a very good idea, but it complicates virus (worm) problem. Problemm #3 - Monoculture.
On Wed, 28 Jan 2004, Alexei Roudnev wrote:
Most Windows boxes are running with administrative privledges. That makes Windows a willing accomplice. The issue isn't that people click on attachments, but that there are no built in safeguards from what happens next.
This is problem #1. Unfortunately, Windose is too complex and have too much legacy, so everyone must run as a administrator (try to install Visio without admin privileges...).
The whole point of the infamous *.DLL was to provide local libraries for applications like unix *.lib.so files. This was corrupted by app vendors who were too deadline focused to install their DLL's in the application directory. Of course this was abetted by the ability of an application to write into the system directories. When NTFS came out an ordinary user could not write the system directory tree Hence most users are running as Administrator or equivalent so that they can write into the system tree. This was a bad design decision by MS _and_ application developers. This _is_ fixable by MS by simply not allowing apps to write into the system tree. This of course is a "small matter of programming" but it would really improve the overall security posture of Windows. Now there are well written applications which do install their DLL's into their own tree these apps can usually be recognized by _not_ requiring a reboot after installation.
Problem #2 - using extentions to select an application - may be, it's a very good idea, but it complicates virus (worm) problem.
Problemm #3 - Monoculture. This greatly exacerbates problems 1 and 2 but is not so much of a
Agreed However magic numbers in the header or having the execute permission bit set bring the same problem to the table. problem on its own. i.e. Apache which has over 75% of the webserver market and is infrequently compromised. Problem #4 MS applications have an unfortunate predilection to run any bit of executable code they find. i.e. a WMA file can contain executable code which media player will happily execute. This is a perfect example of just because you can do something it does not necessarily follow that you _should_ do something. This dates back to [*]BASIC and the RUN command. It was somewhat useful 10+ years ago not so much today.
On Thu, 29 Jan 2004 07:41:20 -0500 (EST), you wrote:
... When NTFS came out an ordinary user could not write the system directory tree Hence most users are running as Administrator or equivalent so that they can write into the system tree. This was a bad design decision by MS _and_ application developers. This _is_ fixable by MS by simply not allowing apps to write into the system tree. This of course is a "small matter of programming" but it would really improve the overall security posture of Windows.
Now there are well written applications which do install their DLL's into their own tree these apps can usually be recognized by _not_ requiring a reboot after installation. ...
Actually, it's more of an issue in the registry than the file system; older apps tend to want to write the global HKLM, rather than the user-specific HKCU. But, regardless, Win2K and WinXP do have restricted-user modes that tie this stuff down quite well. They tend to be used in corporate environments. But for home users, it gets to be a pain in the butt, because it prevents a lot of things users want to do, like installing games, multimedia apps and spyware. You can't really have it both ways; if you can install apps, you can install viruses and trojans. I don't see this being much different regardless of the OS you run. And until you have earned some battle scars, you're not afraid of the pretty toys. It would be nice, though, if there were a legitimate 'su' analog in Windows -- sorry, "runas" doesn't cut it. Makes it hard to normally run restricted, and explicitly enable temporary privs sometimes... /kenw Ken Wallewein K&M Systems Integration Phone (403)274-7848 Fax (403)275-4535 kenw@kmsi.net www.kmsi.net
participants (12)
-
Alexei Roudnev
-
Dave Temkin
-
james
-
kenw@kmsi.net
-
Lou Katz
-
Martin Hepworth
-
Patrick W.Gilmore
-
Rachael Treu
-
Robin Lynn Frank
-
Scott McGrath
-
Scott Weeks
-
Stephen J. Wilcox