Outlook Express makes email dangerous
Apparently Outlook Express changes the old truism that you can't
infect your computer with a virus just by opening email. This was
published in the new issue of RISKS:
On 14 Apr 98 about RISKS DIGEST 19.67, risks@csl.sri.com
<risks@csl.sri.com> had this to say:
> From: "A. Padgett Peterson Information Security" <PADGETT@hobbes.orl.lmco.com>
> Subject: Ruminations on MS security
>
> Before I launch this commentary, I need to make a couple of things clear:
> 1) Speaking for myself only as a private individual
> 2) Think the wizards at Redmond have produced some marvelous products but that
> like the certain letter agencies, their agenda is not necessarily the same
> as mine. At least letter agencies seem to have fewer lawyers.
>
> Do have some experience with the second since 1990 when sent a letter to the
> software giant that a simple routine placed into IO.SYS would eliminate all
> known MBR and boot sector viruses. The response was that it was not in their
> business interest.
>
> (Routine was simple - check the byte at 0000:004F for a value equal to or
> greater than C0 - if below, "Redmond, we have a problem". I generally use
> something a bit more sophisticated but was all that was needed. Note: this
> works only before the operating system - any operating system - loads.)
>
> Since then we have been granted such features as the ability to create word
> macro viruses and a server operating system that was rated NCSC C2 so long
> as it was not connected to a network. However the new crop of offerings are
> even more innovative.
>
> Suffice it to say that for years we have been able to tell users that "you
> cannot get a virus just by opening E-Mail". Well, that bug is being fixed.
>
> It seems that with the default installation of the just-released mail-reader
> product coupled with the 98 version of the operating system (at least the
> current beta which contains a necessary .DLL), all of the factors needed to
> accomplish the above are present.
>
> In fact, in recent days I have been able to drop an executable file both on
> c:\ and into the startup directory just by opening the mail reader
> ("preview", which includes script execution for some reason, is a default
> feature).
>
> True, a warning screen is presented if the applet is unsigned (have heard
> that signatures are already floating around the internet), but the same
> screen is presented if Word is opened as well, so I suspect it may become as
> quickly ignored as other such mechanisms have been in the past (like all
> security annoyances, there is an easy way to turn it off).
>
> I have little expectation that the manufacturer will see the error of their
> ways and remove the single necessary construct. It is probably required for
> PUSH. It is entertaining though to find in the on-line language reference
> the statement that the scripting language has no File I/O. I'm sure that in
> some obscure legal language, that must be syntactically correct or it would
> not be there; however, I found it remarkably simple to drop an executable
> file on the hard disk that executed on the next boot. Times are about to
> become "interesting". Caveat Y'all.
>
> Padgett
>
Kris Shapar
____________________________________________________________________
To doubt everything or to believe everything
are two equally convenient solutions; both
dispense with the necessity of reflection.
- Jules Henri Poincaré
____________________________________________________________________
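
Added example, not part of the original message and not Padgett's own routine: the 0000:004F check described in the quoted text, run against a snapshot of the real-mode interrupt vector table. 0000:004F is the high byte of the segment word of the INT 13h (disk services) vector at 0000:004C, so a value of C0 or above means the handler segment is C000h or higher (ROM) rather than conventional RAM. The helper names and both sample vectors are constructed for illustration; the real check runs in real mode before any operating system loads.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IVT_SIZE  1024u          /* 256 real-mode vectors, 4 bytes each, at 0000:0000 */
#define INT13_OFF (0x13u * 4u)   /* 0x4C: offset word, then segment word (0x4E-0x4F) */

struct vec { uint16_t off, seg; uint32_t linear; };

/* Decode one little-endian far pointer from an IVT snapshot. */
static struct vec ivt_vector(const uint8_t *ivt, unsigned n)
{
    const uint8_t *p = ivt + n * 4u;
    struct vec v;
    v.off = (uint16_t)(p[0] | (p[1] << 8));
    v.seg = (uint16_t)(p[2] | (p[3] << 8));
    v.linear = ((uint32_t)v.seg << 4) + v.off;
    return v;
}

/* The check from the message: byte at 0000:004F >= C0.
 * Returns 1 if the INT 13h handler is in ROM space, 0 if it points into RAM. */
static int int13_in_rom(const uint8_t *ivt)
{
    return ivt[INT13_OFF + 3] >= 0xC0;
}

/* Build a constructed IVT snapshot with only the INT 13h vector set. */
static void make_ivt(uint8_t *ivt, uint16_t seg, uint16_t off)
{
    memset(ivt, 0, IVT_SIZE);
    ivt[INT13_OFF + 0] = (uint8_t)(off & 0xFF);
    ivt[INT13_OFF + 1] = (uint8_t)(off >> 8);
    ivt[INT13_OFF + 2] = (uint8_t)(seg & 0xFF);
    ivt[INT13_OFF + 3] = (uint8_t)(seg >> 8);
}

int main(void)
{
    uint8_t ivt[IVT_SIZE];
    /* Constructed samples: a ROM-resident handler and one near the top of 640K RAM. */
    const uint16_t samples[2][2] = { {0xF000, 0xEC59}, {0x9F80, 0x0123} };
    for (int i = 0; i < 2; i++) {
        make_ivt(ivt, samples[i][0], samples[i][1]);
        struct vec v = ivt_vector(ivt, 0x13);
        printf("INT 13h -> %04X:%04X (linear %05lX): %s\n", v.seg, v.off,
               (unsigned long)v.linear,
               int13_in_rom(ivt) ? "ROM, ok" : "RAM, \"Redmond, we have a problem\"");
    }
    return 0;
}
```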