New Virus Can Strike Via HTML E-Mail
cmeans and lots and lots of others have pointed us to this MSNBC article about yet another e-mail virus. Quote from the story: "The virus can only run if Internet Explorer 5.0 with Windows Scripting Host is installed (standard in Windows 98 and Windows 2000 installations). If security settings for Internet Zone in IE5 are set to High, the worm will not be executed. It does not run on Windows NT." ZDNet also has a story about this "Bubbleboy" virus. Update: McAfee weighs in too. (Thanks, Jade.) Consider yourself warned.
Gloat (Score:1)
Outlook Express Settings (Score:2)
Two obvious fixes, disabling scripting in the 'Internet Zone' for IE, and setting Outlook Express to use the 'Restricted Zone' for all content to start with. Anyone using those products should probably be doing both to start with.
-Blake
Micro$haft security (Score:1)
Isn't there something like this going on constantly on windows machines? A new email, virus, thingy every week. Why is this even here? Most
Which is worse? Virii or their names? (Score:3)
At this rate, when some genetic mutagen is released that destroys all of mankind, it'll probably be called the Pokemon virus.
[/tongue in cheek]
- JoeShmoe
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Re:Gloat (Score:2)
Even a well-maintained Windows system is not going to be attacked by a virus very easily. I have been running Microsoft software for going on 15 years now and have never had a problem. This is because I take good care and I know how things work. If Windows users were educated about how to properly manage a system, there would be few successful attacks.
one word (Score:1)
A security flaw in Microsoft software????? (Score:3)
Um, how about ASKING the user if they REALLY want to send all of those emails??? Web pages can't do any real damage by themselves (except by replicating), unless of course they use java to do something nasty.
Of course this begs the question, who _needs_ html email? I mean, do you actually spend hours designing a page to send to someone? HTML emails are big downloads and irritating. Email readers should only look at basic tags (a la slashdot), and not "embed" tags.
Oh, I'm sorry, the users _requested_ that feature bloat for IE 5.0! How silly of me!
Re:Outlook Express Settings (Score:2)
You neglect to mention a third, which will immediately occur to most
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Re:Gloat (Score:1)
I don't run anything that I haven't compiled, or any binary that came from a reputable source/mirror. And because I use Linux, if another user on this system decides to compile and run crap they don't understand, they're the only ones affected.
Maybe it's a practice left over from the good old days of MS-DOS and the virus paranoia associated with it.
Bart.
Active content in emails. (Score:3)
READING email can actually spread a virus. Remember the big scare when people realized that Eudora would open up Java applets without asking permission? I always wondered how netscape mail or Eudora would handle Meta refresh tags...
Anyway, I avoid the whole thing by sticking to good old-fashioned ASCII-mail. Now if only all my co-workers could do the same... *sigh*
on NT... (Score:1)
I guess that Bubbleboy isn't exploiting it for NT, though.
NAI's page on Bubbleboy is here [nai.com].
I read a news story which said that the author emailed the worm to Antivirus companies. So I guess that it was more of a demonstration of a serious problem than something malicious.
It comes back to Micro$oft's incompetence... (Score:2)
----------
The virus can only run if Internet Explorer 5.0 with Windows Scripting Host is installed (standard in Windows 98 and Windows 2000 installations).
This is one of those "advantages" M$ talk about in the anti-trust case. Because the OS already comes with a browser, security flaws such as this are built in!
----------
If security settings for Internet Zone in IE5 are set to High, the worm will not be executed.
And IE 4/5 default to medium setting. Wonderful work, Micro$oft! You really know your stuff....
----------
The virus actually takes advantage of a security flaw in Microsoft's ActiveX technology that was discovered in August.
August?!? AUGUST! Why the hell wasn't a patch to repair the error released in August then? When a monopoly has no competition, they have no motivation to repair errors until they become huge issues for their software....
----------
This is what we get with M$ winning the "browser wars", software with security holes that don't get fixed until they are a real risk. Fortunately, most sane PC don't use IE, and don't have to worry about ActiveX flaws. However this is one more reason why M$ should not be ruler of the browsers...
err (Score:1)
Re:A security flaw in Microsoft software????? (Score:1)
I don't know who came up with that, MS or Netscape... either way, it is stupid. Next thing you know we'll have HTML ping.
At least this evil genius is anti-MS (Score:2)
Re:Micro$haft security (Score:2)
Several reasons. For one, it's "News for Nerds. Stuff that matters." Hard as it may be to believe, some /.ers actually do use windoze. Others use *BSD, or other operating systems. Maybe Linux is the majority, maybe not (still almost certainly the major minority then).
Even for those of us who don't use Windows, we all know people who do. Coworkers, friends, family, lusers on our systems. If we know about this potential problem with windows, perhaps we can help them avoid falling for it, or at least be quicker on cleaning up afterwards...
I'd guess that most of us are the curious sort, who'll learn something interesting (New email worm? How's it work, what does it affect, and what could be done to stop it?) even if it has no practical application in our lives. Why else do we so love nanotech, quantum computing, good fiction, and all the other things posted on /.?
And finally, don't neglect the gloat factor ;)
-----
Not again (Score:2)
Now we have time and time again exploits against IE due to its extreme integration with Windows and such. How long until one of these gets really nasty? How long until someone gets bitten a little too hard, and then they want to bite back?
WSH (Score:1)
What's a real shame is that, in the world of Windows, the Windows Scripting Host has never really taken off. I mean, it's been around since the introduction of Memphis... Before WSH, any automated scripting had to be done through batch files. Batch files were nice in DOS, but they didn't have a world of flexibility under Windows, and they couldn't interact with the rest of the GUI. WSH fixed all that, and I don't think many windows programmers took advantage of it.
Oh well - Now it's a security issue and will get a bum rap because of it. It's a real waste...
-----------
"You can't shake the Devil's hand and say you're only kidding."
Re:Gloat (Score:1)
Why is this called a virus? (Score:1)
There are thousands of pieces of code out there that exploit security flaws such as buffer overruns right now and most of them are labeled as pieces of code that expose programming flaws in the targeted application/server.
How is this any different and why is it being branded as a 'virus'? It uses a security flaw in Microsoft code to introduce unexpected/unwanted behavior.
I don't see this as furthering the viewpoint of "Well, the day has come when people can catch a virus from reading their email" any more than web servers having buffer overrun problems furthers the viewpoint of "the day has come when people can catch a virus from running a web server". If a piece of software is poorly written, it will be exploited.
Do you think perhaps it is because a good majority of computer users use email, but a very small number run server software susceptible to typical server attacks? Though if you remember the WinNuke exploit exposed in Win95 several years back, that is an example of a security flaw that could attack any Win95 machine attached to the Internet.
Re:pine (Score:1)
IIRC, it's "Pine Is No longer Elm."
At least that was what the Slackware installation said.
virus in unixen? (Score:1)
This brings up a question I was wondering about the other day, and I think that I know the answer.
Is it possible for a virus to execute on a unix machine and do any damage?
I know that the same effect as the "bubbleboy" virus could be achieved by targeting pine users or something, if there were those sorts of weaknesses in pine.
In my opinion, though, a malicious virus, that did things such as deleting files, or whatever would have to have the ability to obtain root privileges, or it basically would only be able to delete or change files that the dummy user had access to in the first place.
I assume this is correct, since I have never seen any Virii targeted towards say an i386 Linux system, or any virus scanners for Linux.
One other fact. (Score:1)
Happily, Emacs Doesn't Suffer from this... (Score:2)
The above is, seriously, the big potential security hole in GNU Emacs. It is documented as such, in the documentation, and users are given suitable warning not to do so...
It seems reasonably likely that the only way to make "executable email" safe is the implementation of some sort of capabilities-based system that can strictly lock down what particular programs are permitted to do. Of course, as we learn more about capabilities, it is also likely that its powers of protection will prove quite finite...
E-Mail viruses (Score:1)
This shouldn't be true, in fact until now, it hasn't been. But hopefully this "feature" will be "fixed" by Microsoft. Until then, I'll just stick to pine.
Oh, can't this ALSO affect Hotmail or any other web based E-mail, since they ALL use IE to display the formatting?
Official Virus Information and Security Patch (Score:4)
Symantec posted this advisory of the VBS.BubbleBoy here
http://www.symantec.com/avcenter/venc/data/vbs.bubbleboy.html [symantec.com].
It contains details of what the virus does, where it goes into the registry and how to protect yourself.
If you already do not have that security patch from Windows Update [windowsupdate.com], you can download the patch from
http://www.microsoft.com/security/Bulletins/ms99-032.asp [microsoft.com].
This is kinda scary... as we have always taught people that you cannot get a virus by reading mail, only opening attachments. I hope this doesn't become a growing trend.
"Freedom to innovate..." (Score:1)
What kind of world would that be, and where do I sign up for it?
Poor ISP support people. (Score:1)
I feel for you support boys, just keep your favorite UserFriendly strip on the screen to keep you from snapping.
-Al-
Fine how-do-you-do (Score:1)
The fact is, if Netscape supported Windows Scripting Host, it would probably be susceptible to the same flaw. I don't care for MS anymore than the rest of us, but I can't stand baseless garbage.
-----------
"You can't shake the Devil's hand and say you're only kidding."
A simple solution exists, of course (Score:2)
Now, how do you turn off HTML? Lemme see here, I'll show you...
Hang on, this is the first time I've ever opened up Outlook.
*rummage*
*rummage, rummage*
*dead end*
*thwack!*
Well how about that, the boneheads won't let you turn off mail formatting. Slick guys, good thinking.
Well I'm sorry folks, it looks like you're going to have to switch to a more sensible mail client. Try Eudora or Pine, both of which have Windows ports, or Mutt or Elm or something if they're available (not sure if they exist on Windows -- don't see why not but don't really want to bother verifying that at the moment).
It's funny how a scare like this comes along every few weeks ...and I find myself completely immune to it. "The Humdinger virus abuses your Outlook addressbook, eh? How tragic. Good thing I don't have one nor ever will. Keep safe though, try not to accept any infected mails there, pal!". heh heh
In the immortal words of the venerable Montgomery Burns, "Look at all these idiots!" Hahahaha
True, but still... (Score:1)
Re:virus in unixen? (Score:1)
Re:Why is this called a virus? (Score:1)
Yes, I do agree it is exploiting a security flaw... but in this case it is exploiting a security flaw to create a worm.
Re:It comes back to Micro$oft's incompetence... (Score:1)
Please keep slashdot a nice place by posting your ideas (which were good) in a clear (started good), sane (not so good), and non-hostile manner. Everyone will love you for it, and you'll get better Karma guaranteed.
Re:one word::Mutt (Score:1)
Mutt,
Barks like a puppy,
Bites like a Dog.
geach
(mutt user)
(mutt is an E-mail client for the Enlightened)
(mutt is a productivity device)
(mutt is the end all be all)
(mutt is truly open)
(mutt is good for chasing of bad cat>'s)
(mutt is man's best friend)
(mutt it does a body good)
Get Your fix for Win98 Here: (Score:1)
YOUR BRAIN IS _small_!! (Score:1)
It sure sounds like you're confused boy! Answer me this question: do you need root privileges to create or delete files?
The reason you don't see viruses on linux is not because they need root privileges but because it's a fairly well designed system...
I can just see it... (Score:1)
Gee- What a surprise for Microsoft- A buggy insecure product.
IE5 was made for Micro$oft by the devil.
Re:A simple solution exists, of course (Score:1)
And it's a freakin' good client too. I don't care if it's a MS product, if there was a version of Outlook for Linux (that was as good as the Windows one) I would use it in a heartbeat. KMail just isn't cutting it for me, and I really hate using an xterm for my email.
So you happen to be immune to these attacks because you're using software that less than 10% of the consumer desktop market uses. Believe me, Netscape under Linux has its fair share of bugs -- they abound. You may not be susceptible to these attacks, but you're not invulnerable...
-----------
"You can't shake the Devil's hand and say you're only kidding."
This is *not* just another email virus (Score:5)
That is, it runs on its own, without the recipient having to open any attachments. All they have to do is open the email itself (or, in Outlook Express, just point at the email so that it shows up in the preview pane), and they're infected.
This is a big deal.
Melissa made it so that we couldn't just tell our less tech-minded brethren/co-workers, "for the last time, you'll be ok if you just don't open any frickin' attachments from people you don't frickin' know!" This one means we can't even tell them "you'll be ok if you don't open any attachments."
Now, this particular virus (well, technically it's more of a worm) isn't too malicious (except that, like Melissa, it could clog the hell out of mail servers), and mails itself under a goofy subject line so that you can be on the lookout for it. (Of course, I'm not sure what being on the lookout for it would accomplish if you're running Outlook Express, since there's really no way to delete it from your inbox without first selecting it...which is enough to run the virus.)
But it's a proof-of-concept, and a scary one at that. It just changes the name and organization your computer is registered to and forwards itself to your address book, but the point is that it was screwing around with your registry, and it could have done whatever the hell it wanted to.
Now...there is some good news here.
Namely, this is perhaps the first time in history when Microsoft actually had a patch for a new exploit *before it was released to the public*!! Yes, that's right, this email virus works in exactly the same manner as one of those web-page exploits a couple months back, for which MS has had a critical update patch on Windows Update for several weeks now. Essentially what it does is take advantage of some very very stupidly permissioned ActiveX commands that let an untrusted source save a certain type of file (.HTA) to your Startup directory...thus allowing them to run arbitrary code upon reboot (shouldn't have to wait too long...ok, so that was a cheap shot).
So, the good news is that my Win98 partition was already immune from this exploit, and hopefully so are many other people's. Of course, I can understand people not wanting to be on the bleeding edge of MS's security patches, because running everything MS throws at you can get you burned as well.
As for what I'm sure the mainstream
On the other hand, I have very little doubt that, as we expand into XML and all these other new technologies, short-sighted security permissions are going to bite us (especially those of us that use MS products) in the ass again and again and again, probably with no end in sight until we stop coming up with new features. It's a rather scary trade-off to have to make, and even scarier that 95% of the world has Microsoft making all the decisions for them...
lol (Score:1)
MS = Monopoly != Good For You
Outlook 2K Instructions - Step by Step (Score:2)
Actually it can be done.
Open Outlook
From the menu go to Tools | Options
Click on Mail Format tab in the dialogue box
Change message format to Plain text
Click OK then OK
You should be back at the normal screen - Problem solved
Re:It comes back to Micro$oft's incompetence... (Score:2)
Actually, they have released a patch to repair the error. Here's [microsoft.com] the security bulletin detailing the problem; it was last updated on October 12, which I'm pretty sure is the day the patch to fix this problem was considered safe enough to be released for download at the Windows Update site, where it was indeed marked a critical update. (IIRC, they released a beta patch a couple days after the flaw was discovered.)
Now, there's no question that someone at MS was insanely stupid to give untrusted sources permissions to use ActiveX controls that could write to the Startup directory (that's how this sucker works), and you can argue that the fact that it took 6 weeks before their fix was trusted enough to get on Windows Update is pretty shady as well. But it has been fixed by now.
Feature Vs. Bloat (Score:2)
Well, I think the point is really:
Does an app need to be bloated to have features?
Obviously, 90% of the people who read this will exclaim "NO!". So the question remains "why is software bloated?" This is the thing that is addressed in the Programmer's Stone [ftech.net] as well as many books. Everyone on this site should read The UNIX Philosophy [amazon.com] for a discussion of the stages of software development as well as lots of discussion on why unix has developed into what it is. Only in the second growth stage of development does software become bloated. This is due to the addition of all of the requests for more features being implemented. They all are added without thought until the software becomes too big and the app just about breaks. The UNIX Philosophy of code reuse and small applications still allow features to be added. An example would be the ability to pipe information from one app to another to gain more functionality. This same philosophy of code reuse still holds true in today's GUI world and is why I find KDE so interesting.
The problem comes when code has to be churned out on a deadline without planning or thought. This is usually driven by corporations and Marketing/management. Without artificial deadlines Open Source/*n*x apps can stay small and elegant.
They can also be trimmed back and restructured by anyone. As a community it is important to always grow as fast as possible by adding features but to also look back and take out the features that only benefit a small group of users. That part might hurt a little, but is very important to get the software into the 3rd stage of life. So look back through your code and rewrite some stuff every now and then. It makes your code smaller and you will be able to work faster. You get a net gain in the end.
-pos
The truth is more important than the facts.
NEWS:email breakthru! (Score:2)
In an amazing technological breakthrough, a horde of new email programs have rendered themselves invulnerable to every conceivable computer virus. By rendering email in plain text, ignoring worthless html formatting instructions and pesky attachments which clog up the internet with unwanted and useless files, these programs, known by such arboreal names as pine and elm, sidestep the entire issue of computer viruses. Stay tuned for more details!
activex (Score:2)
msnbc, as i'm sure a lot of other news sources will be doing, are centering really big on the word "VIRUS!" despite the fact the virus isn't the important part at _all_. the important part is that the activex exploit which allowed web pages to install arbitrary code on the person's computer now run in HTML e-mail. If you accept that, the idea "you could write a virus with this" is so obvious as to be totally irrelevant.
The page kinda implied to anyone who doesn't know what they're talking about that this problem is there because someone "wrote a virus", not because MS shipped a product with bad security.
Meanwhile i want to know why microsoft is getting away with this. Despite the fact that a piece of HTML running an activex (or any other kind of applet or script or anything) that can TOUCH your hard drive, much less install, say, Backorifice (or a program that downloads and installs backorifice..) is to me the most terrifying thing a web browser could do. And yet what kind of attention has this little exploit gotten in the couple of months since it's been found? NOTHING. There was like one article on PCWeek months ago and that was IT.
You can, of course, put activex on high, or even disable it, but that shouldn't be _necessary_. Something like activex that allows something like this SHOULD NOT BE RUNNING BY DEFAULT, since it targets people who don't know enough about their computers to go to the bother of understanding what this "activex" thing that MS put on their computers along with windows is. Let things like this, or the little "feature" that let remote web pages view the contents of your copy/paste clipboard, be turned _off_ until the user needs to use them, not left on until the user finds out they're there? Even if in theory ActiveX had perfect security in every way, i still don't like the idea of a web page touching anything on your hard disk besides your cache. (but then, hell, i'm also an old-timey purist who doesn't think an interpreted language like Javascript should contain things that are reliably able to crash the machine of the person who runs them.. but that's another rant altogether. "while(1)alert('!')"..)
How is MS getting _away_ with this? They should be in HUGE trouble for this whole activex thing; this is the most pathetic/deadly security exploit i think i've ever heard of. Yet they're barely getting any attention for it. WHY is this happening?
Still i think it's awful funny that apparently the _only_ use for ActiveX-- at least, the only time i've ever heard of someone doing anything with ActiveX-- is a security exploit.
-mcc-baka
why web browsers suck: http://home.earthlink.net/~mcclure111/cyberleary.
Patched two months ago! (Score:2)
Information is here [microsoft.com].
I really should rant about how hypocritical and ignorant most of the posts here are, but I don't have the energy. How about checking to see whether MS has already fixed the bug, before you complain about the lack of a solution?
Now, if you want to bitch about MSNBC for sensationalizing this, that's another issue entirely...
Superiority, gloating (Score:2)
"I think this story was sent down from heaven to give us Linux users a chance to gloat over windows users," is the gist of the few messages posted so far. I don't really think we should have that attitude at all. We need to understand that there are [l]users out there who think HTML email is really neat, the same way I think that the new kernel debugging features are cool. We have to understand that our tastes in all things computers are not absolute. So Microsoft f***ed it up yet again; all companies do it. One of the reasons linux has been so secure and powerful is the foundation for its design: UNIX. Windows is much younger than UNIX. And anyway, UNIX had its virus/security problems a (not so)long time ago. The Worm anyone?
All computer systems have security holes. Complex ones more so. If you want some more rhetoric on why security is never perfect, read Bruce Schneier's interview here.
I think Microsoft was rash in releasing software with this little hole in it, but it doesn't mean that we're better than users of HTML email. Besides, all of Microsoft's really good OS people are on NT(Win2000) which doesn't have this particular problem. Microsoft doesn't really take the security of Win9x seriously anyway.
I personally am waiting to see how linux stacks up to Win2000. After all, this is like comparing the newest NT to version 2.0.36(my first kernel!).
/bye
Re:This is *not* just another email virus (Score:2)
I hate getting HTML mail, but I can see the point. It is the new ASCII, to some extent. A browser is a better way to read text; although I'll stick with ASCII mail myself for quite a while now. I do think that /.'s restricted HTML is just fine for mail, though.
I disagree, though, that XML and other formats will unleash further viruses. Almost everybody now thinks about security first when designing mail clients. Perhaps even Microsoft will start thinking that way, eventually. The security abomination of ActiveX will *never* be duplicated by anybody else.
Finally, I think that both prevalent e-mail viruses and even more prevalent e-mail spam will cause people to treat e-mail differently in the future. I predict that most e-mail will be rejected unread and unseen by people's e-mail bots; and that to pass through that gauntlet you'd have to jump through some significant hoops. It's sad, but I don't see any other way. Spam will increase without bound, and as long as people want to have persistent e-mail addresses they will be inundated. I don't think that government regulation is right, and I don't think it would work, either.
So, if you have good email screening, then these viruses shouldn't be a problem, either.
thad
Check the flamethrower... (Score:2)
"Answer me this question: do you need root privileges to create or delete files?"
Irrelevant to the original post. The logic goes something like...
if (user.name == "root"){
    program.delete("/usr/bin/something_really_impor
}else if (user.name == "Joe Luser"){
    program.delete("/home/stuff_he_didn't_need_anyw
}else{
    program.delete("nothing_because_it_can't_run");
}
It just doesn't seem to have come out that way. Be nice to germinating thoughts and you may find that they eventually germinate into really good insights...
In any event, yes *nix is a better designed system. But, if you have Joe Luser reading his mail as root, the system is just as vulnerable to attack as any Win* system.
Here's an email virus that gets past IE4 security: (Score:2)
You don't need security flaws like the one mentioned in the article in order to compromise a machine. Simply write a small HTML file which uses javascript or vbscript to do the following:
1. Open the c:\autoexec.bat file for reading
2. Write "echo Updating configuration - please wait" to the file
3. Write "format c:" to the file
Voila!
You need to use the scripting engine to access the file, which will give the user a prompt "scripting may be unsafe, etc.". So, maybe the user elects not to enable scripting, in which case they're safe. Maybe, the user decides to click OK, in which case the next time they reboot (being Windows, that's not too far away
The point is: as always, security issues come down to the user. If users can receive email with inappropriate content, that inappropriate content can end up being executed. The only real way to stop this kind of thing is by identifying it before it gets to the mail client.
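Added example, not part of the original thread or any poster's code: one way to identify active content before a message reaches the mail client, combined with the basic-tags-only allowlist suggested earlier in the discussion. The tag lists, function names and the sample message are assumptions constructed for illustration.

```python
# Added example (not from the thread): screen HTML mail before delivery.
from email import message_from_string
from html import escape
from html.parser import HTMLParser

# Assumption: a Slashdot-style allowlist of plain formatting tags.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:")
ACTIVE_CONTAINERS = {"script", "object", "applet", "iframe"}  # drop tag and contents
ACTIVE_VOID = {"embed", "meta"}                               # no closing tag
SILENT_CONTAINERS = {"style"}                                 # drop contents, no finding


class Screener(HTMLParser):
    """Collects findings about active content and emits allowlisted HTML."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_CONTAINERS or tag in SILENT_CONTAINERS:
            if tag in ACTIVE_CONTAINERS:
                self.findings.append(f"active element <{tag}>")
            self.skip_depth += 1
            return
        if tag in ACTIVE_VOID:
            self.findings.append(f"active element <{tag}>")
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):  # onload, onclick, ...
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in ALLOWED_ATTRS.get(tag, ()):
                # Remove whitespace so "java\tscript:" is still recognised.
                url = "".join((value or "").split()).lower()
                if url.startswith(SAFE_SCHEMES):
                    kept.append(f' {name}="{escape(value)}"')
                elif url.startswith(("javascript:", "vbscript:")):
                    self.findings.append(f"script URL in {name} on <{tag}>")
        if tag in ALLOWED_TAGS and not self.skip_depth:
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_CONTAINERS or tag in SILENT_CONTAINERS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br" and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:  # text inside dropped containers is discarded
            self.out.append(escape(data, quote=False))


def screen_message(raw):
    """Return (findings, sanitized_html_parts) for one RFC 822 message."""
    findings, cleaned = [], []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True) or b""
        try:
            html = body.decode(part.get_content_charset() or "utf-8", "replace")
        except LookupError:  # unknown charset label
            html = body.decode("latin-1")
        screener = Screener()
        screener.feed(html)
        screener.close()
        findings.extend(screener.findings)
        cleaned.append("".join(screener.out))
    return findings, cleaned


# Constructed sample message; the script and handlers are inert placeholders.
SAMPLE = """\
From: sender@example.com
To: rcpt@example.com
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset="us-ascii"

Hello in plain text.
--BOUND
Content-Type: text/html; charset="us-ascii"

<html><body onload="placeholder()">
<p>Hello <b>there</b>, see <a href="http://example.com/">this</a>
or <a href="javascript:placeholder()">that</a>.</p>
<script language="VBScript">' placeholder only, no payload</script>
<object id="x" classid="clsid:00000000-0000-0000-0000-000000000000"></object>
</body></html>
--BOUND--
"""

if __name__ == "__main__":
    found, parts = screen_message(SAMPLE)
    print("\n".join(found) or "no active content")
    print(parts[0].strip())
```

A gateway could quarantine any message with a non-empty findings list, or deliver the sanitized part in place of the original HTML.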
This is just another email virus (Score:2)
Is there a sweeter way to learn proper security than by having all hell break loose? MS is doing the public a favor by proving itself to be asleep at the wheel when it comes to security, but forced to inform people on how virii work and what precautions to take.
If anything it'll make x amount of people go "My data is too valuable for MS to screw around with," and switch to a secure mailer.
I'm hoping MS's vision of putting ActiveX+HTML EVERYWHERE vision is dead.
Re:Feature Vs. Bloat (Score:2)
--
Re:NEWS:email breakthru! (Score:2)
Text ain't any securer than an html page. We just need better browsers.
So many things couldn't happen today
So many songs we forgot to play
So many dreams coming out of the blue
Re:This is *not* just another email virus (Score:2)
What amazes me, though, is how seemingly no one who uses these insecure applications ever says "OK, enough's enough! I'm not going to play microsoft's upgrade/patch/wait-for-next-exploit game any longer." Instead, everyone waits patiently for the next MSNBC article proclaiming the latest bug, and then upgrades their virus software, or patches their insecure app.
It feels good to run an OS with an actual security model (and no, I'm not talking about NT)...
-----------------
Your attention please everyone, if I could just say a few words... I would be a better public speaker.
There was one known Linux virus (Score:2)
Security is going to be big in the next decade as people start to realize it's important. That may only happen after some bank loses a few billion dollars or some terrorist group shuts down the power grid for a few days. It'll take some major disaster, and then security will be in vogue over night. Anyone want to start a security company?
Er... (Score:2)
Re:Active content in emails. (Score:2)
Allen
It's not the OS (Score:2)
I use Windows 98(lite) and Netscape. Am I at risk? Yes, but NEARLY as high as if I was using IE or Outlook.
Re:This is just another email virus (Score:2)
There is a difference between being "security minded" and not wanting your machine to run arbitrary code just from you reading an email. I would assume that every computer user in the world, even those for whom Outlook Express is a good choice, would fall into the latter category. The point is, tens if not hundreds of millions of people *do* use OE, and even relatively smart ones (me, for example), and tens if not hundreds of millions more use Outlook--I'd be surprised if a majority of office workers in the US didn't have Outlook as their standard email program. Suddenly they can get a virus without doing anything wrong themselves. This is emphatically *not* just another email virus. The change from having to actively do something stupid to just receiving an email is a change in kind, not in degree.
I'm hoping MS's vision of putting ActiveX+HTML EVERYWHERE vision is dead.
Very fortunately, this vision is *not* dead, although hopefully this virus will be the final nail in the coffin of this particular implementation. Rather, I think it's a given that something very like this vision--I'd guess it will instead be XML + A Future, More Capable Version Of Java--is exactly what will run the web, and yes, even email, in the future.
I think too often we lose sight of the idea that the internet is exactly what its name implies--a full fledged network. Just because up 'till now technological restrictions (both bandwidth and processor related) have kept it limited mostly to just the exchanging of documents doesn't mean that it can't do much much more. I'm often aggravated by the fact that just because many
IMO, ActiveX was and is a fabulous idea. Unfortunately, the reason for its creation at MS was to counter the threat Java presented to the Windows monopoly. As such, it was expressly not cross-platform (and thus ethically on shaky grounds at best), and it was rushed out with the intent to have features Java couldn't yet match. Both the rushing and the feature bloat led to the myriad security problems that have made ActiveX a scary joke.
But...none of this means that the web should just be HTML and email should just be plain text. Computers are general purpose tools, and very powerful ones at that. Limiting the standard way one computer user can communicate to another--that's all email is, after all--to just the exchange of plain text is backwards and stupid.
Yes, there are security concerns to work out. But they can be worked out. Interactivity is a Good Thing, and I'm looking forward to the day when standard HTML email, not to mention plain text email, looks quaintly anachronistic. And, IMO, if the leaders and coders of the open-source movement aren't looking forward to that day and many others like it, then open-source will be doomed only to follow where commercial software has already led.
Now all we need is a USENET virus... (Score:2)
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
Re:A simple solution exists, of course (Score:2)
I'm not saying HTML isn't useful, though it might not be the best tool for layout in many cases. If all you want to do is bulleted lists, you can simulate that with asterisks and plus signs and whatever else you please. Certain conventions work well for conveying emphasis in your text, that can do a reasonable job of simulating *boldface*, /italics/, and _underlined text_. If you *really* want colors, you're out of luck; if you *really* need to make a table, it might be better to put the document on a web page and send your colleague the address for it. This makes it easy for others to look at it too, when useful.
I see a spectrum of suitable tools for presentation purposes, ranging from ascii for email, to html for web documents, to say postscript for documents that need to be carefully laid out &/or printed. Mixing the formats up creates problems -- *.txt files make lousy web pages just as *.ps files are a pain in the butt in the email inbox. Use the Right Tool For Each Job, and everything will come out OK in the end...
Re:A security flaw in Microsoft software????? (Score:2)
- Bullet 1
- Bullet 2
* Bullet 3
and jack said,"example of quoted text"
*emphasis* _another emphasis_
but not hypertext links of course...
Remember, not everyone uses HTML email, therefore, they will just get a load of unreadable crap - unless ASCII and HTML versions are sent, but that is incredibly annoying, you get annoying unwanted unreadable text - just as annoying as MS Mail putting that mime stuff at the bottom of the mail...
Really, you should only use HTML email if you *know* the recipient is using HTML mail.
Re:On email filtering (Score:2)
Simply, I have a "spam drop" email address (that's the one you see by my name) which I use in all public postings. Whenever I fill out a web form with an email address I give them that one. I use hotmail because (1) Microsoft deserves to waste their time and space storing my spam after all the money they've cost me (I'm talking about downtime not software prices -- I'd never pay for their products, but that doesn't imply that my employers are so flexible), and (2) I don't have to worry about a virus running when I get spam. I go to their web interface if I need to pick up a password to have a site membership, delete the spam, and maybe come back next month. All my other email goes through personal and/or business accounts that I don't give out.
This cuts down drastically on the amount of spam I have to filter.
The content-based filtering uses procmail and a perl script which acts like:
(1) consult a list of regexes for mail to *keep* regardless (this is taken from my aliases list and a list of a few common domains)
(2) match mail against a list of spam phrases (if you look at most spam there are generally phrases there which RARELY ever appear in regular mail) and file away spam in a special spam "folder".
Nobody knows my set of rules, and if they find them and get around them it takes very little time to add a new rule. In a sense every spam that gets through lets me train my system to avoid a new class of spam.
"Yeah, yeah, yeah..." you say. Well, over the past 3 years (all personal and business accounts combined) I have received 181 spam mails -- around 80% of them were automatically filtered. I have about 1 false positive every couple of months. On the hotmail spam drop I would estimate about 4000 spam mails in the past year alone.
Of course, procmail, Perl scripts, and do-it-yourself mail filtering aren't for every one. But then again spam's not for everyone either. :-)
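The two-stage order described in the comment above (keep-list first, spam phrases second), as an added example that is not the commenter's script: it uses Python rather than procmail and Perl, and every address, pattern and message in it is constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Stage 1 (assumed values): senders whose mail is always kept.
KEEP_PATTERNS = [re.compile(p, re.I) for p in (
    r"^alice@friends\.example$",
    r"@work\.example$",
)]

# Stage 2 (assumed values): phrases that rarely appear in ordinary mail.
SPAM_PHRASES = [re.compile(p, re.I) for p in (
    r"\bmake money fast\b",
    r"\bthis is not spam\b",
    r"\bto be removed from (?:our|this) list\b",
)]


def body_text(msg):
    """Concatenate every text/* part, decoding transfer encodings."""
    chunks = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "latin-1"
        try:
            chunks.append(payload.decode(charset, "replace"))
        except LookupError:  # unknown charset label
            chunks.append(payload.decode("latin-1"))
    return "\n".join(chunks)


def classify(raw):
    """Return (folder, reason) for one raw RFC 822 message."""
    msg = message_from_string(raw)
    sender = parseaddr(str(msg.get("From", "")))[1]
    # The keep-list wins even if the text would match a spam phrase.
    if any(p.search(sender) for p in KEEP_PATTERNS):
        return ("inbox", "keep-list")
    # Collapse whitespace so a phrase wrapped across lines still matches.
    text = re.sub(r"\s+", " ", str(msg.get("Subject", "")) + " " + body_text(msg))
    for pattern in SPAM_PHRASES:
        match = pattern.search(text)
        if match:
            return ("spam", match.group(0).lower())
    return ("inbox", "no-match")


# Constructed sample messages.
SAMPLES = [
    "From: Alice <alice@friends.example>\n"
    "Subject: make money fast?? look what I got\n\nForwarding for a laugh.\n",
    "From: Promo <promo@bulk.example>\n"
    "Subject: Opportunity\n\nYou can MAKE MONEY\nFAST from home.\n",
    "From: Bob <bob@elsewhere.example>\n"
    "Subject: lunch\n\nNoon on Friday?\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
```

The keep-list here matches the From header, which a sender can forge, so it trades some spam resistance for fewer false positives.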
Erm. Danger! surely. (Score:2)
This virus won't, because it's written that way. However, avoiding this virus is not an issue because it has never occurred in the wild, and judging by the AV companies' reports, probably never will.
But, according to MS's patch at:
http://support.microsoft.com/support/kb/articles/q240/3/08.asp [microsoft.com],
WinNT running IE5 is susceptible to this problem and there is no reason a new email or web page designed to do so could not exploit this.
Am I wrong?
I hope so because I'm using NT4IE5 right here at work.
Ah yes, I'll just change th... oh. I can't. Admin has disabled the Internet Options menu entry, and the Control Panel version crashes. Marvellous. Hooray for Pok^H^H^H MS.
--
This comment was brought to you by And Clover.
Re:virus scanners.... (Score:2)
You'll find links to the Daemons/Anti-Virus [freshmeat.net] section come up...
Re:A simple solution exists, of course (Score:2)
tools -> options -> security.
no *rummage* or *dead ends* at all. quite simple really. even for a windows user i should think.
Re:A security flaw in Microsoft software????? (Score:2)
That doesn't help the receiver, does it? Or do you think a virus writer will answer "no" when being asked whether he/she really wants to send the email?
Sure, the virus writer will send it, but when the first receivers get the same question, they will hopefully say no, and the chain breaks there. It does help the receiver in the sense that all of his/her friends don't call him/her 'virus boy' or 'typhoid Mary' for the next month.
Re:The problem is... [plus a lengthy rant] (Score:2)
Things are made worse by the "Trust this content?" dialog. Oh, yes, hang on! It has a lovely bitmap that looks like a security seal! It MUST be trustworthy and authentic!
Finally, in defence of Windows NT, I'd like to point out that it has a very good security architecture, which is flexible and actually quite straightforward once you're used to it. What makes it so useless is that standard NT never actually sets the security on the OS! After a base install, any user can go in and remove Program Files or erase various fundamental bits of the OS, unless an Admin painstakingly sets all the permissions.
Of course, anyone who has ever installed the Zero Administration Kit knows why they've made things that way - the moment you make the OS directories secure, Microsoft's products won't run on it.
Re:Wait! (Score:2)
This doesn't force display in plain text (Score:2)
Re:At least this evil genius is anti-MS (Score:2)
He's not all that evil. He wrote a relatively benign virus, and submitted it to an anti-virus company. If he were evil, he would have gotten a free trial AOL account and spammed it to every one of those billions and billions of names on a spam list (all for only $19.95). Not a bad way to publicise a security flaw IMHO.
Re:Wait! (Score:2)
The challenge with OE and the Active X security hole does not fall into the netiquette category. It's a poor security model implemented by a company that has more than its share of enemies. Microsoft, of all corporations, should be sensitive to what people will do when they find security holes. They take internal security seriously. Look at the fact that their webservers have only been cracked once. They understand that script kiddies would love to see their name in lights. The same approach should be taken to the security model of their software.
Re:A security flaw in Microsoft software????? (Score:2)
because it sent itself out with the first receiver's email and most people accept executable email from recognized email addresses
Sure, but the issue in question was having the mail software ask before sending. Thus with Melissa, download your happy porn, suddenly, your mail program is asking you if you really want to send an email to everyone you know. Hopefully, you'll say no here since you didn't write any email.
True, the exceptionally clue challenged will mindlessly click yes, but the damage is at least limited.
Re:Micro$haft security (Score:2)
main(){
for(;;fork());
}
says:
- to initialize the loop, do nothing
- don't check any condition on each iteration (loop forever)
- at the end of each iteration fork()
/peter
Re:Official Virus Information and Security Patch (Score:2)
We told them this in a world before integration == innovation and our decisions were being made for us regarding what we want our software to do for us.
Consumer: But I don't want my toaster to automatically log into my bank and try to pay my bills for me.
Microsoft Toaster 4.0 project manager: Too bad.
Re:This is *not* just another email virus (Score:2)
Melissa made it so that we couldn't just tell our less tech-minded brethren/co-workers, "for the last time, you'll be ok if you just don't open any frickin' attachments from people you don't frickin' know!" This one means we can't even tell them "you'll be ok if you don't open any attachments."
What this worm does allow us to say, however, is "Outlook and Outlook Express are not allowed on supported systems due to excessive security problems, please use a mail reader that doesn't run untrusted code automatically, such as Netscape, Eudora, Pine, Elm, Mutt, etc.". It's not as if there aren't other, better options out there than Outlook, and such a virus is impossible on those systems AFAIK.
----
Obfuscatory Language Doesn't Help (Score:2)
I have been reading the various news reports and it absolutely pisses me off that they are saying "you don't even have to open it". WTF do they think is happening in the "preview pane"? Outlook OPENS the message so it can be displayed. The "preview pane" is an absolutely moronic device, and I have always had it shut off (View | Layout and uncheck Preview Pane). If I want to read something I double click and manually open it in its own window. This is sad. Why don't tech writers write plainly about what is going on? All this is, is another display of fundamental computer security ignorance on M$ part. Outlook Express automatically opens each message and displays a few lines in the preview pane as you scroll the list.
======
"Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16
Re:Even scarier... (Score:2)
Has anyone noticed?? (Score:2)
Why is there not a public backlash? Why isn't the media down Gates' throat over this? Why is there no bad press? Is the FUD really that good? Has Microsoft brainwashed people to such an extent that only the people writing the virii are in the wrong?
Certainly, the thief in the night is to blame for the theft. But if the company that makes your windows doesn't provide a means of keeping them closed...
Ahh, I know it, you know it... Moderate down for Redundancy... It just frustrates me to no end that M$ is shirking its responsibility to make a secure product. Good thing I don't use IE... Heh!
Seinfeld viruses (Score:2)
Newman virus: The newman virus compromises sendmail and pop services. Every once in a while something bad will happen unexpectedly...this will be due to Newman.
George worm: George is pretty much harmless. It often gorges on files in the
Re:Which is worse? Virii or their names? (Score:3)
Pokemon is a memetic contagion from Japan. Since virii are not necessarily biological or cybernetic, this perspective works.
We can even classify it. It's a derivative of the 'pet rock' meme-virus of the mid-70's, but in a much more aggressive form. This virus resembles the Beanie-baby and Furby virii except that it infects only young meme environments which have not yet been able to develop immunity to Fad-class virii.
This immunity requires that the marketing-service ports be shut down unless absolutely needed. The procedure for establishing such immunity is typically referred to as 'jading'. Once a potential host is adequately jaded, it is much less likely to be infected by this, and further mutations of the fad-class virii...
Disillusionment is good.
It's been said a million times (Score:2)
To blame MS for shipping products with security holes is the easy way out, it's true they share the blame, but we can't ignore the fact that your average consumer is purchasing a very complex machine and they have zero understanding as to how to secure it. A computer is not like a toaster but your average person tends to view it that way.
Re:On email filtering (Score:2)
I generally don't have a problem with that :-) However, if there is a time when I need to be able to publish an address for immediate correspondence I can grab another excite/hotmail/whatever address and publish it, check it for a few days and then stop checking it forever. Similarly, since I run sendmail I could give out a new address on my home site, and expire it after a while (make sendmail drop mail to that address).
Re:activex (Score:2)
i want to know how microsoft is getting away with this..
Me too! If Toshiba can bend over to the tune of 2 billion over a floppy controller bug which has never cost anybody anything, why the hell aren't those legal shysters from Texas filing class-actions against BillySoft?
Why, in the last week alone I have read stories about server outages, admin problems, etc etc that must have cost SOMEBODY a lot of bucks, and that shit goes on day after day!
======
"Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16
It's all Alan Turing's Fault (Score:2)
Re:A security flaw in Microsoft software????? (Score:2)
The problem is executing scripts from unknown sources. This could be solved by taking some simple steps.
(1) No execution of scripts of any kind without a digital signature. A company could easily be its own certificate authority.
(2) Without a signature, scripts should be either inactive, or not be able to affect anything other than rendering the message (e.g. no access to MAPI). It's incredible that MS lets scripts in e-mail messages access the user's environment -- it's almost asking for trouble.
(3) No outgoing mail is signed without user approval. This would prevent a kind of implicit transitive trust -- if you trusted somebody else, and that somebody trusts everyone, then you're cooked.
Re:Only the beginning... (Score:2)
Re:A security flaw in Microsoft software????? (Score:2)
-Mike
--
rejecting senders (Score:2)
--
Re:Superiority, gloating (Score:2)
Besides, all of Microsoft's really good OS people are on NT(Win2000) which doesn't have this particular problem.
Actually, Win2000 *does* have this problem, according to the advisory that was up at Network Associates' website (even though the McAfee page referenced here says it's Win98 only...hmm), because it shares Win98's use of IE 5 and Windows Scripting Host. Or, at least, Win2000 Beta 3 has this problem; of course, the final version will obviously include the patch for this exploit, which as noted earlier, has been out for about a month now.
So...either NA's advisory was wrong, and Win2000 doesn't have this hole even though it has all the components which enable it installed (IE 5 and WSH), or Win2000's security model has a big strike against it from the beginning. As you noted, that's completely to be expected with any new operating system, and *nix has certainly been there before. Still, it does make you wonder how long it will take before we can trust W2k...
linux email virus against frm and mailx :) (Score:2)
^[[2J^[1;1H^[[30m^[[40m^[12;7] should be a good sequence to scare someone.
Oddly enough (Score:2)
Email is *WORDS* (Score:2)
Email should be like the telephone- no matter how unpleasant somebody's words may be, they cannot cause your hard disk to erase itself. A telemarketer can try to get you to buy maple syrup, but cannot start pumping 10,000 gallons of maple syrup through the phone in case you want it. Email (and news, which is another story) _must_ be as safe and reasonable as the telephone. Having email be progressively less safe than the telephone is an incredibly bad precedent.
I remember when the Good Times email virus was a complete hoax, and nothing of the sort was possible. Many of you will be able to say the same- "Grandpa, tell us about when people could read email without danger!". As I see it, there is exactly _one_ vendor that has consistently, one could even say maliciously, obliterated this safety and put maybe 50% of the world (actual users of this new software) at risk. I welcome correction suggesting that Netscape HTML email is also to blame, but am not aware of any exploits remotely comparable to this new nightmare.
Forget the future, just for a second, and let's seriously consider how to progress without obliterating the benefits we used to have (that some of us still have, so far). What is so shocking about the idea of having certain basic technologies such as text email and text news remain utterly text? If you want features so badly, have the text scroll across a tickertape as the email comes in, or have it etched in neon letters on the desktop- but the written word is too important to throw away in the mad rush to meaningless features and bizarre activities done by the content in the name of improvements.
Re:*nix helps a bit, but ... (Score:2)
while(1){
program.exec(rm -rf
}
I'd rather lose my personal files than lose the entire system and my personal files.
Trojan BSOD? (Score:2)
Re:Email is *WORDS* (Score:2)
Telegraphs are just words, too. People don't use them too much anymore because new technologies have come along that have allowed people to communicate more effectively. May it be the same for email.
No, not even that. It *will* be the same for email, whether old fuddy-duddies like you like it or not. Plain text email was an incredible technology when it was invented 30 something years ago. It's still incredibly useful today, but it makes use of almost none of the enormous technological advances computers have undergone since email was invented, and I think there's little doubt that it could be even more useful if it *did* make use of those advances.
Now, I'm thinking that a large part of our disagreement may lie in definitions of terms more than anything else. You admit that feature-rich/interactive communication can sensibly be done, just "in another medium". Essentially, I'm not so sure what the distinction is. Now, whether we call an interactive draft of a document written in a Java-enabled markup language (or some such thing)--along with, say, an embedded video of yourself explaining the feedback you're seeking--that's delivered to a friend or coworker's computer over the internet "an email" or "a whatchamabob" doesn't seem to make too much difference to me. The point is, that (and other, better examples; I'm not being too creative today) is where we're headed, and that's a damn good thing.
Whether the current email infrastructure is the right way to handle communications that are slowly evolving towards that end is another question, but, I think you'll agree, one that doesn't impact our discussion from an end-user perspective very much.
Email should be like the telephone- no matter how unpleasant somebody's words may be, they cannot cause your hard disk to erase itself. A telemarketer can try to get you to buy maple syrup, but cannot start pumping 10,000 gallons of maple syrup through the phone in case you want it.
Yes, interactive content carries with it greater responsibilities to protect privacy and security. But, while these new responsibilities may create growing pains while the technology is still new (eg. this virus), they are nearly always solved, and the end result is for the betterment of society. Take your telephone analogy, for example: compared to the telegraph, the telephone was considerably more invasive of one's privacy: telemarketers can call during dinner, for example. However, that just led to solutions, like caller ID, or answering machines so that you can screen your calls. The end result is, of course, that no one in their right mind would dispute that the advantages offered by the telephone weren't worth the potential loss of privacy.
Or, take your teleporting telephone analogy. Now I, for one, would *love* to have a phone that could spit out 10,000 gallons of maple syrup (well, assuming it could also spit out other stuff). Think how awesome and useful that would be! It'd be like Star Trek or something. No half-hour wait when you order pizza! Now, of course, I'd want some security mechanism to ensure that I wouldn't receive anything without my permission...but that doesn't mean we shouldn't try to invent teleporting technology, or that it isn't an overall good.
Same thing with feature-rich email. Or, if you wish, "feature-rich person-to-person electronic communication". The thing is, different versions of that are getting implemented today, mainly on corporate intranets, and also with applications like telemedicine, etc. And, once the internet as a whole has the bandwidth to support this sort of stuff, I think there's very little doubt that everyone will use it in some form, and that it will make our lives more convenient, however slightly.
Hitting a few bumps along the way is to be expected--especially when MS is the one driving. But it's no reason to stick with outdated technology.
-Dave
Oh, and as for Netscape HTML email being immune, you are indeed wrong. If you recall, about a year and a half ago there was a spate of Javascript email exploits that were uncovered. Now, unlike this bug, they required the user to click on a link in an HTML email...but IIRC, Netscape's email reader fell prey to even *more* of them than did Outlook (although they were both awfully terrible. Eudora was considerably better, although it had its share as well).
Re:This is just another email virus (Score:2)
If you're using OE and you think you're secure, heh, that's your problem.
Re:Email is *WORDS* (Score:2)
I must respectfully disagree (to quote someone I'm not in the habit of quoting).
The ordinary way of saying what you said on
I do agree, however, with a general concept that Just because we can implement something means we should implement it, which seems to be one of several diseases raging at Microsoft and among various other sets of developers right now.
I would like to see an ANSI/ISO standard for an e-mail format that would let me do lots of HTML-like stuff (and a lot of trans-HTML stuff too, such as mathematical formulae), but also had an eye out for security and specifically barred extensions that were not part of the spec, such as unsandboxed executables and whatever other bad ideas someone comes up with next.
--
It's October 6th. Where's W2K? Over the horizon again, eh?
Re:fork bombs (Score:2)
main(){main(fork());}
(I found several ways to tie yours, but this was the only one that could beat it.)
main(){fork();fork();}
main(){fork();main();}
main(){for(;;)fork();}
main()(while(fork());}
/peter