Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
The Internet

New Virus Can Strike Via HTML E-Mail 334

cmeans and lots and lots of others have pointed us to this MSNBC article article about yet another e-mail virus. Quote from the story: "The virus can only run if Internet Explorer 5.0 with Windows Scripting Host is installed (standard in Windows 98 and Windows 2000 installations). If security settings for Internet Zone in IE5 are set to High, the worm will not be executed. It does not run on Windows NT." ZDNet also has a story about this "Bubbleboy" virus. Update: McAfee weighs in too. (Thanks, Jade.) Consider yourself warned.
This discussion has been archived. No new comments can be posted.

New Virus Can Strike Via HTML E-Mail

Comments Filter:
  • Insert lots of gloating about not running MS software here.

  • Two obvious fixes, disabling scripting in the 'Internet Zone' for IE, and setting Outlook Express to use the 'Restricted Zone' for all content to start with. Anyone using those products should probably be doing both to start with.


  • Ok this one isn't even that bad (for micro$haft). It won't run on NT. and your security settings can't be on high.

    Isn't there something like this going on constantly on windows machines? A new email, virus, thingy every week. Why is this even here? Most /.ers run linux don't they.
  • by JoeShmoe ( 90109 ) <askjoeshmoe@hotmail.com> on Tuesday November 09, 1999 @07:10PM (#1547381)
    You know, whenever I read some really good piece of science fiction, the terror is never caused by something called BubbleBoy...or Melissa, or Good Times, or any of these other stupid names.

    At this rate, when some genetic mutagen is released that destroys all of mankind, it'll probably be called the Pokemon virus.

    [/tongue in cheek]

    - JoeShmoe

    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=-=-=-=-=-
  • It is not about not running MS software. Any OS is going to be attackable. It is because UNIX users tend to know more about how their computers work and how to secure them. They also know what is a risky behaviour and avoid or only walk into it with extreme caution.

    Even a well-maintained Windows system is not going to be attacked by a virus very easily. I have been running Microsoft software for going on 15 years now and have never had a problem. This is because I take good care and I know how things work. If Windows users were educated about how to properly manage a system, there would be few successful attacks.
  • pine
  • by ywwg ( 20925 ) on Tuesday November 09, 1999 @07:13PM (#1547385) Homepage
    "In fact, it's unclear exactly how users of HTML-enabled e-mail readers can protect themselves from such viruses."

    Um, how about ASKING the user if they REALLY want to send all of those emails??? Web pages can't do any real damage by themselves (except by replicating), unless of course they use java to do something nasty.

    Of course this begs the question, who _needs_ html email? I mean, do you actually spend hours designing a page to send to someone? HTML emails are big downloads and irritating. Email readers should only look at basic tags (a la slashdot), and not "embed" tags.

    Oh, I'm sorry, the users _requested_ that feature bloat for IE 5.0! How silly of me!
  • > Two obvious fixes,

    You neglect to mention a third, which will immediately occur to most /.ers. (It's so simple I could write it in the margin, if only this input box had a margin.)

    It's October 6th. Where's W2K? Over the horizon again, eh?
  • Werd.

    I don't run anything that I haven't compiled, or any binary that came from a reputable source/mirror. And because I use Linux, if another user on this system decides to compile and run crap they don't understand, they're the only ones affected.

    Maybe it's a practice left over from the good old days of MS-DOS and the virus paranoia associated with it.

  • by FauxPasIII ( 75900 ) on Tuesday November 09, 1999 @07:19PM (#1547390)
    I'm increasingly worried about the ability to send active content in emails... above and beyond people who blindly execute attached files (user stupidity), it's getting to the point where just
    READING email can actually spread a virus. Remember the big scare when people realized that Eudora would open up Java applets without asking permission ? I always wondered how netscape mail or Eudora would handle Meta refresh tags...

    Anyway, I avoid the whole thing by sticking to good old-fashioned ASCII-mail. Now if only all my co-workers could do the same... *sigh*
  • From what I read on Microsoft's advisory on this bug [microsoft.com], the same bug exists in NT.

    I guess that Bubbleboy isn't exploiting it for NT, though.

    NAI's page on Bubbleboy is here [nai.com].

    I read a news story which said that the author emailed the worm to Antivirus companies. So I guess that it was more of a demonstration of a serious problem than something malicous.

  • This is what we get from Micro$oft's "innovations".....

    The virus can only run if Internet Explorer 5.0 with Windows Scripting Host is installed (standard in Windows 98 and Windows 2000 installations).

    This is one of those "advantages" M$ talk about in the anti-trust case. Because the OS already comes with a browser, security flaws such as this are built in!

    If security settings for Internet Zone in IE5 are set to High, the worm will not be executed.

    And IE 4/5 default to medium setting. Wonderful work, Micro$oft! You really know your stuff....

    The virus actually takes advantage of a security flaw in Microsoft's ActiveX technology that was discovered in August.

    August?!? AUGUST! Why the hell wasn't a patch to repair the error relased in August then? When a monopoly has no competition, they have no motivation to repair errors until they become huge issues for their software....

    This is what we get with M$ winning the "browser wars", software with security holes that don't get fixed until they are a real risk. Fortunatly, most sane PC don't use IE, and don't have to worry about ActiveX flaws. However this is one more reason why M$ should not be ruler of the browsers...
  • gee IE5 with a bug??!! how could that be? anywayz, this is just another reason that netscape/linux rules
  • You are so right!

    I don't know who came up with that, MS or Netscape... either way, it is stupid. Next thing you know we'll have HTML ping.

  • Bah, Bubbleboy isn't a Seinfeld episode, its the AUTHOR. What would you do sealed up all day but write malicious virii?

  • Why is this even here? Most /.ers run linux don't they.

    Several reasons. For one, it's "News for Nerds. Stuff that matters." Hard as it may be to believe, some /.ers actually do use windoze. Others use *BSD, or other operating systems. Maybe Linux is the majority, maybe not (still almost certainly the major minority then).

    Even for those of us who don't use Windows, we all know people who do. Coworkers, friends, family, lusers on our systems. If we know about this potential problem with windows, perhaps we can help them avoid falling for it, or at least be quicker on cleaning up afterwards...

    i'd guess that most of us are the curious sort, who'll learn something interesting (New email worm? How's it work, what does it affect, and what could be done to stop it?) even if it has no practical application in our lives. Why else do we so love nanotech, quantum computing, good fiction, and all the other things posted on /.?

    And finally, don't neglect the gloat factor ;)


  • I was hoping that Melissa would make companies wake up and rethink the "lets move everything to Outlook/Exchange/IE" philosophy. Apparently IT people forget quickly...

    Now we have time and time again exploits against IE due to its extreme integration with Windows and such. How long until one of these gets really nasty? How long until someone gets bitted a little too hard, and then they want to bite back?
  • by Foogle ( 35117 )
    I know this is Windows tech, but it's ontopic so I just thought I'd say it:

    What's a real shame is that, in the world of Windows, the Windows Scripting Host has never really taken off. I mean, it's been around since the introduction of Memphis... Before WSH, any automated scripting had to be done through batch files. Batch files were nice in DOS, but they didn't have a world of flexibility under Windows, and they couldn't interact with the rest of the GUI. WSH fixed all that, and I don't think many windows programmers took advantage of it.

    Oh well - Now it's a security issue and will get a bum rap because of it. It's a real waste...


    "You can't shake the Devil's hand and say you're only kidding."

  • Any OS is going to be attackable? That is simply not true. The problem is a bug in Microsoft's scripting code. This bug is not present in other email clients. Therefore, it will not affect other operating systems.
  • To me, this seems more like a plain-old security exploit, no different than the dozen or so major security flaws in IE and Navigator found in the last 3 years or so.

    There are thousands of pieces of code out there that exploit security flaws such as buffer overruns right now and most of them are labled as pieces of code that expose programming flaws in the targeted application/server.

    How is this any different and why is it being branded as a 'virus'? It uses a security flaw in Microsoft code to introduce unexpected/unwanted behavior.

    I don't see this as furthering the viewpoint of "Well, the day has come when people can catch a virus from reading their email" any more than web servers having buffer overrun probelms furthers the viewpoint of "the day has come when people can catch a virus from running a web server". If a piece of software is poorly written, it will be exploited.

    Do you think perhaps it is because a good majority of computer users use email, but a very small number run server software susceptable to typical server attacks? Though if you remember the WinNuke exploit exposed in Win95 several years back, that is an example of a security flaw that could attack any Win95 machine attacked to the Internet.
  • (Pine Is Not Elm!)

    IIRC, it's "Pine Is No longer Elm."

    At least that was what the Slackware installation said.
  • ---- Warning...Maybe a little offtopic
    This brings up a question I was wondering about the other day, and I think that I know the answer.

    Is it possible for a virus to execute on a unix machine and do any damage?

    I know that the same effect as the "bubbleboy" virus could be achieved by targeting pine users or something, if their were those sorts of weaknesses in pine.

    In my opinion, though, a malicious virus, that did things such as deleting files, or whatever would have to have the ability to obtain root privileges, or it basically would only be able to delete or change files that the dummy user had access to in the first place.

    I assume this is correct, since I have never seen any Virii targeted towards say an i386 Linux system, or any virus scanners for Linux.
  • There apparently haven't been any known outbreaks according to ZDTV anyway. Now anti-virus companies will really be praised from keeping us safe from everyday things, now there is a full time danger and we must trust "HTML escorters" to surf around the internet. Gee Wiz.
  • Oops. I set: (setq enable-local-variables T) ... and someone set up a mail message that deleted my home directory tree...

    The above is, seriously, the big potential security hole in GNU Emacs. It is documented as such, in the documentation, and users are given suitable warning not to do so...

    It seems reasonably likely that the only way to make "executable email" safe is the implementation of some sort of capabilities-based system that can strictly lock down what particular programs are permitted to do. Of course, as we learn more about capabilities, it is also likely that its powers of protection will prove quite finite...

  • This is the time where we all check back over our warnings and say "If you use Outlook Express 5, yes, you CAN get a virus just from reading an e-mail."

    This shouldn't be true, in fact until now, it hasn't been. But hopefully this "feature" will be "fixed" by Microsoft. Until then, i'll just stick to pine.

    Oh, can't this ALSO affect Hotmail or any other web based E-mail, since they ALL use IE to display the formatting?
  • by Laven ( 102436 ) on Tuesday November 09, 1999 @07:25PM (#1547406)
    It appears that Symantec has already analyzed this virus. This article [excite.com] mentions that the the virus may be protected by an August Microsoft IE5 ActiveX security patch.

    Symantec posted this advisory of the VBS.BubbleBoy here
    http://www.symantec.c om/avcenter/venc/data/vbs.bubbleboy.html [symantec.com].
    It contains details of what the virus does, where it goes into the registry and how to protect yourself.

    If you already do not have that security patch from Windows Update [windowsupdate.com], you can download the patch from
    http://www.microsoft.com/s ecurity/Bulletins/ms99-032.asp [microsoft.com].

    This is kinda scary... as we have always taught people that you cannot get a virus by reading mail, only opening attachments. I hope this doesn't become a growing trend.

  • You know, now I understand where Microsoft is coming from. Imagine what would happen to the "freedom to innovate" exercised by virus authors and script kiddies if Microsoft were to somehow be made accountable for their lax security? What would bored pre-teens do with their l33t AOL connections? Learn something useful, like programming or writing?

    What kind of world would that be, and where do I sign up for it?
  • I was working tech support for an ISP when "Melissa" hit. I spent all day explaining to people the truth about the virus..."As long as you don't download and run any attachments..." I can just hear them now "But, you said before that I couldn't get a virus by just reading my mail..."

    I feel for you support boys, just keep your favorite UserFriendly strip on the screen to keep you from snapping.

  • No, it's not a "feature", it's a real live bug. One that MS has acknowleged, so stop acting all smug about Netscape -- like they never had a security bug...

    The fact is, if Netscape supported Windows Scripting Host, it would probably be succeptible to the same flaw. I don't care for MS anymore than the rest of us, but I can't stand baseless garbage.


    "You can't shake the Devil's hand and say you're only kidding."

  • First off, don't use HTML mail. Problem solved. This will mean having to type or cute & paste URLs, but hey -- life's rough.

    Now, how do you turn off HTML? Lemme see here, I'll show you...

    Hang on, this is the first time I've ever opened up Outlook.


    *rummage, rummage*

    *dead end*


    Well how about that, the boneheads won't let you turn off mail formatting. Slick guys, good thinking.

    Well I'm sorry folks, it looks like you're going to have to switch to a more sensible mail client. Try Eudora or Pine, both of which have Windows ports, or Mutt or Elm or something if they're available (not sure if they exist on Windows -- don't see why not but don't really want to bother verifying that at the moment).

    It's funny how a scare like this comes along every few weeks ...and I find myself completely immune to it. "The Humdinger virus abuses your Outlook addressbook, eh? How tragic. Good thing I don't have one nor ever will. Keep safe though, try not to accept any infected mails there, pal!". heh heh

    In the immortal words of the venerable Montgomery Burns, "Look at all these idiots!" Hahahaha

  • There is an implicit assumption that there will never be a virus for the first poster's OS and that simply isn't true.
  • There have been a couple that targetted i386 Linux. The only one I remember details of someway or another attached itself to DOOM, but I do not know how.
  • I believe it is classified as a virus, or more specifically a worm, because it replicates and spreads through a network. That's the normal definition of a worm.

    Yes, I do agree it is exploiting a security flaw... but in this case it is exploiting a security flaw to create a worm.

  • Alright, Xenex, you have some good thoughts, but tone it down a little. Lay off the exclamation point for every sentence. Stop using all caps for words, and using the $ in Microsoft is really just getting old.

    Please keep slashdot a nice place by posting your ideas (which were good) in a clear (started good), sane (not so good), and non-hostile manner. Everyone will love you for it, and you'll get better Karma guaranteed.

  • Mutt,

    Barks like a puppy,

    Bites like a Dog.


    (mutt user)

    (mutt is an E-mail client for the Enlightened)

    (mutt is a productivity device)

    (mutt is the end all be all)

    (mutt is truly open)

    (mutt is good for chasing of bad cat>'s)

    (mutt is man's best friend)

    (mutt it does a body good)

  • The easiest way to get your fix for Win98 is here: Just use Windows update on your start menu. [microsoft.com]
  • In my opinion, though, a malicious virus, that did things such as deleting files, or whatever would have to have the ability to obtain root privileges, or it basically would only be able to delete or change files that the dummy user had access to in the first place.

    It sure sounds like you're confused boy! Answer me this question: do you need root privileges to create or delete files?

    The reason you don't see viruses on linux is not because they need root privileges but because it's a fairly well designed system...
  • I just cannot wait to see my Work Email filled by the pointless drone of our Windows NT "Administrator" preaching about Security on windows boxen.

    Gee- What a suprise for Microsoft- A buggy insecure product.

    IE5 was made for Micro$oft by the devil.
  • Oh please. It's not like you avoided this virus through some incredible foresight of your own thinking. You just don't use Outlook -- that's fine, but a lot of people do.

    And it's a freakin' good client too. I don't care if it's a MS product, if there was a version of Outlook for Linux (that was as good as the Windows one) I would use it in a heartbeat. KMail just isn't cutting it for me, and I really hate using an xterm for my email.

    So you happen to be immune to these attacks because you're using software that less than 10% of the consumer desktop market uses. Believe me, Netscape under Linux has it's fair share of bugs -- they abound. You may not be succeptible to these attacks, but you're not invulnerable...


    "You can't shake the Devil's hand and say you're only kidding."

  • by ToLu the Happy Furby ( 63586 ) on Tuesday November 09, 1999 @07:36PM (#1547422)
    Read the article, folks. This is the email virus.

    That is, it runs on its own, without the recipient having to open any attachments. All they have to do is open the email itself (or, in Outlook Express, just point at the email so that it shows up in the preview pane), and they're infected.

    This is a big deal.

    Melissa made it so that we couldn't just tell our less tech-minded brethren/co-workers, "for the last time, you'll be ok if you just don't open any frickin' attachments from people you don't frickin' know!" This one means we can't even tell them "you'll be ok if you don't open any attechments."

    Now, this particular virus (well, technically it's more of a worm) isn't too malicious (except that, like Melissa, it could clog the hell out of mail servers), and mails itself under a goofy subject line so that you can be on the lookout for it. (Of course, I'm not sure what being on the lookout for it would accompish if you're running Outlook Express, since there's really no way to delete it from your inbox without first selecting it...which is enough to run the virus.)

    But it's a proof-of-concept, and a scary one at that. It just changes the name and organization your computer is registered to and forwards itself to your address book, but the point is that it was screwing around with your registry, and it could have done whatever the hell it wanted to.

    Now...there is some good news here.

    Namely, this is perhaps the first time in history when Microsoft actually had a patch for a new exploit *before it was released to the public*!! Yes, that's right, this email virus works in exactly the same manner as one of those web-page exploits a couple months back, for which MS has had a critical update patch on Windows Update for several weeks now. Essentially what it does is take advantage of some very very stupidly permissioned ActiveX commands that lets an untrusted source save a certain type of file (.HTA) to your Startup directory...thus allowing them to run arbitrary code upon reboot (shouldn't have to wait too long...ok, so that was a cheap shot).

    So, the good news is that my Win98 partition was already immune from this exploit, and hopefully so are many other people's. Of course, I can understand people not wanting to be on the bleeding edge of MS's security patches, because running everything MS throws at you can get you burned as well.

    As for what I'm sure the mainstream /. response to this will be--i.e., this sort of thing is inevitable with HTML email, why can't everyone just use Pine for email and ftp instead of attachments, and while we're at it let's replace all our PC's with teletypes hooked up to a PDP-11--I'm not so sure. IMO, it's a Good Thing that feature-rich email is here to stay, and in the long run there's not so much reason for email to be any more secure than browsing; if a computer can be compromised through its browser, then that's unacceptable right there.

    On the other hand, I have very little doubt that, as we expand into XML and all these other new technologies, short-sided security permissions are going to bite us (especially those of us that use MS products) in the ass again and again and again, probably with no end in sight until we stop coming up with new features. It's a rather scary trade-off to have to make, and even scarier that 95% of the world has Microsoft making all the decisions for them...
  • by BobLenon ( 67838 )
    God i love this crap. And people persist using IE/Windoze. And we wonder why they waste soo much time on fixing computers in the business world. Why dont they wake up and smell the coffe. Perhaps they will soon...

    MS = Monolopy != Good For You
  • Well how about that, the boneheads won't let you turn off mail formatting. Slick guys, good thinking

    Actually it can be done.

    Open Outlook
    From the memu go to Tools | Options
    Click on Mail Format tab in the dialogue box
    Change message format to Plain text
    Click OK then OK

    You should be back at the normal screen - Problem solved
  • August?!? AUGUST! Why the hell wasn't a patch to repair the error relased in August then? When a monopoly has no competition, they have no motivation to repair errors until they become huge issues for their software....

    Actually, they have released a patch to repair the error. Here's [microsoft.com] the security bulletin detailing the problem; it was last updated on October 12, which I'm pretty sure is the day the patch to fix this problem was considered safe enough to be released for download at the Windows Update site, where it was indeed marked a critical update. (IIRC, they released a beta patch a couple days after the flaw was discovered.)

    Now, there's no question that someone at MS was insanely stupid to give untrused sources permissions to use ActiveX controls that could write to the Startup directory (that's how this sucker works), and you can argue that the fact that it took 6 weeks before their fix was trusted enough to get on Windows Update is pretty shady as well. But it has been fixed by now.
  • A while back (~3 months?) I read an article linked to by /. about bloated apps. The author was stating that users ask for and want bloated software. I see this argument time and time again in the press, newsgroups and so on...

    Well, I think the point is really:

    Does an app need to be bloated to have features?

    Obviously, 90% of the people who read this will exclaim "NO!". So the quesion remains "why is software bloated?" This is the thing that is addressed in the Programmer's Stone [ftech.net] as well as many books. Everyone on this site should read The UNIX Philosophy [amazon.com] for a dissussion of the stages of software development as well as lots of discussion on why unix has developed into what it is. Only in the second growth stage of development does software become bloated. This is due to the addition of all of the requests for more features being implemented. They all are added withought thought until the software becomes too big and the app just about breaks. The UNIX Philosophy of code reuse and small applications still allow features to be added. An example would be the ability to pipe information from one app to another to gain more functionality. This same philosophy of code reuse still holds true in today's GUI world and is why I find KDE so interesting.

    The problem comes when code has to be churned out on a deadline without planning or thought. This is usually driven by coporations and Marketing/management. Without artificial deadlines Open Source/*n*x apps can stay small and elegant.

    They can also be trimmed back and restructured by anyone. As a community it is important to always grow as fast as possible by adding features but to also look back and take out the features that only benefit a small group of users. That part might hurt a little, but is very important to get the software into the 3rd stage of life. So look back thorough your code and rewrite some stuff every now and then. It makes your code smaller and you will be able to work faster. You get a net gain in the end.


    The truth is more important than the facts.
    In an amazing technological breakthrough, a hoard of new email programs have rendered themselves invulnerable to every concievable computer virus. By rendering email in plain text, ignoring worthless html formatting instructions and pesky attatchments which clog up the internet with unwanted and useless files, these programs, known by such arboreal names as pine and elm, sidestep the entire issue of computer viruses. Stay tuned for more details!
  • by mcc ( 14761 )
    i want to know how microsoft is getting away with this..
    msnbc, as i'm sure a lot of other news sources will be doing, are centering really big on the word "VIRUS!" despite the fact the virus isn't the important part at _all_. the important part is that the activex exploit which allowed web pages to install arbitrary code on the person's computer now run in HTML e-mail. If you accept that, the idea "you could write a virus with this" is so obvious as to be totally irrelivant.

    The page kinda implied to anyone who doesn't know what they're talking about that this problem is there because someone "wrote a virus", not because MS shipped a product with bad security.

    Meanwhile i want to know why microsoft is getting away with this. Despite the fact that a piece of HTML running an activex (or any other kind of applet or script or anything) that can TOUCH your hard drive, much less install, say, Backorifice (or a program that downloads and installs backorifice..) is to me the most terrifying thing a web browser could do. And yet what kind of attention has this little exploit gotten in the couple of months since it's been found? NOTHING. There was like one article on PCWeek months ago and that was IT.

    You can, of course, put activex on high, or even disable it, but that shouldn't be _neccicary_. Something like activex that allows something like this SHOULD NOT BE RUNNING BY DEFAULT, since it targets people who don't know enough about their computers to go to the bother of understanding what this "activex" thing that MS put on their computers along with windows is. Let things like this, or the little "feature" that let remote web pages view the contents of your copy/paste clipboard, be turned _off_ until the user needs to use them, not left on until the user finds out they're there? Even if in theory ActiveX had perfect security in every way, i still don't like the idea of a web page touching anything on your hard disk besides your cache. (but then, hell, i'm also an old-timey purist who doesn't think an interpreted language like Javascript should contain things that are reliably able to crash the machine of the person who runs them.. but that's another rant altogether. "while(1)alert('!')"..)

    How is MS getting _away_ with this? They should be in HUGE trouble for this whole activex thing; this is the most pathetic/deadly security exploit i think i've ever heard of. Yet they're barely getting any attention for it. WHY is this happening?

    Still i think it's awful funny that apparently the _only_ use for ActiveX-- at least, the only time i've ever heard of someone doing anything with ActiveX-- is a security exploit.

    why web browsers suck: http://home.earthlink.net/~mcclure111/cyberleary.h tml#discontent
  • Win9x [microsoft.com] WinNT [microsoft.com]

    Information is here [microsoft.com].

    I really should rant about how hypocritical and ignorant most of the posts here are, but I don't have the energy. How about checking to see whether MS has already fixed the bug, before you complain about the lack of a solution?

    Now, if you want to bitch about MSNBC for sensationalizing this, that's another issue entirely...
  • "I think this story was sent down from heaven to give us Linux users a chance to gloat over windows users," is the gist of the few messages posted so far. I don't really think we should have that attitude at all. We need to understand that there are [l]users out there who think HTML email is really neat, the same way I think that the new kernel debugging features are cool. We have to understand that our tastes in all things computers are not absolute. So Microsoft f***ed it up yet again; all companies do it. One of the reasons linux has been so secure and powerful is the foundation for it's design: UNIX. Windows is much younger than UNIX. And anyway, UNIX had it's virus/security problems a (not so)long time ago. The Worm anyone?

    All computer systems have security holes. Complex ones more so. If you want some more rhetoric on why secuity is never perfect, read Bruce Schneier's interview here.

    I think Microsoft was rash in releasing software with this little hole in it, but it doesn't mean that we're better than users of HTML email. Besides, all of Microsoft's really good OS people are on NT(Win2000) which doesn't have this particular problem. Microsoft doesn't really take the security of Win9x seriously anyway.

    I personally am waiting to see how linux stacks up to Win2000. After all, this is like comparing the newest NT to version 2.0.36(my first kernel!).


  • A couple of comments on Tolu's good post, and then something more.

    I hate getting HTML mail, but I can see the point. It is the new ASCII, to some extent. A browser is a better way to read text; although I'll stick with ASCII mail myself for quite a while now. I do think that /.'s restricted HTML is just fine for mail, though.

    I disagree, though, that XML and other formats will unleash further viruses. Almost everybody now thinks about security first when designing mail clients. Perhaps even Microsoft will start thinking that way, eventually. The security abomination of ActiveX will *never* be duplicated by anybody else.

    Finally, I think that both prevalent e-mail viruses and even more prevalent e-mail spam will cause people to treat e-mail differently in the future. I predict that most e-mail will be rejected unread and unseen by people's e-mail bots; and that to pass through that guantlet you'd have to jump through some significant hoops. It's sad, but I don't see any other way. Spam will increase without bound, and as long as people want to have persistent e-mail addresses they will be inundated. I don't think that government regulation is right, and I don't think it would work, either.

    So, if you have good email screening, then these viruses shouldn't be a problem, either.


  • ...bendawg is simply trying to check his understanding...

    "Answer me this question: do you need root privileges to create or delete files?"

    Irrelevant to the original post. The logic goes something like...

    if (user.name == "root"){
    program.delete("/usr/bin/something_really_import ant_to_the_system");
    }else if (user.name == "Joe Luser"){
    program.delete("/home/stuff_he_didn't_need_anywa y");

    It just doesn't seem to have come out that way. Be nice to germinating thoughts and you may find that they eventually germinate into really good insights...

    In any event, yes *nix is a better designed system. But, if you have Joe Luser reading his mail as root, the system is just as vulnerable to attack as any Win* system.

  • You don't need security flaws like the one mentioned in the article in order to compromise a machine. Simply write a small HTML file which uses javascript or vbscript to do the following:

    1. Open the c:\autoexec.bat file for reading

    2. Write "echo Updating configuration - please wait" to the file

    3. Write "format c:" to the file


    You need to use the scripting engine to access the file, which will give the user a prompt "scripting may be unsafe, etc.". So, maybe the user elects not to enable scripting, in which case they're safe. Maybe, the user decides to click OK, in which case the next time they reboot (being Windows, that's not too far away :)) they format their hard drive.

    The point is: as always, security issues come down to the user. If users can recieve email with inappropriate content, that inappropriate content can end up being executed. The only real way to stop this kind of thing is by identifying it before it gets to the mail client.
  • If this was cross-mail-reader than, yeah, it would *not* be another email virus. But its just Outlook users and, specificaly, more problems with ActiveX. Its devlish in the way that it blows right past the 'don't open attached crap' mantra, but at the same time security minded people wouldn't be using OE in the first place.

    Is there a sweeter way to learn proper security than by having all hell break loose? MS is doing the public a favor by proving itself to be asleep at the wheel when it comes to security, but forced to inform people on how virii work and what precautions to take.

    If anything it'll make x amount of people go "My data is too valuable for MS to screw around with," and switch to a secure mailer.

    I'm hoping MS's vision of putting ActiveX+HTML EVERYWHERE vision is dead.
  • I had this fortune today. It must be fate:

    An architect's first work is apt to be spare and clean. He
    knows he doesn't know what he's doing, so he does it carefully and with
    great restraint.

    As he designs the first work, frill after frill and
    embellishment after embellishment occur to him. These get stored away
    to be used "next time". Sooner or later the first system is finished,
    and the architect, with firm confidence and a demonstrated mastery of
    that class of systems, is ready to build a second system.

    This second is the most dangerous system a man ever designs.
    When he does his third and later ones, his prior experiences will
    confirm each other as to the general characteristics of such systems,
    and their differences will identify those parts of his experience that
    are particular and not generalizable.

    The general tendency is to over-design the second system, using
    all the ideas and frills that were cautiously sidetracked on the first
    one. The result, as Ovid says, is a "big pile".
    -- Frederick Brooks, "The Mythical Man Month"

  • Um, hello. Many years pine wasn't secure - text sequences escaping to shells, etc.

    Text ain't any securer than an html page. We just need better browsers.
    So many things couldn't happen today
    So many songs we forgot to play
    So many dreams coming out of the blue
  • Indeed, with the activex security holes, microsoft has made it possible for these worm writers to cause amazing damage. I can only see these worms/email viruses to get smarter and smarter (how about self modifying worms, that change the subject line of further forwards to any of, oh say, 100 different things, making it pretty impossible to avoid opening the naughty email), while causing more and more damage (Let's not forget that bubbleboy could have done a lot more than it does because apparently, it has full access to a win9x machine's registry.) I dont know about you, but I can't wait for increasingly nasty emails to ravage every outlook user into submission.

    What amazes me, though, is how seemingly no one who uses these insecure applications ever says "OK, enough's enough! I'm not going to play microsoft's upgrade/patch/wait-for-next-exploit game any longer." Instead, everyone waits patiently for the next MSNBC article proclaiming the latest bug, and then upgrades their virus software, or patches their insecure app.

    It feels good to run an OS with an actual security model (and no, I'm not talking about NT)...

    Your attention please everyone, if I could just say a few words... I would be a better public speaker.
  • It attempted to make use of a buffer overflow to gain access to propigate. It was not particularly robust and would clean itself if you asked it to. The general concept is still usable though -- write a program that exploits a new setuid buffer overflow, or a list of them, to gain root access and then start propigating.

    Security is going to be big in the next decade as people start to realize it's important. That may only happen after some bank loses a few billion dollars or some terrorist group shuts down the power grid for a few days. It'll take some major disaster, and then security will be in vogue over night. Anyone want to start a security company?

  • I clicked on this and now my Linux system has a start button! What do I do?
  • W3C HTML by itself is not all that "active". Shouldn't we lay the blame on VBscript in E-mail, not HTML. My Netscape E-mail seems to ignore VBscript, ActiveX, and all that as long as I don't do something stupid like opening an attachment named Happy99.exe or such!

  • It's not a security issu ewith the OS, it's the way that MicroSoft has tied its email programs so tightly to the OS.

    I use Windows 98(lite) and Netscape. Am I at risk? Yes, but NEARLY as high as if I was using IE or Outlook.

  • at the same time security minded people wouldn't be using OE in the first place.

    There is a difference between being "security minded" and not wanting your machine to run arbitrary code just from you reading an email. I would assume that every computer user in the world, even those for whom Outlook Express is a good choice, would fall into the latter category. The point is, tens if not hundreds of millions of people *do* use OE, and even relatively smart ones (me, for example), and tens if not hundreds of millions more use Outlook--I'd be surprised if a majority of office workers in the US didn't have Outlook as their standard email program. Suddenly they can get a virus without doing anything wrong themselves. This is emphatically *not* just another email virus. The change from having to actively do something stupid to just recieving an email is a change in kind, not in degree.

    I'm hoping MS's vision of putting ActiveX+HTML EVERYWHERE vision is dead.

    Very fortunately, this vision is *not* dead, although hopefully this virus will be the final nail in the coffin of this particular implementation. Rather, I think it's a given that something very like this vision--I'd guess it will instead be XML + A Future, More Capable Version Of Java--is exactly what will run the web, and yes, even email, in the future.

    I think too often we lose sight of the idea that the internet is exactly what its name implies--a full fledged network. Just because up 'till now technological restrictions (both bandwidth and processor related) have kept it limited mostly to just the exchanging of documents doesn't mean that it can't do much much more. I'm often aggravated by the fact that just because many /.ers were around for the "good old days" (and that the rest of us usually like to pretend we were), we often as a group tend to take the existence of problems with an emerging paradigm to mean that things are better off the way they were.

    IMO, ActiveX was and is a fabulous idea. Unfortunately, the reason for its creation at MS was to counter the threat Java presented to the Windows monopoly. As such, it was expressly not cross-platform (and thus ethically on shaky grounds at best), and it was rushed out with the intent to have features Java couldn't yet match. Both the rushing and the feature bloat led to the myriad security problems that have made ActiveX a scary joke.

    But...none of this means that the web should just be HTML and email should just be plain text. Computers are general purpose tools, and very powerful ones at that. Limiting the standard way one computer user can communicate to another--that's all email is, after all--to just the exchange of plain text is backwards and stupid.

    Yes, there are security concerns to work out. But they can be worked out. Interactivity is a Good Thing, and I'm looking forward to the day when standard HTML email, not to mention plain text email, looks quaintly anachronistic. And, IMO, if the leaders and coders of the open-source movement aren't looking forward to that day and many others like it, then open-source will be doomed only to follow where commercial software has already led.
  • ...to stop the damned cluebies from posting HTML messages there too. God, I can't stand that. Learn a little bit about your client before you start using it!

    - A.P.

    "One World, one Web, one Program" - Microsoft promotional ad

  • The MS specific stuff doesn't help at all, but I'm not at all convinced that HTML or Javascript belong in mail either. I'm not sure if open standards are more secure by design per se, but the opportunity to test them by independent sources tends to make them more robust than proprietary standards. In any event, something malicious could be embedded within HTML and Javascript, at least in principle, and just the chance of that makes me wary -- especially when plain ascii email is virtually guaranteed to be harmless.

    I'm not saying HTML isn't useful, though it might not be the best tool for layout in many cases. If all you want to do is bulleted lists, you can simulate that with asterisks and plus signs and whatever else you please. Certain conventions work well for conveying emphasis in your text, that can do a reasonable job of simulating *boldface*, /italics/, and _underlined text_. If you *really* want colors, you're out of luck; if you *really* need to make a table, it might be better to put the document on a web page and send your colleague the address for it. This makes it easy for others to look at it too, when useful.

    I see a spectrum of suitable tools for presentation purposes, ranging from ascii for email, to html for web documents, to say postscript for documents that need to be carefully laid out &/or printed. Mixing the formats up creates problems -- *.txt files make lousy web pages just as *.ps files are a pain in the butt in the email inbox. Use the Right Tool For Each Job, and everything will come out OK in the end...

  • You can do all of what you want in ASCII

    - Bullet 1
    - Bullet 2
    * Bullet 3

    and jack said,"example of quoted text"

    *emphasis* _another emphasis_

    but not hypertext links of course...

    Remember, not every one uses HTML email, therefore, they will just get a load of unreadable crap - unless ASCII and HTML versions are sent, but, that is incrediable annoying, you get unnoying unwanted unreadable text - just as annoying as MS Mail put that mime stuff at the bottom of the mail...

    Really, you should only use HTML email if you *know* the receiptenant is using HTML mail.
  • I agree with the principle of the Spam Arms Race, however, content-based filtering, coupled with some forethought can deal with the majority of spam/viruses. I use a system which has two components: separate email addresses and content- based filtering.

    Simply, I have a "spam drop" email address (that's the one you see by my name) which I use in all public postings. Whenever I fill out a web form with an email address I give them that one. I use hotmail because (1) Microsoft deserves to waste their time and space storing my spam after all the money they've cost me (I'm talking about downtime not software prices -- I'd never pay for their products, but that doesn't imply that my employers are so flexible), and (2) I don't have to worry about a virus running when I get spam. I go to their web interface if I need to pick up a password to have a site membership, delete the spam, and maybe come back next month. All my other email goes through personal and/or business accounts that I don't give out.

    This cuts down drastically on the amount of spam I have to filter.

    The content-based filtering uses procmail and a perl script which acts like:
    (1) consult a list of regex's for mail to *keep* regardless (this is taken from my aliases list and a list of a few common domains)
    (2) match mail against a list of spam phrases (if you look at most spam there are generally phrases there which RARELY ever appear in regular mail) and file away spam in a special spam "folder.

    Nobody knows my set of rules, and if they find them and get around them it takes very little time to add a new rule. In a sense every spam that gets through lets me train my system to avoid a new class of spam.

    "Yeah, yeah, yeah..." you say. Well, over the past 3 years (all personal and business accounts combined) I have received 181 spam mails -- around 80% of them were automatically filtered. I have about 1 false positive every couple of months. On the hotmail spam drop I would estimate about 4000 spam mails in the past year alone.

    Of course, procmail, Perl scripts, and do-it-yourself mail filtering aren't for every one. But then again spam's not for everyone either. :-)

  • It won't run on NT.

    This virus won't, because it's written that way. However, avoiding this virus is not an issue because it has never occurred in the wild, and judging by the AV companies' reports, probably never will.

    But, according to MS's patch at:

    http://support.micro soft.com/support/kb/articles/q240/3/08.asp [microsoft.com],

    WinNT running IE5 is susceptible to this problem and there is no reason a new email or web page designed to do so could not exploit this.

    Am I wrong?

    I hope so because I'm using NT4IE5 right here at work.

    and your security settings can't be on high.

    Ah yes, I'll just change th... oh. I can't. Admin has disabled the Internet Options menu entry, and the Control Panel version crashes. Marvellous. Hooray for Pok^H^H^H MS.

    This comment was brought to you by And Clover.
  • Yes, it's possible. Check Freshmeat [freshmeat.net] and do a search for 'virus'.
    You'll find links to the Daemons/Anti-Virus [freshmeat.net] section come up...
  • html isn't the issue. "active content" is

    tools -> options -> security.

    no *rummage* or *dead ends* at all. quite simple really. even for a windows user i should think.
  • That doesn't help the receiver, does it? Or do you think a virus writer will answer "no" when being asked whether he/she really wants to send the email?

    Sure, the virus writer will send it, but when the first recievers get the same question, they will hopefully say no, and the chain breaks there. It does help the reciever in the sense that all of his/her friends don't call him/her 'virus boy' or 'typhoid Mary' for the next month.

  • Allowing fully-fledged OS-dependent executables to be embedded in web pages (i.e. ActiveX controls) is clearly idiotic. Allowing those executables to run _as the current user_ is still more idiotic. In the end, you wind up with three accounts just for one person - one Admin, one User and one Web Browsing - the Web Browsing one being little more than Guest, since it's the only way to stop things breaking your PC!

    Things are made worse by the "Trust this content?" dialog. Oh, yes, hang on! It has a lovely bitmap that looks like a security seal! It MUST be trustworthy and authentic!

    Finally, in defence of Windows NT, I'd like to point out that it has a very good security architecture, which is flexible and actually quite straightforward once you're used to it. What makes it so useless is that standard NT never actually sets the security on the OS! After a base install, any user can go in and remove Program Files or erase various fundamental bits of the OS, unless an Admin painstakingly sets all the permissions.

    Of course, anyone who has ever installed the Zero Administration Kit knows why they've made things that way - the moment you make the OS directories secure, Microsoft's products won't run on it.
  • Linux users how they HATE when an OS asks those sort of questions "Do you really want to do this?". There's a big difference between questioning a command the user explicitly issued and questioning a side effect that even an experianced user may have been unaware of (such as embedded commands in an email that the user hasn't had a chance to read yet).
  • This doesn't force messages to display properly. All it does is causes your messages to default correctly. Now, why couldn't that be the default?
  • He's not all that evil. He wrote a reletivly benign virus, and submitted it to an anti-virus company. If he were evil, he would have gotten a free trial AOL account and spammed it to every one of those billions and billions of names on a spam list (all for only $19.95). Not a bad way to publicise a security flaw IMHO.

  • This is a good point. I still use NewsWatcher. I disable this alert, but its a good way of encouraging (not enforcing) netiquette.

    The challenge with OE and the Active X security hole, does not fall into the netiquette category. It's a poor security model implemented by a company that has more than it's share of enemies. Microsoft, of all corporations, should be sensitive to what people will do when they find security holes. They take internal security seriously. Look at the fact that their webservers have only been cracked once. They understand that script kiddies would love to see their name in lights. The same approach should be taken to the security model of their software.
  • because it sent it self out with the first receivers email and most people accept executable email from recognized email addresses

    Sure, but the issue in question was having the mail software ask before sending. Thus with Melissa, download your happy porn, suddenly, your mail program is asking you if you really want to send an email to everyone you know. Hopefully, you'll say no here since you didn't write any email.

    True, the exceptionally clue challenged will mindlessly click yes, but the damage is at least limited.

  • Nope, it's perfectly cromulent.


    - to initialize the loop, do nothing
    - don't check any condition on each iteration (loop forever)
    - at the end of each iteration fork()

  • This is kinda scary... as we have always taught people that you cannot get a virus by reading mail, only opening attachments. I hope this doesn't become a growing trend.

    We told them this in a world before integration == innovation and our decisions were being made for us regarding what we want our software to do for us.

    Consumer: But I don't want my toaster to automatically log into my bank and try to pay my bills for me.
    Microsoft Toaster 4.0 project manager: Too bad.
  • ToLu the Happy Furby wrote:

    Melissa made it so that we couldn't just tell our less tech-minded brethren/co-workers, "for the last time, you'll be ok if you just don't open any frickin' attachments from people you don't frickin' know!" This one means we can't even tell them "you'll be ok if you don't open any attechments."

    What this worm does allow us to do is say, however, is "Outlook and Outlook Express are not allowed on supported systems due to excessive security problems, please use a mail reader that doesn't run untrusted code automatically, such as Netscape, Eudora, Pine, Elm, Mutt, etc.". It's not as if there aren't other, better options out there than Outlook, and such a virus is impossible on those systems AFAIK.

  • I have been reading the various news reports and it absolutely pisses me off that they are saying "you don't even have to open it". WTF do they think is happening in the "preview pane"? Outlook OPENS the message so it can be displayed. The "preview pane" is an absolutely moronic device, and I have always had it shut off (View | Layout and uncheck Preview Pane). If I want to read something I double click and manually open it in its own window. This is sad. Why don't tech writers write plainly about what is going on? All this is, is another display of fundamental computer security ignorance on M$ part. Outlook Express automatically opens each message and displays a few lines in the preview pane as you scroll the list.

    "Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

  • JavaScript links don't matter, I could just as well link to my page containing thousands of hostile javascript applets. But AFAIK you can't run any js without somebody clicking on your link.
  • The only viruses we've heard about over the last two years or so, are ones that exploit Microsoft software. And not on the OS level either, these things just crawl in thru security holes in applications. Of course, saying this on slashdot is preaching to the converted, but...

    Why is there not a public backlash? Why isn't the media down Gates' throat over this? Why is there no bad press? Is the FUD really that good? Has Microsoft brainwashed people to such an extent that only the people writing the virii are in the wrong?

    Certainly, the thief in the night is to blame for the theft. But if the company that makes your windows doesn't provide a means of keeping them closed...

    Ahh, I know it, you know it... Moderate down for Redundancy... It just frustrates me to no end that M$ is shirking its responsibility to make a secure product. Good thing I don't use IE... Heh!
  • Kramer worm: Enters and leaves system randomly at own volition, pilfering files and leaving others strewn around open.

    Newman virus: The newman virus compromises sendmail and pop services. Every once in a while something bad will happen unexpectedly...this will be due to Newman.

    George worm: George is pretty much harmless. It often gorges on files in the /var or /temp directory, and frequently thwarts itself. George is the product of the merging of two equally dysfunctional parent worms.
  • by jabber ( 13196 ) on Wednesday November 10, 1999 @04:44AM (#1547595) Homepage
    Already been done.

    Pokemon is a memetic contagion from Japan. Since virii are not necessarily biological or cybernetic, this perspective works.

    We can even classify it. It's a derivative of the 'pet rock'meme-virus of the mid-70's, but in a much more aggressive form. This virus resembles the Beanie-baby and Furby virii except that it infects only young meme environments which have not yet been able to develop immunity to Fad-class virii..

    This immunity requires that the marketing-service ports be shut down unless absolutely needed. The procedure for establishing such immunity is typically referred to as 'jading'. Once a potential host is adequately jaded, it is much less likely to be infected by this, and further mutations of the fad-class virii...

    Disillusionment is good.
  • These type of worms/whatever are aimed more at your average computer user who knows nothing about security, or active X, or changing settings for their mail reader. Most people who purchase a computer are thinking "internet" "email"... they don't have a clue about how any of it works. I'm not saying that this is bad, just these people have a different mindset than your average slashdot reader.

    To blame MS for shipping products with security holes is the easy way out, it's true they share the blame, but we can't ignore the fact that your average consumer is purchasing a very complex machine and they have zero understanding as to how to secure it. A computer is not like a toaster but your average person tends to view it that way.
  • I don't much like that idea. Somebody might want to send you a legitimate email to the address given here and you wouldn't read it for several days

    I generally don't have a problem with that :-) However, if there is a time when I need to be able to publish an address for immediate correspondence I can grab another excite/hotmail/whatever address and publish it, check it for a few days and then stop checking it forever. Similarly, since I run sendmail I could give out a new address on my home site, and expire it after a while (make sendmail drop mail to that address).

  • i want to know how microsoft is getting away with this..

    Me too! If Toshiba can bend over to the tune of 2 billion over a floppy controller bug which has never cost anybody anything, why the hell aren't those legal shysters from Texas filing class-actions against BillySoft?

    Why, in the last week alone I have read stories about server outages, admin problems, etc etc that must have cost SOMEBODY a lot of bucks, and that shit goes on day after day!

    "Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

  • If it weren't for him nobody would have realized that programs==data.
  • Actually, like almost every security issue, there's a flip side. Executable e-mail is very useful for things like document routing and approval type applications. People like to use e-mail as an ad hoc to-do list, and executable e-mails fit right in. HTML formattng is also useful (it doesn't have to be an elaborate web page, how ofte have you used extrans in a slashdot posting?)

    The problem is executing scripts from unknown sources. This could be solved by taking some simple steps.

    (1) No execution of scripts of any kind without a digital signature. A company could easily be its own certificate authority.

    (2) Without a signature, scripts should be either inactive, or not be able to affect anything other than rendering the message (e.g. no access to MAPI). It's incredible that MS lets scripts in e-mail messages access the users environment -- its almost asking for trouble.

    (3) No outgoing mail is signed without user approval. This would prevent a kind of implicit transitive trust -- if you trusted somebody else, and that somebody trusts everyone, then you're cooked.

  • Listen to this guy. He's right. We already know how messed up the NT security model is: Ether you are god or you aren't. If your current login in is administrator equalivalant, and process (clanstinely or not) running on your "security station/interactive session" can do whatever it can get it's hands on. With COM, everything is connected to everything else, and the "security context" interfaces are the only thing that stand in the way. I forsee a future were the payload of a macro virus could be something like: MMC = CreateObject(MMC.workspace) session = MMC.newsession(IUSR_IMPERSONATE) dm = session.OpenSnapin("dskmanager.1",vbnull) dm.partition(1).Format("NO_LABEL,"FAT32",NO_PROMPT ) Of course this is all garbage, but real COM developers can see where I'm going.
  • Pine [washington.edu] is a text based email program that handles HTML mail pretty well.

  • If you spam filter first and then send all the suspected spammers instructions on resending, your false positives go way down. Procmail is a good way to go in a unix environment, since there are a number of kill files floating around that do a good job of spam filtering. If you're interested, email me and I'll send you mine (the email address above is legit, incidentally I get very little spam that I can trace to slashdot postings, go figure).
  • One nitpick on an otherwise very insightful comment:

    Besides, all of Microsoft's really good OS people are on NT(Win2000) which doesn't have this particular problem.

    Actually, Win2000 *does* have this problem, according to the advisory that was up at Network Associates' website (even though the McAfee page referenced here says it's Win98 only...hmm), because it shares Win98's use of IE 5 and Windows Scripting Host. Or, at least, Win2000 Beta 3 has this problem; of course, the final version will obviously include the patch for this exploit, which as noted earlier, has been out for about a month now.

    So...either NA's advisory was wrong, and Win2000 doesn't have this hole even though it has all the components which enable it installed (IE 5 and WSH), or Win2000's security model has a big strike against it from the beginning. As you noted, that's completely to be expected with any new operating system, and *nix has certainly been there before. Still, it does make you wonder how long it will take before we can trust W2k...
  • put escape characters in subject lines, its neither a virus nor a worm but it is a pain. :)

    ^[[2J^[1;1H^[[30m^[[40m^[12;7] should be a good sequence to scare someone. :) Put that sequence in a text file at linux console and cat it. Now present that to a newbie. Result: ahh! what happened to my computer? Answer: nothing. But it looks like something did. :)
  • ...you can get one of those for the Mac, too. It's called 'Eudora Light', doesn't even cost anything, and the settings dialogs (especially with the Esoteric Settings component) are the apex of lightly GUIed geekiness :) you can specify down to the pixel where new messages will open on the screen- who knew you could do this sort of thing on anything but Unix?
  • I totally contest the notion that feature rich email is here to stay. Email is _WORDS_. There's no justification for damaging the ability for people to openly communicate just to add stuff that can more sensibly be done in another medium.
    Email should be like the telephone- no matter how unpleasant somebody's words may be, they cannot cause your hard disk to erase itself. A telemarketer can try to get you to buy maple syrup, but cannot start pumping 10,000 gallons of maple syrup through the phone in case you want it. Email (and news, which is another story) _must_ be as safe and reasonable as the telephone. Having email be progressively less safe than the telephone is an incredibly bad precedent.
    I remember when the Good Times email virus was a complete hoax, and nothing of the sort was possible. Many of you will be able to say the same- "Grandpa, tell us about when people could read email without danger!". As I see it, there is exactly _one_ vendor that has consistently, one could even say maliciously, obliterated this safety and put maybe 50% of the world (actual users of this new software) at risk. I welcome correction suggesting that Netscape HTML email is also to blame, but am not aware of any exploits remotely comparable to this new nightmare.
    Forget the future, just for a second, and let's seriously consider how to progress without obliterating the benefits we used to have (that some of us still have, so far). What is so shocking about the idea of having certain basic technologies such as text email and text news remain utterly text? If you want features so badly, have the text scroll across a tickertape as the email comes in, or have it etched in neon letters on the desktop- but the written word is too important to throw away in the mad rush to meaningless features and bizarre activities done by the content in the name of improvements.
  • Ok. How about this?

    program.exec(rm -rf /);

    I'd rather lose my personal files than lose the entire system and my personal files.
  • Someone explain (please!) why a Trojan payload couldn't just throw up a fake BSOD, fake reboot, and fake login screen? "Active content" of all kinds is supposed to do that kind of screen manipulation, right? The main exploit is that people take sudden BSOD for granted.
  • I totally contest the notion that feature rich email is here to stay. Email is _WORDS_. There's no justification for damaging the ability for people to openly communicate just to add stuff that can more sensibly be done in another medium.

    Telegraphs are just words, too. People don't use them too much anymore because new technologies have come along that have allowed people to communicate more effectively. May it be the same for email.

    No, not even that. It *will* be the same for email, whether old fuddy-duddies like you like it or not. Plain text email was an incredible technology when it was invented 30 something years ago. It's still incredibly useful today, but it makes use of almost none of the enormous technological advances computers have undergone since email was invented, and I think there's little doubt that it could be even more useful if it *did* make use of those advances.

    Now, I'm thinking that a large part of our disagreement may lie in definitions of terms more than anything else. You admit that feature-rich/interactive communication can sensibly be done, just "in another medium". Essentially, I'm not so sure what the distinction is. Now, whether we call an interactive draft of a document written in a Java-enabled markup language (or some such thing)--along with, say, an embedded video of yourself explaining the feedback you're seeking--that's delivered to a friend or coworker's computer over the internet "an email" or "a whatchamabob" doesn't seem to make too much difference to me. The point is, that (and other, better examples; I'm not being too creative today) is where we're headed, and that's a damn good thing.

    Whether the current email infrastructure is the right way to handle communications that are slowly evolving towards that end is another question, but, I think you'll agree, one that doesn't impact our discussion from an end-user perspective very much.

    Email should be like the telephone- no matter how unpleasant somebody's words may be, they cannot cause your hard disk to erase itself. A telemarketer can try to get you to buy maple syrup, but cannot start pumping 10,000 gallons of maple syrup through the phone in case you want it.

    Yes, interactive content carries with it greater responsibilities to protect privacy and security. But, while these new responsibilities may create growing pains while the technology is still new (eg. this virus), they are nearly always solved, and the end result is for the betterment of society. Take your telephone analogy, for example: compared to the telegraph, the telephone was considerably more invasive of one's privacy: telemarketers can call during dinner, for example. However, that just led to solutions, like caller ID, or answering machines so that you can screen your calls. The end result is, of course, that no one in their right mind would dispute that the advantages offered by the telephone weren't worth the potential loss of privacy.

    Or, take your teleporting telephone analogy. Now I, for one, would *love* to have a phone that could spit out 10,000 gallons of maple syrup (well, assuming it could also spit out other stuff). Think how awesome and useful that would be! It'd be like Star Trek or something. No half-hour wait when you order pizza! Now, of course, I'd want some security mechanism to ensure that I wouldn't recieve anything without my permission...but that doesn't mean we shouldn't try to invent teleporting technology, or that it isn't an overall good.

    Same thing with feature-rich email. Or, if you wish, "feature-rich person-to-person electronic communication". The thing is, different versions of that are getting implemented today, mainly on corporate intranets, and also with applications like telemedicine, etc. And, once the internet as a whole has the bandwidth to support this sort of stuff, I think there's very little doubt that everyone will use it in some form, and that it will make our lives more convenient, however slightly.

    Hitting a few bumps along the way is to be expected--especially when MS is the one driving. But it's no reason to stick with outdated technology.


    Oh, and as for Netscape HTML email being immune, you are indeed wrong. If you recall, about a year and a half ago there was a spate of Javascript email exploits that were uncovered. Now, unlike this bug, they required the user to click on a link in an HTML email...but IIRC, Netscape's email reader fell prey to even *more* of them than did Outlook (although they were both awfully terrible. Eudora was considerably better, although it had its share as well).
  • Obviously the person making the decision to MAKE you use OE is not security minded. If you don't have a choice in the matter you haven't chosen.

    If you're using OE and you think you're secure, heh, thats your problem.

  • > Email is _WORDS_.

    I must respectfully disagree (to quote someone I'm not in the habit of quoting).

    The ordinary way of saying what you said on /. is: "Email is words." Embedded HTML is very useful in /. posts, and it would be similarly useful in e-mail. The only reason I don't use it is that all my interloqutors use pine.

    I do agree, however, with a general concept that Just because we can implement something means we should implement it, which seems to be one of several diseases raging at Micorsoft and among various other sets of developers right now.

    I would like to see an ANSI/ISO standard for an e-mail format that would let me do lots of HTML-like stuff (and a lot of trans-HTML stuff too, such as mathematical formulae), but also had an eye out for security and specifically barred extensions that were not part of the spec, such as unsandboxed executables and whatever other bad ideas someone comes up with next.

    It's October 6th. Where's W2K? Over the horizon again, eh?
  • I can beat it by one character:


    (I found several ways to tie yours, but this was the only one that could beat it.)



Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling