Slashdot Mirror


Clever New Windows Worm

freakboy303 sent in linkage to a new worm that will no doubt be cluttering our inboxes soon. Clever bits include running its own SMTP service to increase chance of success, as well as using a bunch of spaces to disguise the true extension of the executable. No doubt countless copycats will soon follow and our inboxes will be cluttered by countless copies of the thing. Not that there's a problem with windows security.

194 of 621 comments

  1. So by xercist · · Score: 2

    it runs an SMTP server and has spaces in the file name. This is supposed to make it "clever"? None of this is original.

    --
    grep "xercist" /dev/random ...you'll find me in there someday
    1. Re:So by bn557 · · Score: 3, Funny

      no no no,

      see, people have either used a local smtp server OR used spaces. This is obviously the work of a professional. No script kiddie could be THAT good. This guy probably has an AMD

      Pat

      (link is to a funny article)

      --
      Humans are slow, inaccurate, and brilliant; computers are fast, accurate, and dumb; together they are unbeatable
    2. Re:So by Tower · · Score: 4, Funny

      Hmmm, I thought there was already a patent for that. Something like:

      Method and Apparatus for delivery of a self-replicating bytestream through use of a square port number and excessive white space.

      Couldn't find it on the patent search site, though ;)

      --
      "It's tough to be bilingual when you get hit in the head."
  2. More Slashdot demagoguery? by Wire+Tap · · Score: 3, Interesting

    Not that there's a problem with windows security.

    Why do the editors of Slashdot ALWAYS put their unproductive, derogatory, flaming, two cents at the end of _every_ story regarding something "AWFUL" Microsoft has done? Either they are really insecure about "their Linux," and can't get fulfillment from any other means than bashing the competition, or they really don't believe in what they advocate so much. I'm sick and tired of hearing it! Come ON Slashdot! There are countless posts in previous stories that sound just like this one - all in response to the crap you guys put in the Microsoft stories. Get the picture: no one wants your bias. Bias makes for unreliable, untruthful, and slanted news.

    With that being said, of course there are problems with Windows security. There are security problems in EVERY OS. Stop pointing the relentless finger at Microsoft every chance you get.

    --

    Man is born free; and everywhere he is in chains.

    1. Re:More Slashdot demagoguery? by Wire+Tap · · Score: 2, Troll

      But editors in the respected news firms of the world do not say things as unproductive as those who edit on Slashdot. As editors, they have a RESPONSIBILITY to get _news_ to us, not their own biased point of view.

      How many inexperienced people will read that snippet (and other snippets) and forever think of Microsoft as an EVIL EVIL SCUM with no mind for security at all? Think about what influence Slashdot has over a very large proportion of the "geek community" and other technical and scientific groups.

      All I am saying is that Slashdot should put aside their pride, zeal, or whatever it might be that drives them to attach unproductive garbage to the ends of stories. They should recognize this on their own, but, apparently they do not. It's unfortunate, as Slashdot is one of the best places on the Internet to go for news, and heady, informed discussion.

      --

      Man is born free; and everywhere he is in chains.

    2. Re:More Slashdot demagoguery? by Wire+Tap · · Score: 4, Offtopic

      I simply assumed that people on Slashdot are above those biases. We are (mostly) computer and science enthusiasts, and, generally, those types are able to make well-informed decisions about things. And, decisions of that sort are best made without the influence of bias. Some would argue that if bias is a factor, those decisions are no longer well-informed - they are inherently ill-formed.

      I could be wrong, but I thought that most of the users of Slashdot were above bias. I may have been wrong. Please excuse me if I was.

      --

      Man is born free; and everywhere he is in chains.

    3. Re:More Slashdot demagoguery? by kilgore_47 · · Score: 2, Troll

      How many inexperienced people will read that snippet (and other snippets) and forever think of Microsoft as an EVIL EVIL SCUM with no mind for security at all?

      See, the facts are that Microsoft actually is "EVIL EVIL SCUM".
      So cut the /. editors a break, they're just reporting facts!

      --
      ___
      The way to see by faith is to shut the eye of reason. --Ben Franklin
    4. Re:More Slashdot demagoguery? by .sig · · Score: 2

      Yes, and by choosing which to relay, they make the "news."

      Bad news for windows == Post the story.

      Bad news for *nix == Dump the story

      It's called reporting, that's why you can't base all your news on one source. News organizations of all kinds only publish what they consider newsworthy. If they don't want the public to know something, they don't publish it.

      --
      -Space for rent
    5. Re:More Slashdot demagoguery? by Jason+Earl · · Score: 2

      Really!?! Show me the Email client that launches an executable simply by double-clicking on it.

      What? You can't find one. Perhaps Microsoft will write one so that Linux can be unsecure as well.

      Yes, there are security problems in every OS, but Microsoft goes out of its way to create security problems. Regular users can delete, update, or change system files in the default setting. What the heck sort of security is that? Microsoft has even blurred the line between data and executables by creating documents that can launch macros with hooks into the entire operating system. What was Microsoft thinking? At the very least Microsoft should have created a sandbox for these VBA macros.

      The fact of the matter is that Linux + StarOffice is an order of magnitude safer than Windows + Office and would be even if Linux had the greater market share.

    6. Re:More Slashdot demagoguery? by FortKnox · · Score: 4, Offtopic

      I'd prefer it if they just wouldn't post anything about MS unless its related to Linux. Fact is, bad publicity is still publicity. If they wanted to be mature about MS vs. Linux, they wouldn't post this stuff.

      The key word in the above paragraph is "mature". It's like I always say about elitists and linux. They like being able to put other OSs (in this case) down, that is why you find people bashing Linux newbies instead of helping them out. Cause if everyone used Linux, they wouldn't be "special" and be able to insult the "average man".

      Remember, the men behind /. are kids fresh out of school, without any business tact (not that I've shown much, but I'm not being paid to be here...).

      --
      Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    7. Re:More Slashdot demagoguery? by nomadic · · Score: 2

      I agree with you there, but I'd like to get some opinions on something I think I've noticed, but can't be sure of:

      Is it me, or are the comments under the stories actually getting less anti-microsoft? Seems to me like a year or two ago very few people would be willing to defend MS (or decry anti-MS sentiment), but nowadays people are a little more level-headed about it it seems (at least in the comments section; the /. editors still like to tear into them). Is that because slashdot is becoming more mainstream, or because MS software actually is pretty decent these days (I find XP a lot less irritating to use than X), or am I just coming out of left field here?

    8. Re:More Slashdot demagoguery? by FortKnox · · Score: 3, Insightful

      Show me a soccer mom that can pick up Linux+StarOffice and use it.

      Show me an average person that can learn how to open up attachments with one of your "safe" email programs.

      The graph you are now picturing is "User Friendliness" vs. "Security".
      The market will show you which one is in higher demand.
      Not that I agree with it, just telling you the way it is.

      --
      Good quote, too many chars. Seriously, the slashdot 120 char limit sucks!
    9. Re:More Slashdot demagoguery? by Hormonal · · Score: 5, Insightful
      It's unfortunate, as Slashdot is one of the best places on the Internet to go for news, and heady, informed discussion.

      OK, I come here for news, and for discussion. I read the headlines, generally the blurbs, and I poke around in the discussion until I can't stand it any more.

      I don't use this site as a basis for generating opinions regarding what company is bad, what company is good, or what text editor I should use. I have my own methods for said exercise.

      Surely, you realize that this site is coded, maintained, and read by geeks. I find it quite unlikely that a reader of this site hasn't formed an opinion one way or another regarding Microsoft. We don't thaw out cavemen, and then teach them to read, using Slashdot (boy, that'd be an exercise in futility, with the l33t speak, and the horrific grammar and spelling.)

      Bottom line is this, and I know it's been said many times in the past: This is not a real news site. It's just a weblog, and it happens to have a lot of people who like it. The Slashdot editors are under no obligation to be fair, or unbiased. If you don't like it, create your own site. Buh-bye.

    10. Re:More Slashdot demagoguery? by Tower · · Score: 2

      They *did* post the Aix/Solaris login hole... http://slashdot.org/article.pl?sid=01/12/13/1553239

      Of course, one could see that as a "See, Linux and *BSD are just as secure as those multi-zillion dollar *nixes" type of bias. But hey, if you have a soapbox, you get to decide which side you stand on, and what you want to say.

      --
      "It's tough to be bilingual when you get hit in the head."
    11. Re:More Slashdot demagoguery? by child_of_mercy · · Score: 2

      because it's their site

      go somewhere else if you don't like it.

      --
      'There is a Light that never goes out.'
    12. Re:More Slashdot demagoguery? by child_of_mercy · · Score: 2

      if it came pre-installed like windows does?

      no problemo.

      --
      'There is a Light that never goes out.'
    13. Re:More Slashdot demagoguery? by Jason+Earl · · Score: 2

      Good points. Of course, my response had nothing to do with ease of use. The original poster intimated that Linux had these same sorts of problems, and I pointed out that it doesn't.

      Personally I think that if the question were spelled out as bluntly as you have said it that many organizations would opt for Linux's slightly lower user-friendliness, and much higher security.

      Then again, I think that we are very likely to see StarOffice become popular due to its much lower price. In my opinion Windows, StarOffice, a decent email client that doesn't allow you to launch executables by double clicking, and a good virus scanner hits the sweet spot between usability and security.

      Most users would still be able to do all of the stuff they currently do (including run all of their Windows software and open most of their Office documents), and yet they would be infinitely safer from viruses, trojans, and other malware.

      Until it comes pre-installed Linux isn't likely to be a good fit for most folks.

    14. Re:More Slashdot demagoguery? by rseuhs · · Score: 2
      But editors in the respected news firms of the world do not say things as unproductive as those who edit on Slashdot. As editors, they have a RESPONSIBILITY to get _news_ to us, not their own biased point of view.

      I don't think you get it.

      Slashdot is a site from the (tech)people for the (tech)people, that's why it gets a hell of a lot of typos, comments, double-posts, discussions, flamewars and bias.

      I am really happy that there are still sites not controlled by huge corps.

      Of course this is a hard concept for some people.

      If you love to look at sites with no typos, no comments, no double-posts, no discussions, no flamewars and a more subtle form of bias, why don't you go here or here

      On those sites there is no need to tell people to shut up, because people don't get to speak at all.

    15. Re:More Slashdot demagoguery? by the_rev_matt · · Score: 2

      I was under the impression that /. was a site for discussion of a wide variety of issues/stories that would be of interest to technically minded people. Hence the frequency of stories about genetics/astronomy/physics/science in general, as well as discussion of new hardware/software regardless of platform. A large number of /. users run Windows at home or at work or both and often are responsible for maintaining those machines. A story such as this is a valid story for this audience, and as I have to run Windows at work I like to know what is likely to have an impact on me.

      --
      this is getting old and so are you

      blog

    16. Re:More Slashdot demagoguery? by mwalker · · Score: 2

      Any attempt to compare the Slashdot editors to editors in the normal journalistic sense is absurd. Are editors of the New York Times just customers of the NYT? No. But here at Slashdot, Editors are just Users, just like everybody else. They don't have any special powers or privileges like, say the editors of the NYT. You have to read that link fully to understand - but trust me - the comparison is completely without merit.

      The Microsoft icon here is symbolically equivalent to burning Bill Gates in effigy. You want impartiality? Get a grip.

    17. Re:More Slashdot demagoguery? by JabberWokky · · Score: 5, Insightful
      But editors in the respected news firms of the world do not say things as unproductive as those who edit on Slashdot. As editors, they have a RESPONSIBILITY to get _news_ to us, not their own biased point of view.

      Bullshit. If Slashdot wanted to be a "respected news firm", then that would make sense. However, it's run by some guys who liked Legos, Star Wars and KDE on Debian. They post links to stuff they think is nifty around the web, and a community grew around it. Now most links are submitted by readers and we all chat in the discussion board under each story. But at the heart, it's *still* just a website run by some guys who think legos (now mindstorms) Star Wars (now the pre-trilogy) and... well, CmdrTaco still uses KDE on Debian at any rate.

      Think about what influence Slashdot has over a very large proportion of the "geek community" and other technical and scientific groups.

      It's opinion. People have them, and some people make theirs very public. It's part of human nature. I'm sure your office has a guy who goes off about how great some type of coffee is, or some woman who will tell anybody who will listen the plot of last night's TV show that she loves. Well, remember how I said that this is *not* a news site, but a site run by some guys who like geeky stuff? Their opinions are that Microsoft generally sucks (and it's shared by quite a few people). I may not agree (in fact I don't - and I run Linux on server and desktop), but I don't bitch about them stating their opinion on the site they run.

      Dear Ghod - do you write in to Art Bell and bitch that he shouldn't have weirdos on his show? Do you write in to Howard Stern and tell him he should be more compassionate? Do you write in to Rush Limbaugh and tell him that he should stop expressing his opinions on political issues? No - they (and two of those three I can't stand listening to), are great radio *because* they are opinionated bastards that put weird, occasionally informative crap up on their show.

      --
      Evan

      --
      "$30 for the One True Ring. $10 each additional ring!" -- JRR "Bob" Tolkien
    18. Re:More Slashdot demagoguery? by dachshund · · Score: 2, Interesting
      But editors in the respected news firms of the world do not say things as unproductive as those who edit on Slashdot. As editors, they have a RESPONSIBILITY to get _news_ to us, not their own biased point of view.

      I can't tell you how annoyed I get every time I read a [insert major newspaper here] article about the latest worm that's wreaked "hundreds of millions of dollars" of damage upon American businesses.

      A lot of people are blamed, heads are called for (usually some dumb teenager in Kinosha or the Philippines, wherever.) But in not one single instance have I read an article that pointed out the key fact-- that not one of those millions of dollars would have been lost had Microsoft simply built a product with a better security architecture.

      So while I appreciate your quest for accurate news reporting, I don't find it in the major new outlets. The fact of the matter is that Microsoft bears a great deal of responsibility for the existence of these worms. Preventing the execution of potentially dangerous code should be a priority. These issues are not new with Windows, but even by the standards of recent Microsoft history they're old hat. How long ago was it that Microsoft Word was first infested by Macro viruses, and how many products and OS designs have made the same mistakes (on a grander scale) since then?

      I'll take the opinionated rantings of the Slashdot editors (with the subsequent opinionated rantings of the pro-MS lobby) over the non-news I see in the "respected" sources.

    19. Re:More Slashdot demagoguery? by LinuxHam · · Score: 2

      slanted news

      Slashdot: we put the / in slanted news :)

      --
      Intelligent Life on Earth
    20. Re:More Slashdot demagoguery? by susano_otter · · Score: 2

      I simply assumed that people on Slashdot are above those biases.

      BWAHAHAHAHAHAHAHAHA!

      Nice troll!

      --

      Any sufficiently well-organized community is indistinguishable from Government.

    21. Re:More Slashdot demagoguery? by LinuxHam · · Score: 3, Interesting

      I'd prefer it if they just wouldn't post anything about MS unless its related to Linux. Fact is, bad publicity is still publicity

      I, and I would think others, don't mind reading about Windows vulnerabilities here. I just see through the bias statements. One thing's for damn sure, I'm not about to start reading some Windows site for good details on the hole-of-the-week.

      If you don't want to read about Microsoft here, just turn it off in your preferences.

      --
      Intelligent Life on Earth
    22. Re:More Slashdot demagoguery? by pyramid+termite · · Score: 2

      Bullshit. Linux-Mandrake [linux-mandrake.com] is amazingly easy to use,

      Once you get it installed. I downloaded 8.1 - at the end of installing the files off the first CD, it hung up and refused to do anything else. I solved the problem by informing the install program that I had just one CD, figuring I'd install the other 2 CDs later.

      My next problem was the package manager didn't want to install off my regular read CD. I put the CD into my Creative CDRW, and locked up my computer. A quick look at /etc/fstab revealed that it had identified my CDRW as a SCSI drive, not an IDE. I corrected this, and have been doing alright, although I still can't switch CDs when installing groups of programs.

      I guess that wasn't too hard, seeing as I know what I'm doing. But "amazingly easy" for a newbie? No, it's not quite there yet.

    23. Re:More Slashdot demagoguery? by tswinzig · · Score: 2

      I'd prefer it if they just wouldn't post anything about MS unless its related to Linux

      Then I guess you'd be shocked to find out the percentage of people browsing this site via Windows, eh? Hint: It's larger than the percentage viewing it from Linux.

      --

      "And like that ... he's gone."
    24. Re:More Slashdot demagoguery? by Jason+Earl · · Score: 2

      I suppose that if I was some kind of masochist I could save the binary file to my hard drive using Emacs/Gnus, chmod +x it, and then fire it up by typing something like ./dangerous_executable, but this sort of thing would give even the dimmest of dim bulbs time to think about what they were doing. It also assumes that the system administrator hadn't set up the user's home drive to disallow executables.

      IMHO Windows users so far have gotten off fairly easy. Trojans with .pif in their name are so easy to filter that it's a wonder these things work on anyone. A really nasty worm would leverage VBA in a Word document or an Excel spreadsheet. It absolutely amazes me that Microsoft thought that Word needed a programming language with hooks into the operating system. Systems administrators can't reject .doc files out of hand, and if you get a .doc file from your boss chances are good that you are going to open it.

      The only user that I blame for these sorts of trojans is the user that chose Outlook as the company standard email client. It's not the folks down in marketing's fault that IS has given them a bazooka, aimed it at their foot, and pulled off the safety. When push comes to shove the only thing that really is easier to do in Outlook is bring down your mail servers.

    25. Re:More Slashdot demagoguery? by muffen · · Score: 2, Interesting

      This whole thread should be marked OFF TOPIC!!!

      I do however think it's time for on article about slashdot on slashdot, so maybe the editors can learn about what people think about slashdot and what can be done to make it better.

      Guess I have an offtopic mod coming towards me...

    26. Re:More Slashdot demagoguery? by Dwonis · · Score: 2
      There are security problems in EVERY OS.

      Touché.

      Someone should prod DJB into writing an OS...

    27. Re:More Slashdot demagoguery? by jgerman · · Score: 3, Insightful
      I'm not going to get drawn into this holy war again, but Windows has problems during installation as well. Newbies can't install Windows any more than they can install Linux. But they don't have to, thanks to MS strongarming vendors windows comes pre-installed. For a plug and play system Windows is pretty pathetic. I had to hunt all over for a driver for my USB CdWriter, Redhat 7.2 picked it up and installed it with no complaints and without me doing a thing. I didn't even have to pop in a manufacturer disk to install software and drivers.


      It all boils down to the same thing time and time again. Windows is no more usable than Linux it is only more common. There are an infinite number of ways a UI could have been designed. It just so happens that people have had Windows crammed down their throats for so long that something different seems hard and un-intuitive.

      --
      I'm the big fish in the big pond bitch.
    28. Re:More Slashdot demagoguery? by Hormonal · · Score: 2
      Actually, I'm surprised I didn't start a flamewar with that. I thought about using something else (say, window manager), but decided on my first instinct.

      Thanks for the text-editor vote. It's duly noted.

    29. Re:More Slashdot demagoguery? by budgenator · · Score: 2

      Well actually I look at it like this, in the army if a story is started with a line like "now this is no bullshit"; the story is either
      1. total bullshit but hilarious
      2. actually happened but told from a bizarre point of view.
      3. is a totally stupid thing that everybody has done themselves, pretends they haven't

      same kind of thing here. The Microsoft bashing is a kind of inside joke. The joke is actually more about us being geeky, hyper-focused on how bad they are, and a little bit myopic towards reality. Now, having explained that in as unbiased a manner as possible for a /. reader, I have to inform you that the secret anti-Microsoft bashing society local #0400, ( #0400 is where CP/M a pre-DOS OS loaded programs, you could exec that location and run the program in memory recovering unsaved changes in the process i.e. obscure inside joke) requires me to insert this biased phrase "but you have to admit that their software and business practices make them such an easy target."

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    30. Re:More Slashdot demagoguery? by budgenator · · Score: 2

      slashdot is a business, and one operating in a very tough niche, basically lots of competition and very little available ad revenue these days. If style of story A generates $1000.00 in ad revenue and style B generates $50.00 guess which gets posted. This is not bad either actually, it's giving us what we want, we vote by what we click on each visit and we get what we want.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
  3. So Yet Another MSTD by White+Roses · · Score: 2, Interesting

    Chances are that this has already had a patch released, I am sure. Chances are also that there are an awful lot of unpatched machines out there. I have to say the social engineering on this one is pretty clever. Who hasn't gotten a message like that? I mean in Outlook.

    Now for the usual run of blame: hackers for writing it, MS for releasing Outlook, users for not patching. For the real solution, see my sig.

    --
    Do not touch -Willie
  4. You know.... by Erik+Hollensbe · · Score: 2, Interesting

    .. windows handling of this pisses me off and all that, but if these were ELF executables being tossed around that did the same thing (all of which is possible through a normal user account on most unix machines), I doubt that we would be laughing so much. Especially those of you who administer 1000+ users with shell accounts...

    Just my $.02

    1. Re:You know.... by hackerhue · · Score: 2

      Not only would you need to save it, you'd also have to chmod it and make it executable before you explicitly execute it.

      --

      To get something done, a committee should consist of no more than three persons, two of them absent.

    2. Re:You know.... by Professor+J+Frink · · Score: 2, Insightful
      1. ELF executables would need to be (as per the usual retort of such idiotic comments) first marked as executable and then run by the user as an executable not run either by mistake as the user thought they were a text/image file or simply by the email client running them without any user intervention. I know of no unix client that does this and even the relative lack of HTML email is in itself a good thing in a security sense.
      2. There tends to be a much wider range of email clients in use on unix machines: pine, kmail, mutt, xfmail to name a few. To make a worm that attacked all of these would be very hard, and only targeting one would greatly limit the impact.
      3. I can manage millions of shell accounts and it wouldn't matter if I (through some miraculous event) was infected by an email worm as I wouldn't be reading my mail as root normally, and root would be reading mail through a known robust mail client, probably on a remote machine. Impact of a normal user on such a system will also be quite limited as it isn't often that easy to find out all the users on a machine and even if you do the 'worm' is still only on that one system and is easily prevented spreading onwards.
      4. Homogeneity makes Windows a nicer 'user experience' but it also provides a very fertile ground for viruses and worms. There is far too much variety in the types of Unix, and the distributions of Unix and the number of clients for the sort of world-crushing effects that Windows security flaws produce. There are only 3 systems I can think of that would produce this: sendmail, apache and bind. Apache has a very good track record, bind and sendmail not so good but even though they are highly dominant they don't seem to produce such continual levels of exploitation and more importantly learn from their mistakes.
      In fact it is often Unix that reduces the impact of Windows email viruses and worms due to sendmail/procmail filtering rejecting known infected mails.

      All I hope is that the unix developers out there are looking long and hard at Microsoft's mistakes and learning from them. Unix viri and worms aren't impossible (there have been a handful over the years) but they are certainly a lot less prevalent and mostly a lot less destructive both through intention and as a side benefit of general unix design and unix variety. Variety is good, look at the world about you.

      --
      "Don't get mad, get a monkey!"
  5. uber-uber time? by Erris · · Score: 2

    If the W2k virus is "Based on NT Technology", where NT stands for "New Technology", will the next patch recursively contain the previous "uber" patch. The New Technology Technology Uber Uber patch?

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
    1. Re:uber-uber time? by sam@caveman.org · · Score: 2

      HAL--IBM
      VMS--WNT

      -sam

      --
      burn the computers. go back to the abacus.
  6. Where is the useful information? by Havokmon · · Score: 2

    So I check the link to see what I can do to stop this worm before virus defs are released, and the best I can find is to drop .txt.pif ? Ok, that's nice, but I don't like to rely on extensions..

    Where is the link to all the detailed meaningful info about this worm?

    --
    "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
    1. Re:Where is the useful information? by Howie · · Score: 2, Informative

      Based on previous posts in the last week, there's not much reason not to rely on extensions - after all, IE and Windows do.

      The reason the thing is treated as an executable is because of the .pif extension... there's no really good reason for anyone to want to send you a PIF file these days - they are more or less a DOS/Win3.x hangover. Block *.pif.

      [agreed that useful info about the worm would be good too]

      --
      "don't fall into the fallacy of believing that Perl can solve social problems. Maybe Perl 6 can, but that's a ways off"
    2. Re:Where is the useful information? by scott1853 · · Score: 2

      Outlook Express 6.0 has some checking already built-in to say "hey this might be a virus" before you open attachments with .pif extensions as well as some others (I don't remember which).

    3. Re:Where is the useful information? by Havokmon · · Score: 2
      Block *.pif.

      Already done, but the issue isn't the name, it's the code. We don't run Outlook, but if this thing was renamed before being sent, it could still potentially be damaging...Especially since the writeup at the link is so...sparse.

      --
      "I can't give you a brain, so I'll give you a diploma" - The Great Oz (blatantly stolen sig)
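The naming trick in the story (padding the name with a run of spaces so the real .pif extension is pushed out of view behind a harmless-looking .txt) is easy to check for at a mail gateway, and the point made just above, that the problem is the code rather than the name, can be covered by also looking at the decoded payload. The script below is an added example written for this page; it is not code from the page, from the worm write-up, or from any product mentioned here. The message it parses is constructed inline, the attachment body is just the two bytes "MZ" rather than a real program, and the extension list and the four-character whitespace threshold are assumptions to tune for your own site.

```python
"""Flag mail attachments whose names hide an executable extension behind
whitespace padding or a double extension, then confirm with the payload bytes.
Added example for this page; the message below is constructed, not captured."""
import email
import os
import re

# Extensions Windows runs directly on double-click (assumed list; .pif is the
# one the worm in the story uses). Extend it to taste.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".com", ".bat", ".cmd", ".scr", ".vbs", ".js", ".lnk"}

# Hypothetical attachment name: what the user sees is "document.txt"; the
# real extension is pushed out of the visible column by 40 spaces.
DISGUISED_NAME = "document.txt" + " " * 40 + ".pif"

# Constructed sample message. The "attachment" body is the two bytes "MZ"
# (base64 "TVo="), the start of a Windows executable header, not a real program.
SAMPLE_MESSAGE = "\r\n".join([
    "From: sender@example.invalid",
    "To: victim@example.invalid",
    "Subject: document",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="sep"',
    "",
    "--sep",
    "Content-Type: text/plain",
    "",
    "Please look at the attached document.",
    "--sep",
    "Content-Type: application/octet-stream",
    "Content-Transfer-Encoding: base64",
    f'Content-Disposition: attachment; filename="{DISGUISED_NAME}"',
    "",
    "TVo=",
    "--sep--",
    "",
]).encode("ascii")


def analyze_filename(name):
    """Return the reasons a filename looks like a disguised executable ([] if none)."""
    reasons = []
    stripped = name.rstrip()          # trailing blanks do not change what Windows runs
    base, ext = os.path.splitext(stripped)
    ext = ext.lower()
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        # "readme.txt.pif": the inner extension is the one meant to be noticed
        inner = os.path.splitext(base.rstrip())[1].lower()
        if inner:
            reasons.append(f"double extension {inner}{ext}")
    # a run of 4+ spaces or tabs directly before the final extension (threshold assumed)
    if re.search(r"[ \t]{4,}\.[^. \t]{1,5}$", stripped):
        reasons.append("whitespace padding before the final extension")
    return reasons


def scan_message(raw):
    """Parse a raw RFC 822 message; return [(filename, reasons)] for suspicious attachments."""
    msg = email.message_from_bytes(raw)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue
        reasons = analyze_filename(name)
        payload = part.get_payload(decode=True) or b""
        # the name can say anything; the first bytes of the file are harder to fake
        if payload.startswith(b"MZ"):
            reasons.append("payload starts with the MZ executable header")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in scan_message(SAMPLE_MESSAGE):
        print(repr(name))
        for reason in reasons:
            print("  -", reason)
```

Run it as a script to see the findings for the sample message, or feed `scan_message` the raw bytes of a real message from a mailbox or a procmail pipe. A name that only trips the whitespace rule is still worth quarantining, since the padding itself has no legitimate use, and the MZ check catches the case Havokmon raises where the attachment has been renamed to something not on the extension list.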
  7. Re:Interesting by Anonymous Coward · · Score: 2, Funny

    Macros don't infect people - people infect people.

  8. Am I the only one...? by Wakko+Warner · · Score: 2, Interesting

    ... who hasn't gotten a single one of these worms? I think the only one I got was the "I send you this file in order to have your advice" thing like 6 months ago. No Nimda for me, no Sircam, no other elite macro viruses. Are the people I converse with in email just cooler/smarter than everyone else, or is this whole email virus thing more hype than reality?

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
    1. Re:Am I the only one...? by Dimensio · · Score: 2

      I've never gotten any virus of any nature through e-mail. Either no one likes me or no one I know is stupid enough to open e-mail attachments.

    2. Re:Am I the only one...? by Tackhead · · Score: 5, Funny
      > Are the people I converse with in email just cooler/smarter than everyone else

      At the risk of stroking the collective /. ego, yeah, they are.

      Canonical example - someone who got Sircammed at work, came to me and said they were having trouble opening up this attachment someone had sent them, and they wondered why someone sent it to them in the first place.

      I did my best "All your base!" voice and said "I send you this file to have your advice!"

      Cow orker said "Yeah, hey, how did you know that? Are you reading my mail?"

      Another admin and I spent the next hour disinfecting 0wn3d box3n from other cow orkers who had done the same thing.

    3. Re:Am I the only one...? by suwain_2 · · Score: 2

      I actually asked a friend who got SirCam to send me a copy so I could say I got it. :)

      --
      ________________________________________________
      suwain_2 :: quality slashdot p
    4. Re:Am I the only one...? by ethereal · · Score: 5, Insightful

      That's the idiot that picked Outlook/Exchange for the corporate messaging system, right? Sorry, I'm not ranting at you, but I hear this a lot at work and want to set the record straight.

      I don't think it's fair to blame the user for not knowing that ".txt.pif" is a magic extension that can hurt their computer, or just to tell them "don't open email from someone you don't know". The fact of the matter is that it's wrong for your email client or your web browser to execute code from an unknown source, and the user should have to take positive steps (more than one) to execute such things. Microsoft's email tools are fundamentally broken, even to the point where they betray their supposed ease of use by requiring the user to puzzle over which emails are safe and which aren't.

      So no, I don't really blame the marketing guy for not knowing that ".txt" is OK but ".txt.pif" isn't OK - it's not his job to know. It's the job of the tools Mr. Marketing is given to tell the difference for him and not automatically or easily do something dangerous. And it's the job of corporate IT purchasers to make sure that the right tools are being given to Mr. Marketing. More than anything, the repeated Microsoft virus and worm attacks point to a fundamental failure to learn from past IT purchasing mistakes.

      Don't get me started on my company's new internal IM system that only works from Windows - thanks for nothing there, guys.

      --

      Your right to not believe: Americans United for Separation of Church and

    5. Re:Am I the only one...? by _Sprocket_ · · Score: 2
      Am I the only one...who hasn't gotten a single one of these worms?

      ...

      Are the people I converse with in email just cooler/smarter than everyone else, or is this whole email virus thing more hype than reality?

      My personal mail accounts tend not to see any of this traffic. Although some of this may have to do with the systems on which my accounts live. And I'm sure it's also got something to do with my usual lists of correspondents.

      Still - these things certainly exist and they're a pain for some. I do infosec consulting and see it all the time with my clients and in conversations with friends and peers in the industry.

      As a side note - it never ceases to amaze me how some businesses manage to continue functioning with all the crap dumped on to, and floating around, their insecure networks. Especially smaller businesses whose resources are usually a lot tighter than their larger counterparts.

      I'm just glad I can escape it all to the (relative) safety of my own little home network once in awhile. :)

    6. Re:Am I the only one...? by aozilla · · Score: 3

      All it takes is one idiot, though, to bring down an entire company.


      One desktop machine should never be able to bring down an entire company, even if the hacker has full access to it.

      --
      ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
    7. Re:Am I the only one...? by uebernewby · · Score: 2

      who hasn't gotten a single one of these worms?

      I haven't. But I have gotten phonecalls from my dad that went something like "you see, there was this e-mail message, and it said 'click here' and I didn't, but still, my computer tries to dial in every five minutes now even though I didn't click when it told me to, just like you told me not to do a thousand times already". Hundreds of times. And, by proxy, from his colleagues.

      I'm guessing email viruses are a reality for people who've got better things to do than toy around with computers and read /. (i.e. almost everyone). Count yourself lucky.

      --

      News and bla for computer musicians: http://lomechanik.net/
    8. Re:Am I the only one...? by fanatic · · Score: 2
      Notes was the original scriptable mailclient, so don't laugh too hard.

      Also, Notes, as a email system, is the most inconceivable piece of shit in so many other ways, it hardly bears telling. Just a few:
      • Their joke of an SMTP server crashes if a message has more than 32K of headers (which sometimes happens for stupid mailing list software). (Or at least it used to.)
      • Have you ever seen a Delivery Failure notification in Notes? SMTP Servers generally put a lot of information into these to explain why the message couldn't get through. The Notes piece-o-shit excuse for an MUA throws out most of it and hides the rest.
      I have never seen Outlook but it's hard to imagine it could be any worse than Notes client - other than the security of course. Give me mutt or pine any day.
      --
      "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
    9. Re:Am I the only one...? by Bronster · · Score: 2

      Are the people I converse with in email just cooler/smarter than everyone else

      At the risk of stroking the collective /. ego, yeah, they are.

      Most of them I get are from spammers (I presume) who have collected one of my email addresses in their database. Really pathetic that is, I tell you.

    10. Re:Am I the only one...? by mrjohnson · · Score: 2, Informative

      No, it just takes an idiot administrative staff/person to bring down the whole company.

      Look, this virus executes automatically if you haven't applied the security patches to all the desktops in your company. An administrator worth his salt stops the virus at the door, long before the blasted things ever reach a user.

      My company's email is first taken off the wire by postfix on Linux, because we trust its security. Next it's relayed to a special anti-virus smtp server, which scans all the email, blocks any attachment types that we've disallowed, and then relays the email (finally) to our exchange server.

      The anti-virus relay updates its dat files every hour, every day of the week. On top of that, all the desktops in the company have virus scanners installed. When they log in, my python script will take care of updating their dat files from an internal mirror -- and if it's unsuccessful, they're told to contact the helpdesk, and then they're promptly booted out of Windows.

      Since I've been at the company, there has not been one exploit of our security. Nor has there been one virus infection. Sometimes we have been lucky, but it's mostly preparation.

      Don't blame the users. For god's sake, they think the *monitor* is their computer. Blame the staff, and hire some Linux administrators.

    11. Re:Am I the only one...? by rjamestaylor · · Score: 2

      >>No Nimda for me, no Sircam, no other elite macro viruses.

      I believe you'd only see Nimda if you run a webserver. I get TONS of these:

      209.88.229.62 - - [17/Oct/2001:14:46:38 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 339 "-" "-"
      209.88.229.62 - - [17/Oct/2001:14:46:41 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 337 "-" "-"
      209.88.229.62 - - [17/Oct/2001:14:46:42 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 347 "-" "-"
      209.88.229.62 - - [17/Oct/2001:14:46:43 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 347 "-" "-"
      209.88.229.62 - - [17/Oct/2001:14:46:47 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 361 "-" "-"
      209.88.229.62 - - [17/Oct/2001:14:46:47 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 378 "-" "-"
      209.88.229.62 - - [17/Oct/2001:14:46:48 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 378 "-" "-"
      209.88.229.62 - - [17/Oct/2001:14:46:49 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 394 "-" "-"
      209.88.229.62 - - [17/Oct/2001:14:46:50 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 360 "-" "-"
      209.88.229.62 - - [17/Oct/2001:14:46:51 -0700] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 360 "-" "-"
      209.88.229.62 - - [17/Oct/2001:14:46:51 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 360 "-" "-"
      209.88.229.62 - - [17/Oct/2001:14:46:52 -0700] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 360 "-" "-"
      209.88.229.62 - - [17/Oct/2001:14:46:53 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 344 "-" "-"
      209.88.229.62 - - [17/Oct/2001:14:46:54 -0700] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 344 "-" "-"
      209.88.229.62 - - [17/Oct/2001:14:46:58 -0700] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 361 "-" "-"
      209.88.229.62 - - [17/Oct/2001:14:46:58 -0700] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 361 "-" "-"

      I believe these are the droppings of Nimda...

      --
      -- @rjamestaylor on Ello
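      The log lines above are what a Nimda-style scanner leaves behind: the same traversal to cmd.exe in several encodings (double-encoded %255c, the %%35%63 variant and the overlong UTF-8 forms %c0%af, %c1%1c, %c1%9c). As an added example that is not from this thread, here is a small Python detector that decodes a request path the way the targeted server would have, flags the traversal, and groups hits by source; the log lines and addresses in it are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-log lines modelled on the probes quoted above
# (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
192.0.2.10 - - [17/Oct/2001:14:46:38 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 339 "-" "-"
192.0.2.10 - - [17/Oct/2001:14:46:47 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 361 "-" "-"
192.0.2.10 - - [17/Oct/2001:14:46:50 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 360 "-" "-"
192.0.2.10 - - [17/Oct/2001:14:46:51 -0700] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 360 "-" "-"
192.0.2.10 - - [17/Oct/2001:14:46:53 -0700] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 344 "-" "-"
198.51.100.7 - - [17/Oct/2001:14:47:01 -0700] "GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla/4.0"
198.51.100.7 - - [17/Oct/2001:14:47:02 -0700] "GET /images/logo.gif HTTP/1.0" 200 1234 "http://example.test/" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3})'
)

# Overlong / invalid UTF-8 sequences that the IIS decoder of the time turned into
# path separators. Double-encoded forms (%255c, %%35%63) are handled by decoding
# in several rounds until the string stops changing.
OVERLONG = {"%c0%af": "/", "%c0%2f": "/", "%c1%1c": "\\", "%c1%9c": "\\"}
OVERLONG_RE = re.compile("|".join(re.escape(k) for k in OVERLONG), re.IGNORECASE)

SHELLS = {"cmd.exe", "root.exe"}


def normalize_path(target: str, rounds: int = 4) -> str:
    """Return the path part of a request target as the vulnerable server saw it."""
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = OVERLONG_RE.sub(lambda m: OVERLONG[m.group(0).lower()], path)
        decoded = unquote(decoded, errors="replace")
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def classify(line: str):
    """Return a dict describing a suspicious request, or None for a benign line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    path = normalize_path(target)
    reasons = []
    if "/../" in path or path.endswith("/.."):
        reasons.append("traversal")
    if path.rsplit("/", 1)[-1] in SHELLS:
        reasons.append("shell-request")
    if OVERLONG_RE.search(target) or "%25" in target.lower() or "%%" in target:
        reasons.append("encoded-separator")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": path, "reasons": reasons}


def scan_log(text: str, threshold: int = 3):
    """Classify every line; sources with >= threshold hits are reported as scanners."""
    events = [e for e in (classify(line) for line in text.splitlines()) if e]
    hits = Counter(e["ip"] for e in events)
    scanners = sorted(ip for ip, n in hits.items() if n >= threshold)
    return events, scanners


if __name__ == "__main__":
    found, sources = scan_log(SAMPLE_LOG)
    for e in found:
        print(f'{e["ip"]} {e["path"]} {",".join(e["reasons"])}')
    print("probable scanners:", sources)
```

      Note that the 404s and 400s in the post are the interesting part: an Apache host is not vulnerable, so the value of these lines is purely as a list of infected sources to report or block.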
  9. Without Outlook? by krony · · Score: 5, Funny

    "The worm utilises its own SMTP engine so it does not depend on Outlook for e-mail sending."

    Not even a virus can depend on Outlook anymore...

    :-P

  10. There's a few differences by BadDoggie · · Score: 5, Informative
    Differences:

    • 1) "Legitimate"-looking Subject line.
    • 2) Legitimate-looking warning message straight out of Outlook.
    • 3) Good social engineering
    • 4) Own SMTP engine, so an Outlook script to warn that there's mail w/ attachments going out is useless.
    • 5) New "method" of hiding file extension which is harder to see even if extensions are displayed.

    We were all talking about this a week or two ago, but I'm too busy trying to get this pinball machine on eBay, so no time to search through old articles.

    woof.

  11. Windows == spammer? by pdqlamb · · Score: 2, Interesting
    Since this installs its own smtp, does this mean any Windows machine can now become an open relay for some random spammer?

    Gag, I hope I didn't understand that correctly...

    1. Re:Windows == spammer? by pdqlamb · · Score: 2
      Of course any code red infected machine already can be set up as a mail relay...

      Right, but the point is that this bug (may) already have it set up. All the spammer would have to do is scan for a machine with a valid header response on port 25, and relay away.

      Wonder what my logs will show in the next week or so...

  12. Get a Mail FIlter Already!!! by seigniory · · Score: 5, Informative

    Mail worms/virii/sausage - whatever - can be unbelievably contained with a simple attachment checking process - after Melissa, I implemented Mail Essentials (www.gfi.com) at my company - one server - 200k+ messages a day capacity - extension filtering ON.

    Since then, we got hit with every major email worm, but got infected by none - 1,000's of messages per incident blocked at the server - none made it to the internal Exchange box... they all get blocked at the "mailman" (block EXE, VBS, PIF, whatever)

    The sender gets a "kindly" message saying "Sorry, we don't accept this extension type - try again".

    It'll even scan for uncertified macros in Office Docs, filter spam (i.e. GREP searches), autorespond, basically a nice .procmail GUI. Works with any SMTP server.

    It's amazing how a small company like us can spend the $1,500 to protect our mail system, while larger ones (i.e. employers of my roommates) would rather lose 4 hours of mail to one of these buggers.

    It makes no sense NOT to use a simple filter - when will people learn. Until then, I'll just laugh.

    1. Re:Get a Mail FIlter Already!!! by ethereal · · Score: 2, Insightful

      Mail Filter == BandAid, nothing more. I'm glad that it protects your small company for now, but you have to realize that the filter is only as good as the filter set, and someday someone will get past it and you'll have another worm outbreak. The only way to be really safe is to fix your users' email programs so that they don't easily execute things that the users are sent. Fix the root of the problem, not the symptom.

      --

      Your right to not believe: Americans United for Separation of Church and

    2. Re:Get a Mail FIlter Already!!! by ethereal · · Score: 2, Informative

      I'd rather filter for a couple weeks until I installed a mail client that wasn't susceptible to this kind of stuff, and then quit worrying about the filter. But I suppose you could also use the filter for other somewhat useful things, like limiting attachment size, scanning for dirty words, etc. And if the bounce message informs the worm-ridden sender that they have a problem, then that's all for the better I guess.

      --

      Your right to not believe: Americans United for Separation of Church and

    3. Re:Get a Mail FIlter Already!!! by Anonymous Coward · · Score: 3, Funny

      It makes no sense NOT to use a simple filter - when will people learn. Until then, I'll just laugh.

      Unless, of course, you have a Mac, which asks me very nicely what I would like to open happy99.exe with: Photoshop, or TeachText. :-)

    4. Re:Get a Mail FIlter Already!!! by ralmeida · · Score: 5, Informative

      Put this in your server's /etc/procmailrc:

      #LOGFILE=/var/log/procmail
      #VERBOSE=yes
      # Directory that receives refused messages; it has to exist and be writable
      VIRUSDUMP='/var/spool/virus'
      # Original recipient, kept for reference only
      GOTCHA=`formail -xTo:`

      # Only messages that can carry an attachment are examined at all
      :0
      *^Content-type: (multipart/mixed|application/octet-stream)
      {
      # H and B: the attachment header sits inside a body part, not the top header
      :0 HB
      *^Content-Disposition: attachment;
      *filename=".*\.(vbs|wsf|vbe|wsh|hta|scr|pif|com|exe|js)"
      {
      # f: filter, h: header only, w: wait for the exit code, c: work on a copy so
      # the original message still reaches the dump below. formail -r builds the reply.
      :0 fhwc
      | (formail -r -I"Precedence: junk" ; echo -e "Our mail server refuses e-mail messages with suspect attachments, like: \n\n vbs, wsf, vbe, wsh, hta, scr, pif, com, exe or js.\n\nYour e-mail was not delivered.\n\nPlease contact webmaster@host if you have any questions.") | $SENDMAIL -t
      # Store the refused message instead of delivering it
      :0
      ${VIRUSDUMP}
      }
      }

      --
      This space left intentionally blank.
    5. Re:Get a Mail FIlter Already!!! by n-baxley · · Score: 2

      Unless of course someone at your company wants to send a legitimate exe, vbs, etc. I don't know what your company does, but at my consulting company they tried this and it didn't fly.

      You can keep your car from being stolen by taking off the wheels, but that doesn't make it very useful.

    6. Re:Get a Mail FIlter Already!!! by namespan · · Score: 2

      Unless of course someone at your company wants to send a legitimate exe, vbs, etc.

      Other people have mentioned WinZip. You could also gzip or stuffit.

      But there's also other ways of transferring stuff. Send them a link to an ftp server or web page.

      --
      Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
    7. Re:Get a Mail FIlter Already!!! by JoshuaDFranklin · · Score: 2

      Sorry, that'll leave unfiltered all the attachments with just name="foo.doc.pif", not filename=. Also, it'll filter out any HTML attachments with "filename" and ".com" in them. Not that that's a bad thing.

    8. Re:Get a Mail FIlter Already!!! by Pogue+Mahone · · Score: 2

      The DOC files can contain executable content. It's also rumoured that PDF files can too.

      --
      Every bloody emperor has his hand up history's skirt [Peter Hammill/VdGG]
    9. Re:Get a Mail FIlter Already!!! by Matts · · Score: 2

      Umm, you forgot .bat

      Also, you forgot that you can now send .txt files that get executed as though they were .exe's.

      Sorry, but there's really no simple way to stop all viruses. Though you're probably doing a reasonable job with your script, it's certainly possible to get past it.

      --

      Matt. Want XML + Apache + Stylesheets? Get AxKit.
  13. Re:problem with the users by Wire+Tap · · Score: 5, Insightful

    just like the rep AOL gets, the more users you have the more dumb users you have.

    Do you know what that means? It means the system needs to be engineered to handle those users. It does NOT mean we should shout and flame about how stupid those users are. Guess what: Everyone who uses an online service (or the Internet, for that matter) is NOT a Computer Science or Engineering major, and they should NOT be expected to act accordingly. They are there for their own purposes, to accomplish their own ends. The systems should be designed accordingly, with error prevention and correction built in, to catch things that would otherwise hurt users or administrators.

    --

    Man is born free; and everywhere he is in chains.

  14. At least it won't kill my ping by Hormonal · · Score: 2, Insightful
    With all of these Microsoft worms running rampant (can worms run?), I can't say I'm surprised to hear about another one. It's not even news any more. It's like reporting that the sun rose this morning (provided you live at a reasonable latitude.)

    The nice thing about this one is, it's just hitting e-mail. When Nimda and Code Red were wreaking havoc on the internet, they made it impossible for me to play games on my cable modem. I had so many incoming requests on port 80, I couldn't do anything.

    How many times does this have to happen before Microsoft starts putting security in front of the user experience? I can't see how having to remove viruses from your machine on a near-daily basis improves the user experience.

  15. I wonder how long it will be before... by mrroot · · Score: 5, Insightful

    Viruses get sophisticated enough that they look at subject lines in your current "Sent Items" folder and use the same subject and text, just adding the attachment, or if they find an email you previously sent that had an attachment and replace it and re-send the message.

    It's only a matter of time. It's amazing how even a dumb virus can fool so many people.

    --
    I Heart Sorting Networks
    1. Re:I wonder how long it will be before... by NeuroManson · · Score: 2

      In that case I would have a serious giggle, since there's ample 'remove' messages to various spammers in my sent items box... Now THAT would be blessed irony!

      --
      Just because you can mod me down, doesn't mean you're right. Shoes for industry!
    2. Re:I wonder how long it will be before... by isaac_akira · · Score: 2
      I still think that a virus that randomly forwards all incoming and outgoing email to all the addresses in those messages would cause SERIOUS damage to companies (not just computer downtime).

      Your customers get the snide comments you made about them to your co-workers. All of a manager's employees get all of the emails about all the others (complaints, performance reviews, etc). Lots of internal mail gets sent out to lots of external addresses. The sexy note you sent to your significant other about hand-cuffs and spanking is sent to all your biz contacts.

      You know that most employees in companies (especially high level employees) keep tons of old email around.

  16. Re:This isn't a windows problem.. by Steveftoth · · Score: 3, Informative

    Actually this is not an outlook problem at all. It doesn't even depend on outlook as it has its own smtp engine. If you have an exploitable version of IE, then IE can be made to execute the content. Or it tries to trick the user into executing the text file included ( which is really a .pif file )

    This isn't a problem if you use netscape or other non-ie code to view your mail. Pine works great, just not point and click.

  17. I'm bracing for the big one. by JMZero · · Score: 2, Interesting

    These mail viruses have all been evolutionary steps. The big one will run straight from the preview pane, will send e-mails with no real signature, and will mimic other emails sent by that user.

    As a simpler step, these viruses should be hiding themselves within attached .EML files. That would get around the filters many companies have set up.

    --
    Let's not stir that bag of worms...
  18. Not a bad virus... by Pete+(big-pete) · · Score: 5, Insightful

    Most sensible organisations will already be blocking .pif files in mail - this virus is already known by McAfee as W32/Shoho@MM and they have detailed it as a LOW risk worm.

    On another note, I hope Slashdot isn't going to run a story on every new virus that gets released...

    -- Pete.

  19. Regexps and procmail recipes anyone by KjetilK · · Score: 2
    Ouch, another one.

    Anybody got some good regexps I can put in the header check MailMan does for me?

    And/or a procmail recipe I can use to filter out this junk?

    --
    Employee of Inrupt, Project Release Manager and Community Manager for Solid
    1. Re:Regexps and procmail recipes anyone by wirefarm · · Score: 2

      Here's what I use - I got it here on slashdot, tweaked it and it has been working really well. Put the following into /etc/procmailrc - all of the junk messages get put into /var/virusdump/virus.
      Be careful of accidentally wrapped lines.
      Cheers,
      Jim in Tokyo

      ---Cut Here---
      # Directory that receives the refused messages; it must exist
      VIRUSDUMP=/var/virusdump/virus

      # Use procmail's match feature to remember the From: header,
      # so the warning can be mailed back to the sender
      :0
      * ^From:\/.*
      {
      HFR="$MATCH"
      }

      :0
      *^Content-type:.*
      {
      # H and B: look for the attachment name in the body parts as well.
      # Matching on name= also catches filename=, so both header forms are covered.
      :0 HB
      *name=".*\.(vbs|wsf|vbe|wsh|hta|scr|pif|com|exe\
      |bat|lnk|url|dll|hlp|shs|ocx|js|nws)"
      {

      # f: filter, h: header only, w: wait for the exit code, c: work on a copy so
      # the original message (headers included) still lands in VIRUSDUMP below
      :0 fhwc
      | (formail -r; \
      echo -e "This is an auto-generated message\n\
      \n\
      The email referenced above, which was sent from your address, \n\
      had an attachment of a type that this server does not allow.\n\
      (Files that end in: .exe, .vbs, .pif, .scr , etc).\n\n\
      This mail server no longer accepts mail with these attached file types,\n\
      due to the risk of viruses.\n\n\
      Your email has not been delivered.\n\n\
      If you didn't knowingly send an attachment, your computer\n\
      may be infected with a virus. \n\n\
      If you were attempting to send an attached file that you know \n\
      is free from viruses, you may try resending the file \n\
      in a compressed format such as ZIP. \n\n\
      Error No: aybabtu. \n\n\
      Contact your@company.email if you have any questions")\
      | mail -s "Possible Virus Detected" -b your@company.email "${HFR}"
      # Store the refused message instead of delivering it
      :0
      ${VIRUSDUMP}
      }
      }

      --
      -- My Weblog.
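      The procmail recipes in this thread filter on a regex over the raw header, which is why the name= versus filename= gap and the run-of-spaces trick from the story matter. As an added example that belongs to no post here, the same check written in Python over a parsed MIME message: it reads both parameters, collapses the whitespace padding so the real extension is the last one, and decides per attachment. The sample message, the padded filename and the blocked-extension list are constructed for the example.

```python
import email
import re
from email.utils import collapse_rfc2231_value

# Extensions the recipes above refuse (a subset of their lists).
BLOCKED = {"vbs", "wsf", "vbe", "wsh", "hta", "scr", "pif", "com", "exe", "js", "bat", "lnk", "shs"}

# Constructed attachment name using the spaces trick: the real extension is .pif
PADDED_NAME = "readme.txt" + " " * 36 + ".pif"

# Constructed test message: three attachments, one padded, one given only by
# name= on Content-Type (no Content-Disposition header at all).
SAMPLE_MESSAGE = f"""\
From: sender@example.test
To: victim@example.test
Subject: I send you this file in order to have your advice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file.
--b1
Content-Type: application/octet-stream; name="{PADDED_NAME}"
Content-Transfer-Encoding: base64

ZHVtbXk=
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="report.doc"
Content-Transfer-Encoding: base64

ZHVtbXk=
--b1
Content-Type: text/plain; name="notes.txt.pif"
Content-Disposition: inline

hello
--b1--
"""


def normalize_name(name: str) -> str:
    """Collapse whitespace/control padding, lowercase, and keep only the basename."""
    name = re.sub(r"[\s\x00-\x1f]+", " ", name).strip().lower()
    return re.split(r"[\\/]", name)[-1]


def real_extension(name: str) -> str:
    """The extension Windows acts on: whatever follows the last dot once padding is gone."""
    base = normalize_name(name)
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].strip()


def attachment_names(part) -> list:
    """Both places a name can hide: Content-Type name= and Content-Disposition filename=."""
    names = []
    for header, param in (("content-type", "name"), ("content-disposition", "filename")):
        value = part.get_param(param, header=header)
        if value is not None:
            names.append(collapse_rfc2231_value(value))  # handles RFC 2231 tuples too
    return names


def check_part(part):
    """Return (decision, reasons, names) for one MIME leaf part."""
    names = attachment_names(part)
    reasons = set()
    for name in names:
        ext = real_extension(name)
        if ext in BLOCKED:
            reasons.add(f"executable extension .{ext}")
        if re.search(r"\s{2,}|[\x00-\x1f]", name):
            reasons.add("whitespace padding hides the real extension")
        if normalize_name(name).count(".") > 1:
            reasons.add("double extension")
    # A double extension alone is only a hint (report.final.doc is legitimate);
    # an executable extension or padding is enough to refuse the message.
    hard = [r for r in reasons if r != "double extension"]
    return ("block" if hard else "allow"), sorted(reasons), names


def scan_message(raw: str) -> list:
    """Decide every attachment in a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    results = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        decision, reasons, names = check_part(part)
        if names:
            results.append({"names": names, "decision": decision, "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in scan_message(SAMPLE_MESSAGE):
        print(r["decision"], repr(r["names"][0]), r["reasons"])
```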
  20. Is this slashdot or a Windows bug tracker? by dark_panda · · Score: 2, Flamebait

    Is it just me or is slashdot slowly turning into bugtraq here? Do we really need to hear about every single fscking Windows bug and exploit found?

    I see two stories concerning an Outlook virus and an XP exploit within two hours or so of each other, with one new story in between.

    Can we move along to some real news for nerds, some real stuff that matters? Or at least add an option to ignore the damn Outlook virus updates and other nonsense.

    J

    1. Re:Is this slashdot or a Windows bug tracker? by Frank+Sullivan · · Score: 5, Insightful

      The XP exploit, at least, is an entirely new class of security hole, not seen before, and every last one of the 10M+ XP boxes shipped is vulnerable to total control from the outside.

      If that ain't news, what is?

      As for the worm... well, it's mildly technically interesting. But if Microsoft worms have become so common that they are no longer news... well, i think that's news, too!

      --
      Hand me that airplane glue and I'll tell you another story.
    2. Re:Is this slashdot or a Windows bug tracker? by nyquist_theorem · · Score: 2

      Is it just me or is slashdot slowly turning into bugtraq here? Do we really need to hear about every single fscking Windows bug and exploit found?

      It wouldn't bother me so much except that there are plenty of interesting stories and provocative "Ask Slashdot" questions submitted regularly that are arbitrarily discarded. I know, because I've submitted a number and have had them very quickly rejected (altho I did get one, my first, accepted - gave me the false hope that there's a purpose in going to great length to research a topic, event or issue and submit it as a story).

      Of course, I don't pay for /. so I suppose I shouldn't complain - on the whole it is enjoyable to read and participate in. I just find it hard to believe that the potential story pipeline/queue is really full of nothing more than "new version of [insert *nix variant here] available, which you already know if you use it!" and "M$ Software vulnerability found - who'da thunkit?".

      --
      -- "Ignorance more frequently begets confidence than does knowledge." (Charles Darwin)
    3. Re:Is this slashdot or a Windows bug tracker? by grammar+fascist · · Score: 2

      NEWS FLASH: Another Microsoft Outlook VMS worm appeared today, leaving thousands of companies stranded network- and Internet-less as their IT departments struggled to contain it.

      But this isn't news! It's not-news - and therefore news - because it isn't news anymore! Get it?

      (You know, the word "news" starts to sound really, really weird after you say it a bunch.)

      --
      I got my Linux laptop at System76.
  21. Oh, stop with the Windows security remarks already by Junks+Jerzey · · Score: 3, Insightful

    Worms and virii are being written for Windows/Outlook, because:

    (A) 98% of all people using PCs to read email are running Windows.
    (B) There are a lot of cracker-types full of concentrated angst about Microsoft, Bill Gates, Windows XP, etc.

    If that 98% referred to Linux/KDE or MacOS X, you can be _damn_ sure that there would be severe security exploits for those systems as well. All it takes is _one_ small hole to give a virus writer leverage, and in any system with hundreds of thousands of lines of code behind it, there are going to be small holes. Arguably things would be much worse if everyone used Linux, because Linux is more daunting for users to administrate than Windows. So anyone not keeping up with security issues would be vulnerable. Most people fall into that category, even intelligent people.

    As for (B) above, what can be said except that it's pretty sad.

  22. Anyone know what SARC is calling this one? by ellem · · Score: 2

    Welyah isn't pulling up anything.

    Neither is Winl0g0n.exe

    --
    This .sig is fake but accurate.
  23. The difference is... by paranoic · · Score: 2

    is that we don't PAY for the privilege of having a secure OS.

  24. Ancient Troll by Chris+Burke · · Score: 3, Insightful

    Not a bad one, either, judging by the reaction. But seriously, if this wasn't a troll and you really have these complaints you wouldn't be reading /. anymore, would you?

    At least the people who bitched when Taco first used the Bill Gatus of Borg icon they had a legitimate reason.

    --

    The enemies of Democracy are
    1. Re:Ancient Troll by nate1138 · · Score: 2

      And what was that reason?? They liked the borg too much to see them ridiculed like that?

      --
      Where's my lobbyist? Right here.
  25. Looks like a hoax by sphix42 · · Score: 5, Funny

    I didn't see any misspelled words in the sample email at that link...this is an obvious hoax.

  26. Depends on how much you are out there... by singularity · · Score: 3, Insightful

    There are several factors to consider. The first is your mail provider. If they are quick to block out the newest viruses at the server, you obviously will not get it.

    The other is how much your email address is out there. Some of the viruses would go through the web cache and grab email addresses from there. If your email address is out there a lot, you are going to get more viruses. 99% of the SirCam, Nimda, and so on that I got (probably a couple hundred) came from people I did not know.

    --
    - (c) 2018 Hank Zimmerman
  27. Re:Oh, stop with the Windows security remarks alre by s20451 · · Score: 2

    I agree to some extent, but there's a little more intrinsic security in *nix ... stuff like permission checking; anybody can do anything on a Windows box but only root can do the really nasty stuff on a *nix box.

    You have to be a measure more clever to find a root exploit before applying your trojan payload ... in fact maybe it's a good thing that Windows has low security; most crackers probably take the path of least resistance and leave *nix alone ...

    --
    Toronto-area transit rider? Rate your ride.
  28. Is a 6ft-deep pothole in front of your car "news?" by Tsar · · Score: 5, Funny

    For us Windows users, reports of new security issues seem to come as often as potholes on an Arkansas highway. Like the potholes, looking for the next one isn't all that interesting or entertaining, but we still have to try to avoid them or at least minimize their impact.

    "Net access: $20/mo. -- Electricity for computer: $20/mo. -- Reaching the 50 Karma cap: Priceless"
    I'm at the karma cap, and I've been oscillating between 47 and 50 for some time. Does anyone else in that situation agree with my Modest Karma Proposal?

  29. When will we see the real worms? by tuxlove · · Score: 5, Interesting

    Windows is so easy to write worms for that we see a constant influx of simple stuff. Simple VB scripts, etc., can do a great deal of damage, and worm authors don't seem motivated to try harder because they don't have to. This new worm seems like a step in a scary direction, towards real sophistication. Depending on system services to propagate will not be easy forever, and I expect to see more worms with their own protocols (like SMTP) built-in.

    The "optimal" worm is one in which all it needs is a thread of execution and access to basic OS APIs like sockets and elementary file access. You're not going to stop a worm from calling the most basic APIs, so the key to stopping worms (once all the fundamental holes are patched in Windows, if ever) seems to be not letting them have that thread of execution in the first place. Of course, there will always be lots of users willing to run unknown executables, but the less automatic, the better. Patching buffer overflows in IIS, etc., will only go so far because there will always be users ready and willing to execute email attachments. Until focus comes to bear on ways to keep unsophisticated users from doing this sort of thing, there will always be a cornucopia of devastating worms.

  30. Duplicate by "Zow" · · Score: 2, Troll

    Hey, CmdrTaco, what's with having another duplicate story today? You just reported about the new windows vulnerability two hours ago.

    Oh, wait. . .

  31. Windows security problem? by bob1000 · · Score: 2, Insightful

    I understand that the narrowcasting strategy has changed significantly here to attract Microsoft haters but in all honesty, what could Microsoft do to stop the viruses/worms? Short of completely disabling internet connectivity there just isn't anything to stop them completely on any OS.

  32. Re:hmm by _Sprocket_ · · Score: 2
    ...so suddenly I get all these images of people flying along all happy and then find themselves flying in to a swarm of locusts. Or earth worms. And other such bugs, worms, glowing clouds of plague, and such creepy-crawlies.


    Or, at least, occasionally having to land back on solid ground to pick the bugs from between their teeth. Maybe applying one of those teeth-whitening patches.

  33. You don't get it by Frank+Sullivan · · Score: 5, Insightful

    Apache has a veto-proof majority of the web servers out there. Where are the Apache worms? Why is IIS, with far less market share, getting them? It's because Apache is secure and IIS is not, period.

    Linux and OSX are both based on the Unix security model, a fundamentally sound design refined by two decades of real-world practice (dating back to the RTM worm in the early 1980s). It's not a matter of the virus writers aren't looking... it's a matter of a lack of exploitable holes. Name ONE Unix email client stupid enough to auto-execute code. Just one!

    Yes, there are still exploitable holes here and there in Unix/Linux. But they generally require real mastery to find. Windows macro viruses can be written by 14-year-old boys. My wife, a technical writer, doesn't know enough programming to write heapsort (do you?), but she knows enough to write a macro virus in VBA.

    Get it through your head... the number of viruses and worms today is not a function of popularity or attention. It is a function of poor design and poor implementation, combined with security by obscurity (a technique discredited everywhere but Microsoft).

    Really, learn about it. Don't just whine because Microsoft is getting a richly deserved spanking, and you don't want to hear how bad your favorite OS sucks.

    --
    Hand me that airplane glue and I'll tell you another story.
    1. Re:You don't get it by cscx · · Score: 2, Interesting
      IIS IS secure.

      It just ships in a default configuration that is about as tight as a gay man's asshole.

      IIS is an excellent piece of software. I've used it before, and I'll use it again. Remember Code Red, et cetera? Guess what? I didn't have to patch my servers because they were IMMUNE. IIS "flaws" are NOT part of IIS itself, but part of different addon modules that should be easily removed by any knowledgeable sysadmin. Anyone knows that running script modules for everything in the world that you're not using is asking for trouble. IIS just ships that way for ease of use for the consumer. I can easily make IIS just as secure as Apache --- it takes about the same knowledge required to set up apache.

      So quit the FUD.

    2. Re:You don't get it by Junks+Jerzey · · Score: 2

      Apache has a veto-proof majority of the web servers out there. Where are the Apache worms? Why is IIS, with far less market share, getting them? It's because Apache is secure and IIS is not, period.

      That's because Apache is a web-server and we're talking about exploits on the user's machine. The last big Windows virus from a few weeks ago was actually a trojan horse. People clicked on it and that was that. Linux is just as vulnerable as Windows.

    3. Re:You don't get it by bitrott · · Score: 2, Insightful

      All software sucks. Get THAT through YOUR head.

    4. Re:You don't get it by Junks+Jerzey · · Score: 2

      Only if the user is logged in as root. A big problem with Windows is that the user logged in with local admin permissions (default) runs everything under the Windows equivalent of root. So yes, it's possible for Linux to be vulnerable, but at least it gives you a choice of not acting as root.

      You're not getting it are you? It doesn't matter that the user isn't logged in as root. We're talking about *exploits* that get around that.

      And note that the recent Windows worms send mail to everyone in your address book, filling inboxes with garbage. You don't need to be logged in as root to send mail on most systems.

      Enough with regurgitating the standard advocacy lines, already.

    5. Re:You don't get it by rlp · · Score: 5, Insightful

      I agree with your basic thesis. However, it should be noted that Unix design and Windows design started with different premises. Unix was derived from Multics which was an early time-sharing system designed to be (relatively) secure. As a multi-user system, mechanisms had to be built in to protect a user's environment from other users. Windows is descended from DOS (and CP/M) and came from an environment that assumed one machine / one user. Hence there were no protections built in.

      Unix was built by developers for developers. In many cases the system administrators were also the system programmers. System administration problems tended to be solved by code. For example, in the early 80's Unix did not limit the number of processes per user. At Bell Labs, whenever the Intro. to Unix Programming class got around to the 'fork()' system call, machines started crashing. This was soon fixed by a kernel change. Linux has continued (and expanded) on this tradition.

      In contrast, Microsoft has focused on ease of use for the average user. This focus has been rewarded with market share. Security has been an afterthought. Prior to mass adoption of the Internet - this was not an unreasonable approach. Now, of course, it's a disaster.

      --
      [Insert pithy quote here]
    6. Re:You don't get it by Junks+Jerzey · · Score: 2

      Windows is descended from DOS (and CP/M) and came from an environment that assumed one machine / one user. Hence there were no protections built in.

      Sigh. Not this again. Windows 95 & 98, yes. Windows NT, 2000, and XP, no. The latter family were designed from the ground up as secure, reliable, operating systems. And they are.

    7. Re:You don't get it by Sloppy · · Score: 2

      Then Microsoft and its apologists need to quit lying to people about their products being easier to use than their competitors'. They should quit implying that Windows/Outlook/IIS/etc can safely be used by people who aren't computer experts, or that the competing products are somehow less "ready for the desktop".

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  34. Re:Oh, stop with the Windows security remarks alre by cscx · · Score: 2, Insightful
    Uh, no.

    It really makes me sick when linux people automatically refer to Win9x. In NT, you need to be an Administrator to do that kinda stuff. Not a User. And, yeah, if you live in a cave, WinNT ACLs are a far more advanced permissions system than *nix ever dreamed.

  35. This is funny. by JeremyYoung · · Score: 4, Interesting
    From the AP on Yahoo:
    Just last week, Microsoft's corporate security officer, Howard Schmidt, expressed frustration about continuing threats from overflows. "I'm still amazed that we allow these things to occur," he said at a conference of technology executives. Schmidt is expected soon to resign from Microsoft to work for President Bush's top computer security adviser.
    Funny that SOMEONE at Microsoft is finally, publicly, admitting that there's a pattern to Microsoft vulnerabilities.
    --
    Go Lakers!

  36. Re:This isn't a windows problem.. by b_pretender · · Score: 2

    I have pine set up to point and click just fine. It's a setting and you have to use it with an Xterm. Then you can click on messages or click on the options at the bottom and it works just fine. Click somewhere within a message and the cursor moves there.

  37. Can anyone find more info? by selan · · Score: 2

    I can't find this listed on Symantec's site or Trend Micro. Has anyone seen any real info about this worm?

  38. Slashdot demagoguery, or troll snacks? by eddy+the+lip · · Score: 4, Funny
    I simply assumed that people on Slashdot are above those biases.

    and i simply assume most people have a sense of humour, but we don't all get what we want, do we?

    sure, i know that windows isn't complete crap - hell, i can admit it's gotten pretty useful in the last couple revisions. i've even been known to use it to play the occasional game. but i don't come to /. for flat, ZDNET style reporting. i come to it for useful links and snide comments.

    i also come here to do this once in a while:

    is this bugging you? poke poke poke.
    --
    This is the voice of World Control. I bring you Peace.

  39. secure email client by Webmoth · · Score: 2

    I have found that my system is not infected with virii when I use the following command to read my mail:

    $ /bin/vi /var/spool/mail/myusername

    That is, until someone finds a vulnerability in vi.

    --
    Give me my freedom, and I'll take care of my own security, thank you.
    1. Re:secure email client by gewalkeriq · · Score: 2, Insightful

      There are well-known vulnerabilities in vi. Don't recall details, but there was a problem in a SCO version that allowed any access to the scratch files. There have also been versions that played with macro capabilities in vi to run arbitrary code, etc.

      To my knowledge, none of these exploits even became very popular.

      A better example would be to consider use of Pine, Elm, mailx, kmail, mutt or whatever is your favorite.

      If memory serves correctly, there are (or have been) buffer overflow vulnerabilities in Mutt, Pine, MailX at least and I personally would be surprised that Elm, kmail and others have not also been vulnerable. Don't recall buffer overflows in vi.

      Go to CERT and do a search for remote root, read the vulnerabilities and then explain to me how Linux/Unix is immune to attacks.

  40. Re:problem with the users by Mike+Schiraldi · · Score: 5, Funny

    I wonder if, say, construction workers, when building a shopping mall, say stuff like, "Man, we have to put railings up? Come on, what kind of idiot would just walk off the edge and plummet to the floor below? Stupid users."

    "What? Circuit breakers? What sort of moron would overload a circuit? Who needs circuit breakers? Stupid users."

  41. Visual Basic? by innocent_white_lamb · · Score: 2, Funny

    I find it tremendously amusing that a Windows worm was written in Visual Basic, of all things.

    Training wheels for small children's bicycle for sale. Buy now and get a free shotgun.

    --
    If you're a zombie and you know it, bite your friend!
    1. Re:Visual Basic? by snake_dad · · Score: 3, Interesting

      It's funny all right. However there is an explanation that 5 years ago this was less feasible.

      Earlier we used to be suspicious only of very small executable attachments. Often that would be a virus. If someone mailed you a large executable attachment it would probably be a legitimate file. However after all the legitimate funny files that are sent to friends (you know, those cartoon like programs, or sheep floating on your desktop) nobody is surprised anymore about a rather large attachment.

      There have been so many 'harmless' funnyfiles that people don't believe you anymore when you say "never open executable files!". Not to mention the fact that it's always "safe, because a friend sent it to me". Oh well...

      --
      karma capped .sig seeking available Slashdot poster for long-term relationship.
  42. Inviting flames, I guess by dachshund · · Score: 3, Insightful
    Why do the editors of Slashdot ALWAYS put their unproductive, derogatory, flaming, two cents at the end of _every_ story regarding something "AWFUL" Microsoft has done?

    Because to a programmer/architect/sysadmin, the mere existence of these worms is mind-boggling. Imagine the largest-selling American car manufacturer building all of their models with the gas tank right behind the front bumper, or some such idiocy. Now you, as an automotive columnist (with some professional understanding of auto design), are forced to report every time one of these Hindenburgs ends up as a fiery wreck.

    It'd be bad enough if this happened in one model of car, but to see it happen year after year, when the company should know better, has to be somewhat irritating. I'll let MS slightly off the hook when a "legitimate" bug is found-- that is, one that might not have been directly anticipated when the product was being designed. But each of these worms exists as a result of MS's ongoing, dunderheaded ignorance of basic security issues. Windows scripting on as default? Minimal security in their email software? Preview panes that can automatically execute scripts?

    So yes, the Slashdot editors' scorn is thoroughly justified in these cases. If you're looking for more objectivity in your reporting, there are other places to go. If you stuck to the reports I've seen in reputable newspapers, you wouldn't even have to suffer the notion of Microsoft as a responsible party. If you think that's the case, choose your news sources differently. Slashdot is run (and contributed to) by people who take this sort of stuff a little bit personally.

  43. How long a list do you want? by Frank+Sullivan · · Score: 2

    1. Stop auto-execution of content within Outlook. Ideally, make it impossible to execute content from a mail reader.

    2. Stop designing operating systems where the default user account has write access to system binaries. Make it easy enough to do basic administration without formal administrator access that users don't run with administrator access by default (NT, W2K, XP desktop use).

    3. Build bounds checking into Visual C++, at least as an option. Require programs under development to be tested with bounds checking on in order to detect buffer overflows.

    I could go on, but you get the picture. No, you can't stop all security problems completely. However, you can make a very good dent in them. Just because a burglar can break your door down or pick the locks doesn't mean you shouldn't lock the doors to keep out the less skilled or ambitious.

    --
    Hand me that airplane glue and I'll tell you another story.
  44. Quite a large list of offending extensions by mclearn · · Score: 5, Interesting

    See here for a discussion on the experiments of a particular fellow on finding a list of offending Windows extensions that are not unhidden even if "Show all extensions" is used.

    1. Re:Quite a large list of offending extensions by Bronster · · Score: 2

      What a maroon. Brute force it???

      All this crap is nicely in the registry.

      If you'd read the link for more than a few seconds, you would have seen (apart from the dodgy 'look I'm a C coder' perl with hard coded array length and lots of double quotes in the definition) that the registry wasn't used for a reason.

      * The registry may not document every piece of behaviour (i.e. there could be hard coded extension handling in the Explorer code itself.)
      * By observing the behaviour of the system itself, directly at the level where it matters, you are guaranteed correct results.

      I am very impressed with the research methodology presented in that link. Rather than trusting some documentation, the author actually went and recorded the behaviour of the system under real conditions. My hat is off (and my Redhat box is off the net, finally - but that's another story!)

    2. Re:Quite a large list of offending extensions by Bronster · · Score: 2

      But it's also inherently flawed. [ more than 3 char extension ]

      That's a very good point, and one I didn't think of at the time. I think (?) that they still map to some underlying 3 char extension in the 8.3 file format of MSDOS though.

      Of course Win9x probably doesn't treat them as special without the full length extension - OK, so the experiment needs to deal with longer extensions, and suddenly we're in really-messy-big-area land. Doh!

      What's registered also depends on what's installed - I would only test the default install, since M$ can claim anything else to be a security problem with the installed application (and probably rightly so).

  45. Re:the long filename hoax! by Peaker · · Score: 2

    There is no right way to name your string hierarchy (i.e. a file system).
    Since there is no proper convention of attributing things such as title, content, author, etc. on the file (only type, in the extension), these are conveniently put in the file name.

    The problem here is not spaces in file names, but the weakness of a string hierarchy.

    File systems are dated technology (EROS Tunes...)

  46. Re:Wrong again! by cperciva · · Score: 3, Informative

    Actually, ELF executables running under a normal user account CANNOT do the most interesting part, namely run their own SMTP server. Root access is required to open a low-numbered port.

    Root access is required to bind to a low-numbered port, but not to connect to a remote service, which is all you need in order to send email.

    Geez, don't people know at least the rudiments here?

  47. Okay... so we can't fix the software or the users. by pi_rules · · Score: 5, Interesting
    It's still mind-boggling to me that companies don't have better policies in place for handling these situations. As another poster mentioned using mail filters to strip attachments w/ dangerous file types is nice and all, but it isn't going to be 100% effective. Georgi Guninski released an example a while ago where filename.txt.{some big guid here} would look just like filename.txt on the desktop, but when opened you'd find it was HTML w/ an IE exploit inside. So... now you have to add a rule to your filter script to catch those, and hope that you knew about it before an exploit in the wild. Not 100% safe.

    Why are companies letting people thrash the mail system inadvertently and go on like nothing happened? This is a social problem, albeit one that has been made more prevalent by bad technology. So what if Outlook took out the double-click-run-and-destroy feature for attachments? Trojans would get mailed along w/ instructions on how to save to your disk and run the program. And some idiot would do it too.

    I'd much rather see corporations making their employees responsible for breaking things on the network. If the admin fscks up the entire system he'd be up to his knees in shit -- but the "users" are allowed to do it because they can claim ignorance? No thanks. Draw up some strict hard-line rules for your employees and get this crap taken care of. My personal suggestions would be:
    1. No using IE at work -- Netscape/Mozilla/Konq only. Far fewer vulnerabilities.
    2. No Outlook/Outlook Express for mail. Use Outlook -only- for calendaring functions. I'd personally like to see corps going back to how my old university did it. One Unix box w/ pine on it for users to read their mail. Use SMB to attach the user's /home dir to the Windows machine and let them save attachments that way. No HTML email viruses, no buffer overflows. Plain jane simple email.
    3. Running an attachment sent via email should be punished just as if the user walked in w/ a virus on a disk and ran it from home. And make them -work- to get that attachment to run.
    4. Forgo the use of the .doc format entirely. What's so bad with RTF? Do you -really- need to spend all this extra time authoring up nifty documents for internal use only? Sure, use .doc to interface with clients but keep its use limited.

    Sure, it's a bit drastic. But is productivity really benefiting from reckless use/abuse of insecure software? Must your employees use Outlook so they get that warm fuzzy feeling of being able to fiddle with all sorts of buttons on their screen? Why can't the computer be viewed like any other tool? If you don't know how to use it why in the world are you using it at work? I wouldn't dream of putting joe-schmoe on a forklift w/out some training, why put people w/ no training on a computer? If joe-schmoe runs the forklift into a wall you bet he'll get some heat for it. Run a virus though? Nah, everybody does that.. let it slide, let IT clean it up.
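    The two disguises that keep coming up in this thread, the run of spaces that pushes the real extension out of view (from the story) and the hidden CLSID suffix (from the post above), are both things a mail gateway can undo before it decides whether to strip an attachment. The following is an added example, not code from the story or from any poster; the extension list, the GUID and the sample attachment names are constructed for the illustration. It recovers the extension Windows would actually act on and explains which disguise was found.

```python
import re

# Extensions a mail gateway should treat as executable content. This is a
# constructed list for the example, not one taken from the thread.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "pif", "scr",
    "vbs", "vbe", "js", "jse", "wsf", "hta", "lnk",
}

# A trailing ".{CLSID}" component is not shown by the Windows shell, so the
# name is displayed without it while the CLSID decides which handler opens it.
CLSID_SUFFIX = re.compile(
    r"\.\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)

# Two or more consecutive blanks inside a name are the padding trick from the
# story: they push the real extension past the visible width of the listing.
PADDING = re.compile(r"[ \t]{2,}")


def analyze_attachment_name(name: str) -> dict:
    """Recover the extension Windows would act on and record the disguises
    found. Returns the real extension, a list of reasons and a block flag."""
    reasons = []
    work = name
    clsid = CLSID_SUFFIX.search(work)
    if clsid:
        reasons.append("clsid_suffix")
        work = work[:clsid.start()]        # what the user would see
    if PADDING.search(work):
        reasons.append("whitespace_padding")
        work = PADDING.sub("", work)       # pull the hidden tail back in
    pieces = work.strip().split(".")
    extensions = [p.lower() for p in pieces[1:]] if len(pieces) > 1 else []
    real_ext = extensions[-1] if extensions else ""
    if len(extensions) > 1 and real_ext in EXECUTABLE_EXTENSIONS:
        reasons.append("double_extension")  # e.g. invoice.pdf.vbs
    # A CLSID-suffixed file is opened by the CLSID's handler regardless of the
    # visible extension, so it is blocked on that ground alone.
    block = bool(clsid) or real_ext in EXECUTABLE_EXTENSIONS
    return {"name": name, "real_extension": real_ext,
            "reasons": reasons, "block": block}


def blocked_attachments(names):
    """Names a gateway filter would strip, in input order."""
    return [n for n in names if analyze_attachment_name(n)["block"]]


# Constructed sample attachment names; the GUID is a placeholder, not a real CLSID.
SAMPLE_ATTACHMENTS = [
    "quarterly_report.doc",
    "photo.jpg                                             .exe",
    "readme.txt.{12345678-1234-1234-1234-123456789abc}",
    "invoice.pdf.vbs",
    "notes.txt",
]

if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        print(analyze_attachment_name(n))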
  48. Re:SMTP service? by mikey504 · · Score: 2, Interesting

    I haven't seen the source, but I'll take a stab:

    I believe that for a given mail address, bob@foo.com, the infected machine attempts to connect directly to the foo.com mailhost on port 25. This is what similar viruses have done in the past.

    I block and log outgoing connections to that port (among others) from our local network, so if something like this does get loose, we can at least be saved the embarrassment of having it go back out to our clients.

    So, for the inbound side, does anyone know of a free procmail-esque mail filtering solution for Exchange? I would LOVE to throw the Exchange server in the river, but it seems to have grown roots here what with the gee-whiz outlook integration, global address book and Schedule+ stuff.

    I don't like the "deny all of them" approach taken by the last security patch and we don't have the cash for one of the commercial filtering solutions.

    I hope to move us to IMAP + LDAP + CGI (for the calendar and scheduling stuff) in the near future.

  49. Windows be a secure operating system... by OSgod · · Score: 2, Insightful

    Never in the main stream release.

    Nor is it supposed to be. Just as Linux is not a secure OS in the main stream releases. Linux will never be a secure OS in the main stream release. As it gains more market share it will become less secure (a high percentage of security is the users and administrator -- in the home box that's Joe and he doesn't give a hoot about security and won't buy an OS if he has to).

    A secure OS is a special or a tuned release. Always will be.

    1. Re:Windows be a secure operating system... by NumberSyx · · Score: 2

      As it gains more market share it will become less secure

      In reality, just the opposite is true. With each new release, all of the major brands of Linux have gotten more secure out of the box and easier to maintain that security over time with better and easier tools. Red Hat is a good example of this: a few years ago, an out of box install of Red Hat meant all services were enabled by default and the user had to disable them if they didn't want them. Today services are disabled by default and only enabled at the user's request. This is harder for their customers, but makes for a more secure box.

      Windows isn't the biggest target of worms, trojans and viruses because it's popular, it is the biggest target because it is an easy target. Microsoft themselves put out the greatest software in the world for writing worms and trojans (VB Script) and then integrated it completely into their OS and most of their other software as well. Of course now they refuse to fix the software or to even have it turned off by default.

      Let's face it, Windows is a Prostitute and Microsoft is her Pimp. The Pimp wants the Prostitute to be easier and more accessible and doesn't want to inconvenience the John by making them use a condom, so naturally the Prostitute is going to get a few diseases. The Pimp will want to keep the disease a secret, but will also want the Prostitute to keep working. So she is going to spread the disease around a lot before it gets treated.

      --

      "Our products just aren't engineered for security,"
      -Brian Valentine,VP in charge of MS Windows Development

  50. Re:Band-aid? How do you figure? by ijx · · Score: 2

    Well, there are serial ports (I assume you referred to network ports), brute-force techniques at the keyboard, etc.

    For offline cracking, steal the harddrive. It's less sexy, but would get the job done.

    Point is, nothing is ever 100% secure.

  51. Proper Egress Filtering by Gothmolly · · Score: 5, Insightful

    Egress filtering at the firewall will block the spread of this. Simply don't allow anything but the mail server to make SMTP connections out. Done. Same thing with all of those "home firewall" products.

    --
    I want to delete my account but Slashdot doesn't allow it.
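    The egress rule described above ("nothing but the mail server makes SMTP connections out") is also a detector: once the rule is in place, every denied port 25 attempt points at a workstation that is trying to run its own mail engine. The following is an added example, not code from the post; the network range, the mail server address and the key=value log lines are constructed, and the log format is a minimal one that a real firewall log parser would have to be adapted to. It expresses the policy as a decision function and then runs it over the sample log to list the offending hosts.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed policy for the example: the internal network and the one host
# that is allowed to speak SMTP to the outside world.
INTERNAL_NET = ip_network("192.168.1.0/24")
MAIL_SERVER = ip_address("192.168.1.10")
SMTP_PORT = 25

# Constructed connection-attempt log lines in a minimal key=value format.
SAMPLE_LOG = """\
2001-12-20T10:15:02 src=192.168.1.10 dst=203.0.113.9 proto=tcp dport=25
2001-12-20T10:15:04 src=192.168.1.57 dst=203.0.113.9 proto=tcp dport=25
2001-12-20T10:15:04 src=192.168.1.57 dst=198.51.100.22 proto=tcp dport=25
2001-12-20T10:15:05 src=192.168.1.57 dst=198.51.100.23 proto=tcp dport=25
2001-12-20T10:15:06 src=192.168.1.23 dst=203.0.113.9 proto=tcp dport=80
2001-12-20T10:15:07 src=192.168.1.88 dst=203.0.113.40 proto=tcp dport=25
"""

LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": ip_address(m["src"]),
            "dst": ip_address(m["dst"]), "proto": m["proto"],
            "dport": int(m["dport"])}


def egress_decision(conn):
    """Return 'allow' or 'deny' for one connection attempt under the policy:
    outbound TCP/25 is permitted only from the mail server."""
    outbound = conn["src"] in INTERNAL_NET and conn["dst"] not in INTERNAL_NET
    if (outbound and conn["proto"] == "tcp" and conn["dport"] == SMTP_PORT
            and conn["src"] != MAIL_SERVER):
        return "deny"
    return "allow"


def smtp_offenders(log_text, threshold=1):
    """Hosts other than the mail server that attempted direct outbound SMTP,
    mapped to their attempt count; only hosts at or above threshold are kept.
    A worm fanning out to many mail hosts shows up as a high count."""
    counts = Counter()
    for line in log_text.splitlines():
        conn = parse_line(line)
        if conn and egress_decision(conn) == "deny":
            counts[str(conn["src"])] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(smtp_offenders(SAMPLE_LOG))
```

    On a Linux firewall the same policy is one rule of the form `iptables -A FORWARD -p tcp --dport 25 ! -s 192.168.1.10 -j DROP` (with the mail server address substituted); the Python above is the review side of it, fed from whatever the firewall logs when that rule fires.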
  52. The reason this doesn't affect *nix by WeaselGod · · Score: 3, Insightful

    The reason that the various *nix OSes are immune to virii/worms of this type is because the vast majority of users use windows and MS products, not because of any superior security on the nix part. I am forced to use MS products at work and I have never been infected by a worm/virus because I know better. The average user doesn't know better. If they were on unix it would probably be an even worse problem because they would have even less of an idea of whats going on. I think Microsoft has made some bad decisions in its time, but I blame the worm/virus proliferation on the vulnerability of the users, not the vulnerability of the operating system.

    --
    - WeaselGod
    Eagles may soar, but weasels don't get sucked into jet turbines
    1. Re:The reason this doesn't affect *nix by TheAwfulTruth · · Score: 2

      No but it CAN delete all UJoe's files (And user files are the ENTIRE reason a desktop computer exists) AND it can remail the virus out as UJoe's account permits. It can also install daemons running as UJoe and allow warez distribution to the limit of UJoe's account space. So what really is the difference?

      Reinstalling an OS is minor work compared to the major damage of losing all your personal work data. (And yes I KNOW that you are SUPPOSED to back data up, but I can attest that I am the only person on the planet (or at least in my local vicinity) that does)

      --
      Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
    2. Re:The reason this doesn't affect *nix by Legion303 · · Score: 2
      That's not quite true. While it may be harder for a normal account to hose the entire system with *nix, local root exploits are a dime a dozen. A cleverly written trojan *can* take down your system from a normal user account if you aren't up-to-date on the latest security patches.

      -Legion

  53. How to deal with the lusers... by thogard · · Score: 2, Funny

    I've been reading lately that many geeks seem to have problems identifying some of the social clues that indicate to normal people that they are being picked on or ridiculed. Where I work there are two people that will have clicked on this thing before I arrive to clean it up. So exactly how do I point out to these lusers that some 16 yr old kid is doing the electronic equivalent of holding their very important work over a flushing toilet just to watch them worry. And they walked into the situation?

  54. Re:This would be worse in Linux by afidel · · Score: 2, Informative

    4) Own SMTP engine, so an Outlook script to warn that there's mail w/ attachments going out is useless. Linux is the perfect environment for a rogue program to set up its own little SMTP server and start spamming out copies of itself. The system is much more open to this kind of infection than a Windows-based machine.

    Umm no only root can bind to low numbered ports (of which port 25 is a member)

    5) New "method" of hiding file extension which is harder to see even if extensions are displayed. Again, for example, the worm writer could just make the file with a . in front of it and it would be hidden on most people's displays.

    And no, it would need to be chmod executable. Now this part could be automated by a stupid mail client writer but there is no currently popular unix/linux email client that does this!

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  55. Just like emacs is better than vi... by orius_khan · · Score: 2, Funny

    I simply assumed that people on Slashdot are above those biases. We are (mostly) computer and science enthusiasts, and, generally, those types are able to make well-informed decisions about things.

    Right. Just like Emacs is a clearly superior text editor to "vi", which is why there's never any discussion about it. Such issues are easily settled in a timely manner by us well-informed geeks!

    "640K ought to be enough for anybody"

    -- Some guy, I don't remember who...

    --
    Sometimes the best solution to morale problems is just to fire all the unhappy people.
  56. Re:problem with the users by taloobie · · Score: 2, Insightful

    Undoubtedly every online service must respect the less abled user community. However, there's a certain "literacy" level that must be enforced. Services should be intuitive and straightforward. However, if you've hopped on the net and a particular OS you've assumed the responsibility of staying informed and skilled.

    We're not talking about VCRs here. We're talking about a device that deals with the most private aspects of our lives - bank accounts, work, and personal conversations. You don't buy a boat you can't steer.

    Happy Holidays!

  57. That's why I don't use Windows! by Adrian+Voinea · · Score: 2, Interesting

    My office is now 100% Window-less as of about 6 months ago, but we're instead 100% Mac OS X (currently 10.1). It's great. I don't miss Windows at all, and the myth that you "can't get applications for the Mac" is such a load of cr@p.
    In fact, the new Office for Mac OS X is, in my opinion, much BETTER than the Windows version.
    Networking has been faster, too, and that's important to us. You'd never believe it, but it's cheaper too. No more calling for technical support or having someone on duty to fix problems with our systems. You just don't need it with a Mac because the hardware and software is so well integrated.
    The machines themselves have been CHEAPER for us. $1199 iMacs as clients and G4s to handle some of the heavier loads. It's worked great.
    And by the way... that 22" Apple flat screen is not only beautiful for working with, but it impresses customers too. I know it seems like a detail, but people have gotten the impression we're an upscale successful business because they see those screens and comment on them.
    I know I seem like a troll ranting about this or that, but I just want to get the word out, because I'm a very pleased Apple customer... and I'm laughing at myself for ever having used Windows for so long.

  58. All that has already been done!!!!!!!! by Mr+44 · · Score: 2, Interesting
    1. Stop auto-execution of content within Outlook. Ideally, make it impossible to execute content from a mail reader.
    Done. With the (free) Outlook Security Update, or Office XP, all executable (exe, vbs, etc) attachments are hidden by the client.
    2. Stop designing operating systems where the default user account has write access to system binaries. Make it easy enough to do basic administration without formal administrator access that users don't run with administrator access by default (NT, W2K, XP desktop use).
    Done. Win2k and XP both have System File Protection, which prevents system binaries from being overwritten. And XP makes it much easier to set up non-admin user accounts. The "runas" command makes doing occasional admin tasks really easy.
    3. Build bounds checking into Visual C++, at least as an option. Require programs under development to be tested with bounds checking on in order to detect buffer overflows.
    Done! Look up the -GS option on Visual Studio.net
  59. Irradiate the mail by filtersweep · · Score: 4, Insightful

    The post office has taken steps towards irradiating mail. Maybe more ISPs need to "irradiate" email.

    The consumer-level answer (repeated like a mantra) of course is to use anti-virus software, and I find it interesting (and conspicuous) that MS has stayed out of the anti-virus racket- but I suppose one cannot integrate AV software into the OS.

    It still boils down to individual "responsibility"- at home I run no AV software on my windows box, and I've never had a problem. I'm no windows apologist, but the fact remains that most people treat their PCs as if they are leaving their keys in the car, garage door unlocked, etc... I mean, it certainly is more "convenient" to ignore any security precaution in actual life (think airport)- but is it safe? And is it at all convenient to clean up after a security breach?

    Windows *has* most of the tools for a reasonable level of security if only people educate themselves and use them. The widespread problems people experience, such as this, boil down to NOT opening unknown attachments- which is email 101. This STILL boils down to an .exe attachment... it is boring. Show me an actual .txt file that can do some damage and I'm interested!

    --


    Those that suggest you "dance like no one is watching" really want to see you make a complete fool of yourself.
    1. Re:Irradiate the mail by 90XDoubleSide · · Score: 2
      Show me an actual .txt file that can do some damage and I'm interested!

      Well, this looks just like a .txt in Outlook, which is why it is so clever (for another stupid email worm).

      --
      "Reality is just a convenient measure of complexity" -Alvy Ray Smith
  60. Watch the commercial again... by srvivn21 · · Score: 2

    None of the people actually using XP get to fly. They are chained to a computer while they watch others fly by. Seriously. Watch it again.

    (Too bad adcritic is no more. They would have had an easily accessible copy of the commercial)

  61. IIRC... by chipuni · · Score: 2
    Name ONE Unix email client stupid enough to auto-execute code. Just one!

    I believe -- correct me if I'm wrong -- that was a problem with the mail client of emacs.

    --
    Never play leapfrog with a unicorn. Or a juggernaut.
    1. Re:IIRC... by (H)elix1 · · Score: 2

      Don't worry - Microsoft built an Outlook Express client for Solaris too.

  62. Hah! by Sanity · · Score: 2
    Linux and OSX are both based on the Unix security model, a fundamentally sound design refined by two decades of real-world practice
    Are you kidding? Security in Unix was an afterthought, and a kludge. The user/group/all methodology is totally inflexible, even NT has a more powerful and flexible file-system security mechanism, even if its user-security mechanism sucks.
    1. Re:Hah! by Mike+Schiraldi · · Score: 2

      The user/group/all methodology is totally inflexible

      Name one granular thing that you'd like to do with Unix security and don't think is possible, and I'll tell you how to do it.

    2. Re:Hah! by Sanity · · Score: 2

      Easy, allow a file or directory to have different permissions for multiple different groups.

    3. Re:Hah! by the+eric+conspiracy · · Score: 2

      Easy, allow a file or directory to have different permissions for multiple different groups.

      Try again. It's part of the POSIX ACL standard.

    4. Re:Hah! by Sanity · · Score: 2

      Try again. It's part of the POSIX ACL standard.

      Of course, anything is possible with the right extension, ACL isn't included as standard with any Unix AFAIK and certainly isn't a standard part of Linux. If standard Unix security was truly a "fundamentally sound design" then surely it wouldn't require extensions to perform such a simple task?
    5. Re:Hah! by the+eric+conspiracy · · Score: 2

      ACL isn't included as standard with any Unix AFAIK

      The fact is that all major commercial unices including SGI IRIX, Digital, HP and Solaris have ACL type extensions in one form or another.

      As far as what constitutes a 'standard' feature under Linux, that is difficult to say. What is quite clear is that there is support for ACLs in both the XFS file system port from SGI and in extensions to ext2/3.

      Samba will actually take advantage of these various ACL implementations and allow mapping of NT ACLs to UNIX hosted SMB shares.

  63. Credit Card Processing by Anonymous Coward · · Score: 4, Interesting

    A Credit Card Processor, CCBill has been hacked and credit cards were stolen. No mention of it on Slashdot. Is it because the site runs Apache/PHP?

  64. That wasn't his point at all. by Wakko+Warner · · Score: 3

    Please read what he said again.

    There is no perfect email system, and there never will be, but the way Microsoft does things is fundamentally wrong. The default "trust all attachments" behavior of Lookout and Lookout Express, coupled with the default behavior of hiding extensions for known filetypes, mated with most users' general inexperience in all things computer-related equates to one huge fucking train-wreck of a problem, wouldn't you agree?

    This whole mess could easily be avoided (or at least toned way, way down) if Microsoft would wise up and start shipping their mail clients (and their web browsers) with much more locked-down defaults.

    Yes, I'm picking on Microsoft. They're a huge company and a lot of people who simply don't know any better use their products. Their products ought to know better; don't leave security up to the end-user, and don't make the IT guy's job more tedious than it already is.

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  65. Not sure why this would only have a LOW risk.... by Lawmeister · · Score: 3, Informative

    Warning from McAfee: look at the file listing that it attempts to delete (according to McAfee):

    Files being Deleted on an example (win9x) system:
    - c:\WINDOWS\1STBOOT.BMP
    - c:\WINDOWS\ASD.EXE
    - c:\WINDOWS\CLEANMGR.EXE
    - c:\WINDOWS\CLSPACK.EXE
    - c:\WINDOWS\CONTROL.EXE
    - c:\WINDOWS\CVTAPLOG.EXE
    - c:\WINDOWS\DEFRAG.EXE
    - c:\WINDOWS\DOSREP.EXE
    - c:\WINDOWS\DRWATSON.EXE
    - c:\WINDOWS\DRWATSON
    - c:\WINDOWS\DRWATSON\FRAME.HTM
    - c:\WINDOWS\EMM386.EXE
    - c:\WINDOWS\HIMEM.SYS
    - c:\WINDOWS\HWINFO.EXE
    - c:\WINDOWS\JAUTOEXP.DAT
    - c:\WINDOWS\Kacheln.bmp
    - c:\WINDOWS\Kreise.bmp
    - c:\WINDOWS\LICENSE.TXT
    - c:\WINDOWS\LOGOS.SYS
    - c:\WINDOWS\LOGOW.SYS
    - c:\WINDOWS\MORICONS.DLL
    - c:\WINDOWS\NDDEAPI.DLL
    - c:\WINDOWS\NDDENB.DLL
    - c:\WINDOWS\NETDET.INI
    - c:\WINDOWS\RAMDRIVE.SYS
    - c:\WINDOWS\RUNHELP.CAB
    - c:\WINDOWS\SCRIPT.DOC
    - c:\WINDOWS\Setup.bmp
    - c:\WINDOWS\SMARTDRV.EXE
    - c:\WINDOWS\Streifen.bmp
    - c:\WINDOWS\SUBACK.BIN
    - c:\WINDOWS\SUPPORT.TXT
    - c:\WINDOWS\TELEPHON.INI
    - c:\WINDOWS\W98SETUP.BIN
    - c:\WINDOWS\Wellen.bmp
    - c:\WINDOWS\WIN.COM
    - c:\WINDOWS\WIN.INI
    - c:\WINDOWS\WINSOCK.DLL

    That would seem to be pretty destructive to me... Also strange that we can only get a beta DAT file and there is no mention on McAfee's virus alert pages that this thing is out there... tsk tsk, how many people will think this is a hoax and run it, fscking up their systems...

  66. Hardly... by Anonymous+Brave+Guy · · Score: 2
    But seriously, if this wasn't a troll and you really have these complaints you wouldn't be reading /. anymore, would you?

    Sure you would. My first thought was exactly the same: it's not a problem with Windows, it's a problem with a mail client that happens to come with Windows. For crying out loud, the patch for this vulnerability was out nearly a year ago.

    I read /. because it has some interesting news pieces that I follow, and occasionally some informed discussion on subjects that interest me. But I, too, get annoyed when the editors just slap anti-MS FUD all over the intros (and when they reject my submission but run the same story three days later from someone else, etc.). It doesn't do anything for the credibility of the site.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    1. Re:Hardly... by Chris+Burke · · Score: 2

      Not that it makes me cool (nothing could), but I've been around /. since its inception and I certainly don't remember /. ever having any credibility. I mean, I never believed Katz when he said that /. was the source of a great revolution... did you?

      --

      The enemies of Democracy are
  67. Re:Okay... so we can't fix the software or the use by leonbev · · Score: 5, Interesting

    You've never done corporate IT support, have you? Even if you could convince the pointy-haired bosses to accept these draconian security restrictions, the employees would attempt to lynch you for it. Business people don't like being told what they CAN'T do! They aren't like apathetic college students, who usually care less about the rules (unless it affects their precious beer supply).

    If a manager (Or a sales guy, or an accountant, whatever) is used to using IE at home and sending e-mails with pretty fonts and pictures attached, they'll demand that they can do it at work. They'll want to be able to read Word attachments from outside sources, and share files with their co-workers. If you say no, they'll just keep complaining louder to your manager and your manager's managers until someone forces you to cave in to their demands. Most of your changes will get shot down, and you'll put up with a lot of grief in the process.

    Most users don't give a rats ass about security, they just want to be able to do their jobs as quickly and easily as possible. If you try to get in their way, they'll fight you on every change until you get frustrated and give up.

    That's why it's important to make SMALL security improvements, and make them slowly. Start by blocking certain attachments on the server side, and continuously remind people not to click on unknown files. Make sure that your virus software runs automatic scans, and updates itself automatically. The users aren't going to do it for themselves, or at least not until they are already infected. Warn constantly, but never try to FORCE anything on your users unless it's absolutely necessary. The nastier you get, the more that they'll start ignoring you.

  68. Re:This would be worse in Linux by grammar+fascist · · Score: 5, Informative

    Umm no only root can bind to low numbered ports (of which port 25 is a member)

    Contrary to popular belief - and it's really, really prevalent on Slashdot nowadays, of all places - you don't need an SMTP server to send an email. You just need a client.

    All you need to do is open a connection to port 25 on an existing SMTP server to send an email to an address it assumes is its own, and send off a bunch of commands: HELO, MAIL FROM, RCPT TO, DATA, and QUIT.

    Try it sometime. Telnet to a mail server on port 25, and type the following commands, without using the backspace key:

    HELO heaven.gov
    MAIL FROM: god@heaven.gov
    RCPT TO: <actual email address>
    DATA
    I've been watching you. Your fly is down.
    .

    QUIT

    Make sure the email address domain is one that the mail server will answer for, otherwise you'll get an error saying it won't relay for you. (Usually.) And make sure the user is a valid user on that domain. If those two requirements are met, you've sent an email - without needing an SMTP server, I might add.

    So if you don't need a server, you don't need to bind a port, and a worm like this could spread through Linux systems the way it spreads through Windows systems.

    --
    I got my Linux laptop at System76.
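    The exchange described in the post above, as an added example (not code from the original post or from any real mail server): the receiving side of the HELO / MAIL FROM / RCPT TO / DATA / QUIT dialogue as a small state machine, including the "won't relay for you" refusal the post mentions. The hostnames, mailboxes and reply texts are constructed; a real MTA's wording will differ.

```python
"""Receiving side of the SMTP exchange quoted above, as a small state machine.

Added example (hypothetical code, not any real MTA's implementation). It shows
what the server answers to HELO / MAIL FROM / RCPT TO / DATA / QUIT, and where
the "won't relay for you" refusal the post mentions comes from: a recipient
whose domain the server does not answer for is rejected at RCPT TO.
"""
from dataclasses import dataclass, field


def _address(arg: str) -> str:
    """Extract 'user@domain' from 'FROM: <u@d>', 'TO:u@d', 'FROM: u@d', etc."""
    addr = arg.split(":", 1)[1] if ":" in arg else arg
    return addr.strip().strip("<>").lower()


@dataclass
class SmtpSession:
    local_domains: frozenset      # domains this server accepts mail for
    local_users: frozenset        # mailboxes that exist on those domains
    state: str = "INIT"           # INIT -> HELO -> MAIL -> RCPT -> DATA
    sender: str = ""
    recipients: list = field(default_factory=list)
    body: list = field(default_factory=list)
    delivered: list = field(default_factory=list)   # (sender, rcpts, text)

    def handle(self, line: str) -> str:
        """Return the server's reply to one client line ('' while in DATA)."""
        if self.state == "DATA":
            if line == ".":                            # lone dot ends the message
                self.delivered.append(
                    (self.sender, tuple(self.recipients), "\n".join(self.body)))
                self.sender, self.recipients, self.body = "", [], []
                self.state = "HELO"
                return "250 2.0.0 Ok: queued"
            # Dot-unstuffing: a body line that began with '.' was sent as '..'.
            self.body.append(line[1:] if line.startswith("..") else line)
            return ""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "QUIT":
            self.state = "CLOSED"
            return "221 2.0.0 Bye"
        if verb in ("HELO", "EHLO"):                 # also resets any open transaction
            self.sender, self.recipients = "", []
            self.state = "HELO"
            return "250 mail.example.com Hello %s" % (arg or "unknown")
        if self.state == "INIT":
            return "503 5.5.1 Error: send HELO/EHLO first"
        if verb == "MAIL":
            if self.state != "HELO":
                return "503 5.5.1 Error: nested MAIL command"
            self.sender = _address(arg)
            self.state = "MAIL"
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.state not in ("MAIL", "RCPT"):
                return "503 5.5.1 Error: need MAIL command"
            rcpt = _address(arg)
            domain = rcpt.rpartition("@")[2]
            if domain not in self.local_domains:
                # The refusal the post describes: not a domain we answer for.
                return "554 5.7.1 <%s>: Relay access denied" % rcpt
            if rcpt not in self.local_users:
                return "550 5.1.1 <%s>: Recipient address rejected: User unknown" % rcpt
            self.recipients.append(rcpt)
            self.state = "RCPT"
            return "250 2.1.5 Ok"
        if verb == "DATA":
            if self.state != "RCPT":
                return "503 5.5.1 Error: need RCPT command"
            self.state = "DATA"
            return "354 End data with <CR><LF>.<CR><LF>"
        return "500 5.5.2 Error: command not recognized"


def run_transcript(session: SmtpSession, client_lines: list) -> list:
    """Feed client lines in order; return (client line, server reply) pairs."""
    exchange = []
    for line in client_lines:
        reply = session.handle(line)
        if reply:
            exchange.append((line, reply))
    return exchange


if __name__ == "__main__":
    # Constructed session: the post's transcript aimed at a mailbox this server
    # hosts, plus one RCPT TO for a foreign domain to show the relay refusal.
    session = SmtpSession(frozenset({"example.com"}), frozenset({"alice@example.com"}))
    for client, server in run_transcript(session, [
        "HELO heaven.gov",
        "MAIL FROM: god@heaven.gov",
        "RCPT TO: <alice@example.com>",
        "RCPT TO: <someone@elsewhere.example>",
        "DATA",
        "I've been watching you. Your fly is down.",
        ".",
        "QUIT",
    ]):
        print("C: %s\nS: %s" % (client, server))
```

The same refusal is why the post says the target domain must be one the server "will answer for": a server that accepted the foreign RCPT TO would be an open relay.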
  69. Objectivity by mizhi · · Score: 2
    Since when has the slashdot crew ever claimed they were objective? Yeah, I agree, /. editors are rather immature at times about *nix vs MS. I read their comments with that in mind even if I do agree with them sometimes. You are perfectly free to continue reading /. and to continue bitching about the constant MS editorializing by the crew, but my opinion is that if you don't want to read it, then don't read /. because I don't think that they're going to change.

    YAY KARMA PLUMMET! :-D

    --
    Humorless sig goes here.
  70. Re:problem with the users by Mike+Schiraldi · · Score: 2

    I agree that everyone should have a basic level of skill and training when it comes to such things as driving a car, being healthy, or operating a computer. However, the fact that millions of people still click email attachments called FOO.MP3.exe shows that such intricacies of computer security are too much for the average user.

    Plus, people can't be on guard 24 hours a day. They have a job to do, and it probably has very little to do with file extensions.

  71. Re:Availability by Sethb · · Score: 2

    I haven't been able to confirm existence of this worm either. Has anything shown up on any other security site? I'm still at work, hoping for some virus defs so I can update all our machines before I go home for the night...

    --
    When in danger or in doubt, run in circles, scream and shout. --Robert A. Heinlein
  72. Bias and Journalism by nyet · · Score: 3, Insightful

    The idea that "unbiased" journalism is somehow superior is simply wrong. Not because being unbiased is inherently wrong (it's not; the opposite is true, being unbiased is always superior), but because there simply is no such thing as "unbiased" journalism.

    I don't know about you, but by FAR the reporting that holds value for me is the kind where the bias is KNOWN. Ever see "The Insider"? Wouldn't you like to know if there is bias mucking with your news organization?

    You are living in a DREAM world if you think your news organizations are giving you unfiltered, unbiased news.

    Time to wake up and do a bit of research, son.

    Either that or yours was a masterful troll.

  73. All news is slanted. by JeremyYoung · · Score: 2

    All news is slanted, learn it, deal with it, read a variety so you don't fall prey to slant. Let Slashdot be Slashdot. They may lose credibility for offering slant, but you're not going to suddenly reverse that trend by posting telling them to stop.

    All news is slanted, read a variety and if you're lucky you'll get a reasonable perspective.

    --

    Go Lakers!

  74. Re:Get a Mail FIlter Already!!! [Like batemail] by ryanvm · · Score: 2

    WARNING: THIS IS A PLUG FOR MY MAIL FILTER

    I got sick and tired of cleaning viruses off my users' machines and I didn't like any of the current GPL mail filters out there, so I wrote my own!

    It's called batemail. Written in Perl, batemail scans incoming email messages for executable attachments. On finding an executable attachment, batemail saves the attachment on the server (optional) and replaces it with a nice little notice explaining what happened.

    Go ahead and try it. It's been saving my ass for over 6 months now.

  75. no, knowledge to help. by Erris · · Score: 4, Interesting
    Remember, the men behind /. are kids fresh out of school, without any business tact (not that I've shown much, but I'm not being paid to be here...).

    Let's see, I'm 35 and work for a US national sized company. They have not fired me yet, so I must have some tact.

    I'm interested in all the windows worms and I'm glad that Slashdot documents them. Here disasters that cost companies that trust M$ millions of $ are treated rather coolly, except by folks like me. You see, here I get to scream my head off about how stupid, irresponsible and incompetent the exchange group is. You don't think I'd actually tell anything to the moron who "standardized" on Exchange then got clobbered by all this? I mean, they tried very hard. They spent all the company money on all the band-aid virus checkers, commercial mail filters and what not. Heck, they are still trying very hard to recover all the contacts, email, calendar events, daily journals and what not that contained the characters "hi" in them? Nah, they might get their feelings hurt if they learned how badly the company they trusted let us all down. Here I can scream it all out loud, share laments with others who suffer and more important, learn exactly why such things happen and why they will always happen when you do things the M$ way. Slashdot is teaching me with good and bad examples of how to do things. Shame on M$ for the way they do things. Here I can gloat and bitchslap trolls like you in a way that would get me shitcanned at work. When I'm finished learning good concepts and taking out my frustration on losers like you, I can gently suggest things to my co-workers that might improve the place I work. I don't have to gloat about new viruses, the NAV packs and viruses themselves do that for me.

    --
    DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
  76. Competition... by sporty · · Score: 2

    Think of it, if there was more competition, and the numbers were more even, say like Pepsi and Coke are (I think), imagine how many fewer people this would have affected. Just a thought..

    --

    -
    ping -f 255.255.255.255 # if only

  77. Slashcode another victim? by SilentChris · · Score: 3, Interesting
    "as well as using a bunch of spaces to disguise the true extension of the executable"

    You mean the same way some trolls are now hiding Goatsex links by putting a popular site in the front of the url (like Yahoo), having it show [yahoo.com] on Slashdot, then redirecting the user to Goatsex?

    Windows isn't the only one with flaws...

  78. Re:problem with the users by Wire+Tap · · Score: 2

    Thank heavans their not a clueless Computer Science major!

    Thank heavans you are not an English major.

    --

    Man is born free; and everywhere he is in chains.

  79. Re:This would be worse in Linux by nathanh · · Score: 3, Insightful
    Contrary to popular belief - and it's really, really prevalent on Slashdot nowadays, of all places...

    To be "popular belief" it would need to be a prevailing opinion. The post you responded to is proof of just one person who knows less about SMTP than they thought they did. Hardly prevailing.

    What is really popular right now is the "hate Slashdot" meme. It seems to be trendy to bash Slashdot, people who read Slashdot, people who post to Slashdot, and so on.

  80. Re:Duplicate moderation (OT) by "Zow" · · Score: 2

    Okay, it may be in poor form to reply to one's own post, but I have to express my feelings to the moderators (as futile as it may be). Why? I got three people who labeled this post as a troll, and one redundant.

    Let's start with the easy one: it wasn't redundant - I checked the comments before I posted. I didn't see any other post that attempted to make light of the fact that there were two windows security stories in just as many hours.

    Now for the Trolls. You people don't understand what a troll is. A troll is a beast of a post that adds nothing to the discussion, but serves to demean the general humanity of the average slashdot reader. The name troll stems from the passing of Jon Postel (if memory serves - I'm 99% sure on this one), when some trolls started to post offensive comments such as "good riddin's" and the like. At the time, Slashdot was just starting to gain real mainstream exposure and as such, many high profile Internet pioneers had just started to read it. There were many unkind words from them regarding the level of respect that was being expressed towards their friend and colleague, and I'm sure many dismissed /. altogether after that. It was generally thought that there needed to be a label for these types of posts to separate them from other types of negative posts (flamebait/offtopic/etc), because there is this perception of being worse. To get back to my point, I don't believe that my post in any way insults anyone's basic dignity and it was by no means meant to troll.

    Now, I did rather expect that it would be moderated three ways:

    1. Funny - that is after all the intent behind the message and many of the other readers here share my warped sense of humour.
    2. Flamebait - for the humour impaired, my comment could be taken to be nothing more than a jab at our friends at Microsoft.
    3. Overrated - should someone understand that I was trying to be funny, but just think I failed miserably.

    You only have five points. Use them wisely.

    -"Zow"

  81. Gross negligence by Animats · · Score: 2

    This could be gross negligence by Microsoft. They installed a secret privileged program that runs in every Microsoft XP system. This program waits for messages from any outside user and acts upon them. No client system should have something like that installed by default. Microsoft has a whole security system in NT/Win2K/XP; if they wanted to implement a service, it didn't have to run at a high privilege level. They effectively shipped a system with a secret server that runs as root. This is so stupid as to potentially be criminal in states that have "reckless endangerment" laws. (Under the Penal Law, a person acts recklessly when he or she is aware of, but disregards, a substantial and unjustifiable risk that a result will occur or that circumstances exist, where such disregard constitutes a gross deviation from the standard of conduct that a reasonable person would have observed (New York State Penal Law 15.05[3]).)

  82. Re:Okay... so we can't fix the software or the use by freeweed · · Score: 4, Interesting
    If a manager (Or a sales guy, or an accountant, whatever) is used to using IE at home and sending e-mails with pretty fonts and pictures attached, they'll demand that they can do it at work.

    If any of these employees wore a bathrobe to the office, and sat all day watching television, I'd fire their ass in no time flat. Yet they do this at home all the time.

    I don't mean to come off as a flame, as I agree for the most part with your post, but employees are paid to do a job, and to do as *I* the employer says with *my* equipment. A huge problem with email viruses is that because they're computer related, we somehow feel we shouldn't be able to hold employees accountable for their actions. If an employee doesn't want to lock his house door, fine. If he leaves my office door unlocked after hours, he's gone. When I tell an employee "DO NOT open email attachments" and they do, I'm sorry, but the employee is at fault.

    --
    Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
  83. Re:This would be worse in Linux by moyix · · Score: 2, Informative

    I've seen quite a few comments along the lines of "you don't need a server running to send e-mail!" While this is technically true, the fact of the matter is that this worm does (if I'm reading what's here correctly), in fact, run its own SMTP server. Therefore, in this specific instance at least, the worm's impact would be minimized by denying non-admins access to low ports.

  84. It's worse than you think. by Futurepower(tm) · · Score: 2


    A lot of people don't realize how bad the situation is with Microsoft. They read a story on Slashdot, and think that Slashdot is exaggerating the problems. The opposite is true. There are many, many problems you never hear about on Slashdot. For example, this just arrived:

    Title: SQL Server Text Formatting Functions Contain unchecked Buffers.
    Date: 20 December 2001
    Software: Microsoft SQL Server 7.0 and Microsoft SQL Server 2000
    Impact: Run code of attacker's choice on server, denial of service
    Max Risk: Moderate
    Bulletin: MS01-060

    Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS01-060.asp.


    If you read all the advisories, it is possible to come to the conclusion that there seems to be a lot of sloppy code in Microsoft products.

    --
    The U.S. government causes problems, then pretends to solve them by creating more: What should be the Response to Violence?

    --
    Bush's education improvements were
  85. Re:Okay... so we can't fix the software or the use by Phroggy · · Score: 2

    You sound like someone who would like to be in an IT department, but never has been. Most of your suggestions explicitly violate company policy at most large corporations.

    1. Many intranet Web sites only work correctly in Internet Explorer, because of incompetent coders. This could be fixed by firing the web design staff and hiring new ones for more money, and training them in company procedures and such. Sometimes, sites operated by your vendors don't work correctly in other browsers; this cannot be fixed.

    2. Managers really like Outlook. Exchange does have some nice features. People like the convenience of being able to embed a table in their e-mail message just by copying and pasting from Excel to Outlook, and having it open as a normal e-mail without the recipients having to save an attachment and launch Excel. Bottom line is, managers like it, and they're the ones who pay your salary.

    3. Many companies wouldn't punish that, if the user didn't know they were doing it. So, it's already being treated the same way.

    4. Documents that employees create that could potentially be saved in RTF files are not the cause of virus propagation. Restricting users wouldn't help.

    By the way, regarding #1, my preferred browser is Mozilla. I work for a large DSL ISP. Our internal database system doesn't work in Mozilla. One of the internal telco web sites we use doesn't work in Mozilla. Another internal telco web site might work in Mozilla, except it uses Java for something, and when I tried to get Java to work it crashed.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  86. Two things: by fractaltiger · · Score: 2, Funny

    Wow, it has its own mailer engine? I am genuinely interested in acquiring it to see how I can use it for good things so that I won't have to use Outlook all the time. Does this mailer work as a spam mailer?

    This program can send mail using only 110K of code. Outlook is pretty big. Why do viruses have to be so DAMN efficient?

    --
    "Wireless : LAN :: Laptop : Desktop"
  87. Re:Duplicate moderation (OT) by (H)elix1 · · Score: 2

    I thought it was funny - if the thought counts. Got nailed myself the other day on a joke that was modded poorly (IMHO).

  88. Re:Patch for this was released 9 months ago.. by 90XDoubleSide · · Score: 2
    The patch for this was released 9 months ago

    The patch to preventing things from automatically executing in MS internet tools 5/5.5 was released 9 months ago, although if the author was smarter s/he could have used the newer vulnerability in MS internet tools 5/5.5/6.0, which many still haven't patched.

    In any event the worm is of interest only because it masquerades as a harmless .txt file in hopes of getting novice users to execute it, which thousands no doubt will, if past indications are of any relevance.

    I think it is important, however, to point out that this one occurred through no fault of Microsoft; even the most ardent MS-basher has to admit they couldn't have seen this kind of trick coming (although they would only need to look back 2 articles to find another MS security flaw :)

    --
    "Reality is just a convenient measure of complexity" -Alvy Ray Smith
  89. Re:problem with the users by (H)elix1 · · Score: 2

    people still click email attachments called FOO.MP3.exe

    Joe six-pack does not know to turn off hidden file extensions - thus they see FOO.MP3, which looks safe to them.

  90. Re:Not sure why this would only have a LOW risk... by Pete+(big-pete) · · Score: 2

    Maybe you'd like to know how McAfee assesses risk?

    There are also more details available about AVERT Risk Assessment if you are really interested.

    -- Pete.

  91. Still waiting for the LEGAL virus. by Restil · · Score: 4, Funny

    Imagine if you will....

    You get an email with an executable attachment.

    The attachment executes automatically, because we WANT it to do that.

    Upon execution, a EULA pops up, with a "licence agreement" that states the following:
    - The program being executed will automatically forward itself to a significant number of people using a variety of means
    - Some type of modification will take place to your file system.
    - By clicking OK you AUTHORIZE this to happen, and claim full responsibility for any damage that is caused as a result.

    And most importantly, if the cancel button is pressed, the program won't execute.

    Chances are good that 90% of the people who would be affected by an illegal virus will just as happily click OK without reading anything. The fact of the matter is, the virus will cause the same amount of damage, but the author could probably plaster his name all over it and not fear any legal repercussions.

    Of course, there's always the issue of intent. Bottom line, authorized or not, the INTENT of the program was to cause havoc of the same nature as a virus. But in the end, it would sure make an idiot out of anyone who spread it.

    And maybe, just maybe, it MIGHT result in people actually READING the EULA's. Yeah.. I know.. I'm dreaming.

    -Restil

    --
    Play with my webcams and lights here
    1. Re:Still waiting for the LEGAL virus. by mr3038 · · Score: 2
      And maybe, just maybe, it MIGHT result in people actually READING the EULA's. Yeah.. I know.. I'm dreaming.

      Or it might finally result in making ALL "press enter to agree" EULAs to be void. Yeah... I'm dreaming.

      --
      _________________________
      Spelling and grammar mistakes left as an exercise for the reader.
  92. Re:problem with the users by Restil · · Score: 2

    It's a tradeoff between power, protection, and usability.

    Cry as I might at the lamebrained nature of something like the WebTV, it does indeed serve a purpose. It provides a virtually idiot proof websurfing experience for those who probably have difficulty operating their remote control. Of course, the webtv is a seriously limited application, but Joe Bob "I've done gotten on that there internet!" is virtually incapable of fucking it up.

    Add a more versatile operating system, with multiple input devices, and hard disks, and floppy drives, and Instant messengers, and buggy email programs.. sorry, I mean fully featured email programs that run your attachments automatically.. Add all that in, and you increase usability but decrease protection from yourself. And yes, a lot of users need protection from themselves. WebTV was designed for those very people. Sadly though, they've chosen to wield a chainsaw when they can't handle a butterknife.

    This is sad for numerous reasons. It's these very problems that are causing certain small software companies to offer largescale networks where mission critical data will be stored online somewhere. Because it's safer there. All these problems we've been causing you create the need for us to provide you with a safe place to put your data. For a nominal monthly fee. And we're virtually certain we won't corrupt it. This is borderline extortion.

    So engineer an idiot proof system and shove all the idiots there. They'll still leak out. AOL will make certain that any idiot can get on the internet, and they're doing a damn good job of it I might add. And so the cycle will continue. Idiot users will use insecure operating systems and the worms/viruses will always have fertile breeding ground.

    What can ya do?

    -Restil

    To play with my webcams and lights, check out http://206.54.177.105

    --
    Play with my webcams and lights here
  93. Re:poor appology by mpe · · Score: 2

    There is nothing inherently convenient in the stupid single user mode M$ chose to keep.

    Indeed there are plenty of inherently inconvenient things (for the end user) connected with the MS model. Specifically where the end user ends up expected to carry out system administration and configuration tasks. Rather than having "local admins", "power users", etc a lot of the time what's needed is a "Let it think it can write to any file" VM or even an overlay file system to handle apps written with single user/no file protection assumptions.

  94. Re:Oh, stop with the Windows security remarks alre by mpe · · Score: 2

    however, the steps MS has taken to make Windows 'user-friendly' make it EASIER to take advantage of those holes

    Considering that some of these features are more often used by malware than by users. Indeed, typically users don't even know the "feature" is there. Maybe "virus friendly" would be more applicable than "user friendly".

  95. Re:Oh *please*. Like M$ Office is "user-friendly" by mpe · · Score: 2

    Just watch some poor sap trying to write a resume and running into the auto-format and auto-complete stuff.

    Tweak these a little and you have a cipher machine instead of a word processor. They can be a real big problem on networks where several users use a machine...

  96. The great Outlook patch that nobody uses by Mr_Silver · · Score: 5, Informative
    Since this submission was rejected by the editors, I think that here is going to be as good a place as any for it.

    Have a read of this article at Wired entitled "The Great MS Patch Nobody Uses". (brief extract below).

    A free, downloadable update that transforms Microsoft's Outlook into a significantly more secure e-mail application has languished virtually ignored on Microsoft's website for more than a year.

    Although the majority of recent viral attacks have come compliments of worms that don't rely only on e-mail to spread, the Outlook E-mail Security Update (OESU) can stop or greatly lessen the impact of most malicious code, such as BadTrans and SirCam, if only people would download and install it.

    OESU blocks the receipt and transmission of most of the e-mail attachments that typically can contain virus or worm code. The update also stops malicious code from spreading by blocking unauthorized access to Outlook and its address book. Many viruses and worms spread by surreptitiously e-mailing themselves to e-mail addresses culled from an infected computer's system files.

    Funny how if the other 99% of people had this patch then virus spreading would drop drastically.

    --
    Avantslash - View Slashdot cleanly on your mobile phone.
  97. Picking out Microsoft software for my company. by synq · · Score: 2, Interesting

    In 1997 (I think it was, though it could have been 1998) the company I work for, Delft Hydraulics, used Z-mail as the Windows platform e-mail client (they used popmail, a text-based e-mail client, on DOS).

    I was presented the task of picking out a browser and an e-mail client for the Windows 95 platform we were preparing to roll out (about 400 computers used by the people that design dykes and harbours for places all over the world).

    I knew some software but to be fair I started looking around for all kinds of e-mail packages and browsers. Z-mail was not really an option because it was unstable and required a lot of ram. After playing around with some five or six different e-mail packages the choices became evident.

    The advantage of having a browser/e-mail combination ruled out all of the separate e-mail programs, not that I found a lot of great ones. (Pegasus, Z-mail, pine, IMC and Eudora were all missing some functionality I wished for our company.)

    So the choice was between Microsoft's Internet Explorer in combination with Outlook Express (I never considered Outlook an option since we use sendmail for mail exchange from the early beginnings of the internet in the 80's) or Netscape Communicator (including Navigator, Mail, Calendar and some more stuff).

    I summed up the advantages and disadvantages for all products and stated that the software of my choice was the Netscape package.

    But, my superiors ruled out Netscape. They did not want to pay $50,- per computer for 'just a browser and an e-mail package' when they could get Internet Explorer and Outlook Express for 'free'. Back then I was in no position to tell them the $50,- was really worth not using all software of one vendor. Today I could, but not back then. So am I to blame for getting Outlook Express into the company?

    1 month after we started to roll out Windows 95 everywhere, the Netscape Communicator package was suddenly available at no cost. But by then Netscape had lost and Microsoft had put its monopoly foot deep into our company.

    We are still using Windows 95 with Microsoft Office and Internet Explorer and Outlook Express to this very day. All email virus and worm checking is performed by our e-mail server, and a strong firewall in combination with PC virus-checking software should keep browser viruses out.

    --
    sig not found
  98. Re:Easier method of prevention... by pipeb0mb · · Score: 2, Funny

    Not_a_Virus_.exe

    :-)

  99. zdnet for unbiased reporting? by EnderWiggnz · · Score: 2

    right...

    good thing MS doesn't have a large stake in ZDNet, or else I'd worry about the bias in their reporting.

    at least with /., you KNOW they hate MS. ZDNet pretends to be unbiased, but it's just an MS shill.

    --
    ... hi bingo ...
  100. Nonsense by FreeUser · · Score: 2

    If standard Unix security was truly a "fundamentally sound design" then surely it wouldn't require extensions to perform such a simple task?

    Nonsense.

    There are many fundamentally sound designs which do exactly what is intended, and required, and are then extended in some form because creative people have come up with a new problem domain in which they would like to use the aforementioned design.

    UNIX security is fundamentally sound. However, some users want greater flexibility than the basic UNIX security implementation allows, without losing the fundamentally sound security UNIX offers. Enter an extension (in this case ACLs) to an already fundamentally sound system.

    In short, your logic is flawed. The desire to build upon and extend something does not in any way imply it is not sound in its own right, any more than the desire to build a fifty-story building implies that the underground foundation and sub-basements are somehow not "fundamentally sound."

    --
    The Future of Human Evolution: Autonomy
    1. Re:Nonsense by Sanity · · Score: 2
      By your reasoning virtually everything is "sound" since if it doesn't meet people's needs, it can be extended to do so.

      If Unix security was so sound then why is it so easy for me to write a virus, put it in a .deb or an .rpm, and gain control over someone's computer? The only thing which makes Unix appear more secure is the relative lack of insecure applications such as MS Outlook, and the relative disinterest virus writers seem to have in writing Unix viruses.

  101. Same here by budgenator · · Score: 2

    My wife's almost exactly the same and has no problem; sure, she needs me to occasionally admin something or install something, but so does the boss on a WindowsME® machine, what's the diff?

    The biggest diff is Microsoft® all but pays OEMs to pre-install Windows®. Once I was spec'ing a SCO boxen and the local 'puter store responded to my telling them that a Windows install was unnecessary: "for $40.00 we'll remove the software"!

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
  102. Re:You left out the real reason by Sloppy · · Score: 2

    That's the point the MS apologists seem to be missing. Lots of programmers can make the kinds of mistakes that lead to buffer overflow vulnerabilities, etc. But the vulnerabilities you listed aren't something that merely stupid/unskilled/inexperienced programmers can make. This class of mistakes requires something a little extra: stupidity combined with arrogance. It is the combination which Londo Mollari praised as being so efficient, and I guess Microsoft is a very efficient company. No other software company has the ability to combine those two qualities so efficiently.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  103. Re:Something is wrong with the icon by OpCode42 · · Score: 2

    Right, it's been a while since I used Windows, but this is what I guess is happening.

    The email is faking the mime type, and telling windows that the attachment is text, hence displaying the notepad icon.

    When the attachment is double-clicked, Windows sees the .pif extension and runs it as a .pif.

    I have been able to mess about with this type of MIME/extension trickery and make a web page open a Word document with the content "You tosser! This could have been a virus!"
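
    A defender-side check for the two tricks this thread describes (the long run of spaces that pushes the real extension out of view, and a text/plain content type declared over a .pif so the reader sees a notepad icon), plus the kind of executable-attachment blocking that the Wired article quoted in comment 96 attributes to the Outlook E-mail Security Update. This is an added example, not code from any commenter or from Microsoft; the extension list, the "three or more spaces" threshold, the reason codes and the sample message are all constructed assumptions chosen for the illustration.

```python
"""Scan an e-mail for padded filenames, executable extensions and MIME type
mismatches. Added example; the thresholds and lists are assumptions."""
import re
from email import message_from_string

# Assumed set of extensions Windows will execute when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}

# MIME types that imply a harmless document; an executable extension under
# one of these is the "notepad icon" mismatch described in the thread.
BENIGN_TYPES = {"text/plain", "image/jpeg", "image/gif", "image/png"}

# A non-blank character, three or more whitespace characters, then the real
# extension: "notes.txt<many spaces>.pif". The threshold is an assumption.
PADDED_NAME = re.compile(r"\S\s{3,}\S*\.[A-Za-z0-9]+$")


def real_extension(filename: str) -> str:
    """The extension the OS acts on: the last dot-suffix, trailing blanks removed."""
    name = filename.rstrip()
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[1].lower()


def attachment_reasons(filename: str, content_type: str) -> list:
    """Reason codes for one attachment; an empty list means nothing looked odd."""
    reasons = []
    ext = real_extension(filename)
    if PADDED_NAME.search(filename):
        reasons.append("padded-filename")
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable-extension")
        if content_type.lower() in BENIGN_TYPES:
            reasons.append("type-mismatch")
    return reasons


def scan_message(raw: str) -> list:
    """Walk every non-multipart MIME part that carries a filename and report on it."""
    msg = message_from_string(raw)
    report = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue  # body text, not an attachment
        ctype = part.get_content_type()
        report.append({
            "filename": filename,
            "content_type": ctype,
            "reasons": attachment_reasons(filename, ctype),
        })
    return report


# Constructed sample message (not a real capture): one padded .pif declared as
# text/plain, followed by an ordinary JPEG.
SAMPLE_MESSAGE = "\n".join([
    "From: sender@example.invalid",
    "To: recipient@example.invalid",
    "Subject: see attached",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="BOUND"',
    "",
    "--BOUND",
    "Content-Type: text/plain",
    "",
    "take a look at the notes",
    "--BOUND",
    'Content-Type: text/plain; name="notes.txt                                  .pif"',
    'Content-Disposition: attachment; filename="notes.txt                                  .pif"',
    "Content-Transfer-Encoding: base64",
    "",
    "TVo=",
    "--BOUND",
    'Content-Type: image/jpeg; name="photo.jpg"',
    'Content-Disposition: attachment; filename="photo.jpg"',
    "Content-Transfer-Encoding: base64",
    "",
    "/9j/",
    "--BOUND--",
])

if __name__ == "__main__":
    for entry in scan_message(SAMPLE_MESSAGE):
        print(repr(entry["filename"]), entry["content_type"], entry["reasons"])
```

    The check keys on what the operating system will actually do with the name (the last dot-suffix) rather than on what the declared MIME type or the visible prefix suggests; a gateway that blocks on `executable-extension` alone already covers the padded case, and `type-mismatch` is the signal worth alerting on even when the extension list is deliberately kept short.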

  104. More (Microsoft-inspired and paid?) Nonsense by FreeUser · · Score: 2

    By your reasoning virtually everything is "sound" since if it doesn't meet people's needs, it can be extended to do so.

    Nonsense.

    I merely stated that wishing to add additional functionality to an already sound system does not, in any way, imply that the aforementioned system is unsound. The discussion was about adding and extending functionality, which is not at all the same thing as fixing an inherent flaw in design or implementation. Hint: fixes repair flaws which break things; extensions merely add functionality (and perhaps add new flaws as well, but creeping featurism is a subject for another day). Your comment clearly confuses the two.

    UNIX security meets the fundamental need it is designed to address: keeping a multi-user system secure from the depredations of the malicious and/or the inept. It is fundamentally sound and has withstood the test of time very well, certainly better than its most well-known competitor.

    If Unix security was so sound then why is it so easy for me to write a virus, put it in a .deb or an .rpm, and gain control over someone's computer?

    That is, of course, more nonsense. In the case of RPMs you would need to compromise the maintainer's secret GPG/PGP key to have your trojanned RPM installed. Similarly you would need to gain trusted access to deb servers in order to get your trojan deb disseminated (though the maintainers have not, as of yet, begun using GPG signatures in earnest the way they should. Even so, good luck cracking an apt-get server ... it is most likely running on a robust UNIX box, protected by a fundamentally sound security paradigm (remarkably identical to what is being discussed here)).

    Both are non-trivial problems (cracking GPG signatures and breaking into RPM/DEB servers) ... far easier to exploit one of the countless gaping holes in Microsoft's Operating Systems and Internet Server packages.

    The only thing which makes Unix appear more secure is the relative lack of insecure applications such as MS Outlook, and the relative disinterest virus writers seem to have in writing Unix viruses.

    There is a reason for the lack of insecure applications, and the lack of interest on the part of virus writers in writing UNIX viruses, worms, and the like. The fundamentally sound and well tested UNIX security paradigm makes it difficult to write viruses, or worms, which have any significant ability to spread or to cause any but the most localized of damage (localized to one user, unable even to damage the rest of the machine, much less do anything to remote machines). There are occasional bugs, and occasional exploits which result, but the underlying design and paradigm are sound and very well tested, and UNIX systems as a whole tend to be quite secure. A virus/worm/trojan author is going to find little fulfillment in writing attacks with such limited applicability and impact.

    Microsoft, on the other hand, has extended what amounts to an open invitation to such people to attack its platform, with its shoddy security policies, flawed implementations, and willingness to keep information on security flaws out of the hands of security professionals and network administrators for extended periods of time, even denying such flaws exist, while the system cracker underground freely exploits them. Why write a virus, worm, or trojan that has to talk the user into doing something they normally wouldn't, and when finally run can only harm that user's home directory and has little if any ability to spread beyond that machine or infect much of anything else? Far easier and more rewarding to those of malicious intent to throw together a quick VB script which accepts one of any number of Microsoft's invitations to mayhem, with often devastating results.

    --
    The Future of Human Evolution: Autonomy