Slashdot Mirror


New Virus Can Strike Via HTML E-Mail

cmeans and lots and lots of others have pointed us to this MSNBC article about yet another e-mail virus. Quote from the story: "The virus can only run if Internet Explorer 5.0 with Windows Scripting Host is installed (standard in Windows 98 and Windows 2000 installations). If security settings for Internet Zone in IE5 are set to High, the worm will not be executed. It does not run on Windows NT." ZDNet also has a story about this "Bubbleboy" virus. Update: McAfee weighs in too. (Thanks, Jade.) Consider yourself warned.

334 comments

  1. Gloat by antizeus · · Score: 1
    Insert lots of gloating about not running MS software here.

    --
    -- $SIGNATURE
    1. Re:Gloat by howardjp · · Score: 2

      It is not about not running MS software. Any OS is going to be attackable. It is because UNIX users tend to know more about how their computers work and how to secure them. They also know what is a risky behaviour and avoid or only walk into it with extreme caution.

      Even a well-maintained Windows system is not going to be attacked by a virus very easily. I have been running Microsoft software for going on 15 years now and have never had a problem. This is because I take good care and I know how things work. If Windows users were educated about how to properly manage a system, there would be few successful attacks.

    2. Re:Gloat by bartyboy · · Score: 1

      Werd.

      I don't run anything that I haven't compiled, or any binary that came from a reputable source/mirror. And because I use Linux, if another user on this system decides to compile and run crap they don't understand, they're the only ones affected.

      Maybe it's a practice left over from the good old days of MS-DOS and the virus paranoia associated with it.

      Bart.

    3. Re:Gloat by rmull · · Score: 1

      Any OS is going to be attackable? That is simply not true. The problem is a bug in Microsoft's scripting code. This bug is not present in other email clients. Therefore, it will not affect other operating systems.

      --
      See you, space cowboy...
    4. Re:Gloat by fred+walter · · Score: 1

      Another reason for _not_ using any m$-related software. Great thing: m$-users are infecting each other, they have to clean their files/mails, perhaps format their hd - that's what "selection" really means: only the better survives ;-)

    5. Re:Gloat by thundrcast · · Score: 1

      WHAT?? It is an Active X attack! MS is the only one I know using Active X. Why don't you go read the articles.

    6. Re:Gloat by howardjp · · Score: 1

      I was not referring to this specific instance of a virus attack. Get off your high horse and use your head.

    7. Re:Gloat by Ark · · Score: 1
      I don't run anything that I haven't compiled, or any binary that came from a reputable source/mirror.

      I think you're saying that you don't run a binary or compile source unless it's from a reputable source, but just in case you're saying you feel safe just because you compiled source from any old place and only run binaries from known places...

      But do you check every single line of code you compile? Just compiling something from source doesn't automatically protect you from harm. I see/hear this attitude a lot, and it just doesn't make sense when you think it all the way through.

      Now if you get a PGP or GPG signed source from a "known place" such as signed kernel source from kernel.org, you're probably safe.

      It just bothers me the number of people that assume they are safe just because they compiled the binary they are using.

    8. Re:Gloat by pvthudson · · Score: 1
      Moops

      --


      Its karma, Kramer.

    9. Re:Gloat by Balance · · Score: 1

      The problem is a bug in Microsoft's scripting code

      Yes and that bug is called Active-X.

  2. Outlook Express Settings by BlakeCoverett · · Score: 2

    Two obvious fixes, disabling scripting in the 'Internet Zone' for IE, and setting Outlook Express to use the 'Restricted Zone' for all content to start with. Anyone using those products should probably be doing both to start with.

    -Blake

    1. Re:Outlook Express Settings by Black+Parrot · · Score: 2

      > Two obvious fixes,

      You neglect to mention a third, which will immediately occur to most /.ers. (It's so simple I could write it in the margin, if only this input box had a margin.)

      --
      It's October 6th. Where's W2K? Over the horizon again, eh?

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re:Outlook Express Settings by Anonymous Coward · · Score: 0
      the most obvious fix:

      format C: /Q

      -phuzz

  3. warned? by Anonymous Coward · · Score: 0

    i'll consider myself immune, thanx ;)

    1. Re:warned? by Anonymous Coward · · Score: 0

      If you're using vmware you could just as easily wipe out your linux box from running wx in it.

  4. Micro$haft security by lubricated · · Score: 1

    Ok this one isn't even that bad (for micro$haft). It won't run on NT, and your security settings can't be on high.

    Isn't there something like this going on constantly on windows machines? A new email, virus, thingy every week. Why is this even here? Most /.ers run linux don't they.

    --
    It has been statistically shown that helmets increase the risk of head injury.
    1. Re:Micro$haft security by Anomie-ous+Cow-ard · · Score: 2
      Why is this even here? Most /.ers run linux don't they.

      Several reasons. For one, it's "News for Nerds. Stuff that matters." Hard as it may be to believe, some /.ers actually do use windoze. Others use *BSD, or other operating systems. Maybe Linux is the majority, maybe not (still almost certainly the major minority then).

      Even for those of us who don't use Windows, we all know people who do. Coworkers, friends, family, lusers on our systems. If we know about this potential problem with windows, perhaps we can help them avoid falling for it, or at least be quicker on cleaning up afterwards...

      I'd guess that most of us are the curious sort, who'll learn something interesting (New email worm? How's it work, what does it affect, and what could be done to stop it?) even if it has no practical application in our lives. Why else do we so love nanotech, quantum computing, good fiction, and all the other things posted on /.?

      And finally, don't neglect the gloat factor ;)

      -----

      --

      --
      perl -e'$_=shift;die eval' '"$^X $0\047\$_=shift;die eval\047 \047$_\047"' at -e line 1.

    2. Re:Micro$haft security by Skim123 · · Score: 1
      Several reasons. For one, it's "News for Nerds. Stuff that matters." Hard as it may be to believe, some /.ers actually do use windoze

      I wonder how many /.'ers use Windows or Linux or some other OS. I would assume this has been a past poll?

      --

      I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.

    3. Re:Micro$haft security by phil+reed · · Score: 1
      Well, for one data point: I run (in no particular order)

      • Windows 95
      • Windows 98
      • Windows NT
      • Novell
      • Oh, and Linux

      Hacking is an attitude, not an operating system.


      ...phil

      --

      ...phil
      "For a list of the ways which technology has failed to improve our quality of life, press 3."
    4. Re:Micro$haft security by GaspodeTheWonderDog · · Score: 1

      I'm pretty sure you have a mal-formed for loop

      --
      This space for sale
    5. Re:Micro$haft security by loki7 · · Score: 2

      Nope, it's perfectly cromulent.

      main(){
      for(;;fork());
      }

      says:
      - to initialize the loop, do nothing
      - don't check any condition on each iteration (loop forever)
      - at the end of each iteration fork()

      /peter

    6. Re:Micro$haft security by Anonymous Coward · · Score: 0

      Why is this even here? Most /.ers run linux don't they?

      Yep, but that doesn't mean they need not concern themselves with this. They may have more than just a linux (or bsd) box. They may be needing to maintain a network stuck full of 95/98/NT boxes. And even if not, it's always good to know just what troublemaking stuff is out there, should they one day have to deal with it, whether from work, friend, or family.

    7. Re:Micro$haft security by Skim123 · · Score: 1

      That's the fewest number of characters I could find to run a fork bomb. Can anyone out there beat that? :)

      --

      I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.

    8. Re:Micro$haft security by GaspodeTheWonderDog · · Score: 1

      sorry, for some reason I mis-read the statement and 'saw' 3 semi-colons in the for statement... shoot...

      --
      This space for sale
    9. Re:Micro$haft security by GaspodeTheWonderDog · · Score: 1

      sorry, for some reason I mis-read the statement and 'saw' 3 semi-colons in the for statement... shoot... guess that is what I get for listening to too much rob zombie...

      --
      This space for sale
  5. Which is worse? Virii or their names? by JoeShmoe · · Score: 3

    You know, whenever I read some really good piece of science fiction, the terror is never caused by something called BubbleBoy...or Melissa, or Good Times, or any of these other stupid names.

    At this rate, when some genetic mutagen is released that destroys all of mankind, it'll probably be called the Pokemon virus.

    [/tongue in cheek]

    - JoeShmoe

    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=-=-=-=-=-

    --
    -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
    1. Re:Which is worse? Virii or their names? by jabber · · Score: 3

      Already been done.

      Pokemon is a memetic contagion from Japan. Since virii are not necessarily biological or cybernetic, this perspective works.

      We can even classify it. It's a derivative of the 'pet rock' meme-virus of the mid-70's, but in a much more aggressive form. This virus resembles the Beanie-baby and Furby virii except that it infects only young meme environments which have not yet been able to develop immunity to Fad-class virii..

      This immunity requires that the marketing-service ports be shut down unless absolutely needed. The procedure for establishing such immunity is typically referred to as 'jading'. Once a potential host is adequately jaded, it is much less likely to be infected by this, and further mutations of the fad-class virii...

      Disillusionment is good.

      --

      -- What you do today will cost you a day of your life.
    2. Re:Which is worse? Virii or their names? by jafac · · Score: 1

      Damn, that Pokemon virus IS nasty. My 12 year old son is infected, my 6 year old son is infected, my 3 year old daughter is infected, and of course, all of their friends. I'm even addicted to the Gameboy (emu) version of this virus. It's incredible, the range of hosts this species can adapt to.

      Humanity is doomed.

      I wish I had a nickel for every time someone said "Information wants to be free".

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  6. oh boy by bendawg · · Score: 0

    Just another one of those "features" that make Internet Explorer so much better than Netscape...No wonder it's winning the browser war.

  7. one word by lubricated · · Score: 1

    pine

    --
    It has been statistically shown that helmets increase the risk of head injury.
    1. Re:one word by Anonymous Coward · · Score: 0

      Except for all those buffer overflow bugs that made it possible to run arbitrary code on a victim's machine if he was using Pine, of course.

    2. Re:one word by Edmund · · Score: 1

      elm elm elm
      :)

      Okay, I'll stop now.

      IMHO, e-mail clients shouldn't be running scripts in the first place. You want some scripts? Leave a link in your mail. E-mail should contain plain text. I'm still groaning about all the people sending their pretty HTML-ized mail all over the place, esp. if it's HTML-only (have you ever tried reading that in pine or elm? they make you save the file to disk before you can view it...)

    3. Re:one word by gromm · · Score: 1

      Heh. For my money (or lack thereof) it's an old version of Eudora. You know, back when all it did was send and receive e-mail, and your mail took up more space than the program did. (okay, maybe I have lots of mail.) This is a perfect example of why Simplicity Is Best. And on top of that, simple programs like this are extraordinarily user-friendly. File menu. Check mail. Any questions?

    4. Re:one word by Ambassador+Kosh · · Score: 1

      Well there is a solution for you. The newest version of pine can read HTML email by using Lynx. I know version 4.10 at least can do it. I have that version running on my computer and we upgraded the machines at work here also and it really helps. Finally I can read that annoying html email people send me and still use pine.

      --
      Computer modeling for biotech drug manufacturing is HARD! :)
    5. Re:one word by ShadowDragon · · Score: 1

      I've also got a script that was written before we got the new version of pine that launches lynx for html mail.. it also launches a text based word viewer for the stupid word attachments floating around the office

      --

      ---The proceeding comments were not paid for by the following advertisers.

  8. A security flaw in Microsoft software????? by ywwg · · Score: 3

    "In fact, it's unclear exactly how users of HTML-enabled e-mail readers can protect themselves from such viruses."

    Um, how about ASKING the user if they REALLY want to send all of those emails??? Web pages can't do any real damage by themselves (except by replicating), unless of course they use java to do something nasty.

    Of course this begs the question, who _needs_ html email? I mean, do you actually spend hours designing a page to send to someone? HTML emails are big downloads and irritating. Email readers should only look at basic tags (a la slashdot), and not "embed" tags.

    Oh, I'm sorry, the users _requested_ that feature bloat for IE 5.0! How silly of me!

    1. Re:A security flaw in Microsoft software????? by SPorter · · Score: 1
      You are so right!

      I don't know who came up with that, MS or Netscape... either way, it is stupid. Next thing you know we'll have HTML ping.

    2. Re:A security flaw in Microsoft software????? by MattyT · · Score: 1

      HTML mail is an extremely good idea. The idea that ASCII is adequate for email is ridiculous.

      Strict HTML consists of things like block quoting, lists, hyperlinks, emphasis, etc. which are all as useful in Mail as they are in web pages.

      The problem is that HTML is polluted with presentational rubbish like bold and background colours that allows people to make things unreadable.

      So what is needed is a sensible mail client that supports HTML mail and supports ignoring all presentational markup (and only uses a user-side stylesheet).

      As for scripting, I can't really see anything wrong with it (dynamic HTML etc.), but I think you really have to set the default to prompt the user.

      Hmm, I smell a Mozilla enhancement request coming on ...

    3. Re:A security flaw in Microsoft software????? by Abigail-II · · Score: 1
      Um, how about ASKING the user if they REALLY want to send all of those emails???

      That doesn't help the receiver, does it? Or do you think a virus writer will answer "no" when being asked whether he/she really wants to send the email?

      Web pages can't do any real damage by themselves (except by replicating), unless of course they use java to do something nasty.

      Or javascript, or anything else that allows execution of code in combination with implementations that have security holes; even an inline PostScript image can potentially lead to a security hole - PostScript after all is code. And before you start pointing to M$, take a look at the CERT archives and look at all the security holes in Unix applications over the past. At least this virus doesn't become active until someone reads the mail, while for attacks on sendmail all that needs to happen is delivery of "mail"...

      The bottom line is that you are putting yourself at risk when you execute code that is driven by a third party; be it an embedded scripting language, or just data.

      -- Abigail

    4. Re:A security flaw in Microsoft software????? by stewart.hector · · Score: 2

      You can do all of what you want in ASCII


      - Bullet 1
      - Bullet 2
      * Bullet 3

      and jack said,"example of quoted text"

      *emphasis* _another emphasis_

      but not hypertext links of course...

      Remember, not everyone uses HTML email, therefore, they will just get a load of unreadable crap - unless ASCII and HTML versions are sent, but, that is incredibly annoying, you get annoying unwanted unreadable text - just as annoying as MS Mail put that mime stuff at the bottom of the mail...

      Really, you should only use HTML email if you *know* the recipient is using HTML mail.

      --
    5. Re:A security flaw in Microsoft software????? by stewart.hector · · Score: 1

      You can do all of what you want in ASCII


      - Bullet 1
      - Bullet 2
      * Bullet 3

      and jack said,"example of quoted text"

      *emphasis* _another emphasis_

      but not hypertext links of course...

      Remember, not everyone uses HTML email, therefore, they will just get a load of unreadable crap - unless ASCII and HTML versions are sent, but, that is incredibly annoying, you get annoying unwanted unreadable text - just as annoying as MS Mail put that mime stuff at the bottom of the mail...

      Really, you should only use HTML email if you *know* the recipient is using HTML mail.

      --
    6. Re:A security flaw in Microsoft software????? by sjames · · Score: 2

      That doesn't help the receiver, does it? Or do you think a virus writer will answer "no" when being asked whether he/she really wants to send the email?

      Sure, the virus writer will send it, but when the first receivers get the same question, they will hopefully say no, and the chain breaks there. It does help the receiver in the sense that all of his/her friends don't call him/her 'virus boy' or 'typhoid Mary' for the next month.

    7. Re:A security flaw in Microsoft software????? by mpe · · Score: 1
      You can do all of what you want in ASCII
      - Bullet 1
      - Bullet 2
      * Bullet 3

      and jack said,"example of quoted text"

      or
      > quoted text.

      *emphasis* _another emphasis_

      You can even have the software render *bold* as bold and _underline_ as underline, possibly also /italic/ as italic, without rendering the result unreadable to the rest of the world.
    8. Re:A security flaw in Microsoft software????? by Carnage4Life · · Score: 1

      Sure, the virus writer will send it, but when the first receivers get the same question, they will hopefully say no,

      Not really. Remember Melissa and how she started. It was a download on a porn newsgroup...and from there it was too late because it sent itself out with the first receiver's email and most people accept executable email from recognized email addresses [wasn't that what virus firms said was all the security needed just a year ago...:) ]. Variations of the theme are everywhere, a particular favorite is sticking the virus in some useful shareware code, I've been bitten by two Trojans and 1 virus when downloading utilities online. CPU Idle from the official site was one.


      Bad Command Or File Name

    9. Re:A security flaw in Microsoft software????? by sjames · · Score: 2

      because it sent itself out with the first receiver's email and most people accept executable email from recognized email addresses

      Sure, but the issue in question was having the mail software ask before sending. Thus with Melissa, download your happy porn, suddenly, your mail program is asking you if you really want to send an email to everyone you know. Hopefully, you'll say no here since you didn't write any email.

      True, the exceptionally clue challenged will mindlessly click yes, but the damage is at least limited.

    10. Re:A security flaw in Microsoft software????? by ddwalker · · Score: 1

      I would agree that HTML in email is excessive currently, but there is one aspect of it that you cannot do with plain text that is definitely nice. Highlighting of important concepts (as if the writer is using a yellow highlight pen.) This is the only thing that I would miss if I were forced to move away from HTML email, although I have used pine (and was happily content with it.) As for the ability to embed images and links and the ability to read java and javascript...pretty unnecessary, IMO. Perhaps if you are writing a magazine-type email article, or are sending a greeting card. (Pretty useless for me, in other words, since I will never do either.) Give me only limited HTML. Perhaps only HTML v1.0.

    11. Re:A security flaw in Microsoft software????? by hey! · · Score: 2

      Actually, like almost every security issue, there's a flip side. Executable e-mail is very useful for things like document routing and approval type applications. People like to use e-mail as an ad hoc to-do list, and executable e-mails fit right in. HTML formatting is also useful (it doesn't have to be an elaborate web page, how often have you used extrans in a slashdot posting?)

      The problem is executing scripts from unknown sources. This could be solved by taking some simple steps.

      (1) No execution of scripts of any kind without a digital signature. A company could easily be its own certificate authority.

      (2) Without a signature, scripts should be either inactive, or not be able to affect anything other than rendering the message (e.g. no access to MAPI). It's incredible that MS lets scripts in e-mail messages access the users environment -- it's almost asking for trouble.

      (3) No outgoing mail is signed without user approval. This would prevent a kind of implicit transitive trust -- if you trusted somebody else, and that somebody trusts everyone, then you're cooked.


      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    12. Re:A security flaw in Microsoft software????? by jafac · · Score: 1

      Bullets in ASCII aren't bulletproof. If your viewer reads the file in a smaller window, and the window word-wraps, the lines of text that are bulleted will wrap to the next line without indent.
      Ugly.

      I wish I had a nickel for every time someone said "Information wants to be free".

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    13. Re:A security flaw in Microsoft software????? by copito · · Score: 2

      Pine is a text based email program that handles HTML mail pretty well.

      -Mike
      --

      --
      "L'IT c'est moi!"
    14. Re:A security flaw in Microsoft software????? by MattyT · · Score: 1

      Those are not acceptable alternatives. Those things can and are misinterpreted by mail agents and possibly people. One thing being added to Mozilla by an independent developer at the moment is plain-text styling. It's hard, because you can err in either direction.

      I should have the ability as to how I want my mail agent to display bullets. I should have the ability to say how I want quoting to look. I should have the ability to show how I want emphasis to look. ASCII gives you none of those, because it does not separate content from style.
      The fact that it has been the standard does not mean we should stick with it. With good mailer support like I mentioned upwards, HTML mail is a superior solution.

      These days, I would consider a mailer that doesn't support HTML mail unfinished. It doesn't have to be flashy and display it like the author wants. It's better to display it like I want! But it at least needs to know how to display it.

    15. Re:A security flaw in Microsoft software????? by MattyT · · Score: 1

      While I don't know what structural aspects differ between HTML 1 and 4, I'd imagine there is some useful stuff. HTML 4 without the style should be quite an adequate solution.

      I personally think it would be quite cool if I could set up a stylesheet that displayed messages as I wanted, but that's hard to do in ASCII email because elements are differentiated by characters that can easily be interpreted as content.
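
Added example, not part of any comment in this thread: ywwg's suggestion that mail readers honour only basic tags, and hey!'s point (2) that unsigned scripts stay inactive, sketched as an allowlist renderer for the HTML part of a message. The tag allowlist, the class and function names and the sample message are constructed for illustration.

```python
"""Added example: allowlist rendering of HTML mail (not code from the thread)."""
from email import message_from_string
from html import escape
from html.parser import HTMLParser

# Assumed allowlist of "basic tags"; every other tag is stripped, its text kept.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "blockquote",
                "ul", "ol", "li", "tt", "pre"}
VOID_TAGS = {"br"}
# Active or opaque containers: the element and everything inside it is dropped.
DROP_WITH_CONTENT = {"script", "style", "object", "applet", "iframe"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class MailSanitizer(HTMLParser):
    """Re-emit only allowlisted markup and record each piece of active content removed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self._drop = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._drop += 1
            self.findings.append(f"<{tag}> element removed")
            return
        if self._drop:
            return  # inside a dropped container: ignore nested markup
        kept = ""
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):  # onload, onclick, ...
                self.findings.append(f"{name} handler removed from <{tag}>")
            elif tag == "a" and name == "href":
                if value.lower().startswith(SAFE_SCHEMES):
                    kept = f' href="{escape(value, quote=True)}"'
                else:
                    self.findings.append("unsafe href removed from <a>")
            elif tag == "meta" and name == "http-equiv" and value.lower() == "refresh":
                self.findings.append("meta refresh removed")
        if tag == "embed":
            self.findings.append("<embed> element removed")
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}{kept}>")  # all other attributes are discarded

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._drop = max(0, self._drop - 1)
        elif not self._drop and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # An unclosed dropped container hides the rest of the text (fails closed).
        if not self._drop:
            self.out.append(escape(data, quote=False))


def render_html_mail(raw_message):
    """Return (safe_html, findings) for the first text/html part, or (None, [])."""
    msg = message_from_string(raw_message)
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        html = part.get_payload(decode=True).decode(charset, errors="replace")
        sanitizer = MailSanitizer()
        sanitizer.feed(html)
        sanitizer.close()
        return "".join(sanitizer.out), sanitizer.findings
    return None, []


# Constructed sample message; the script body and classid are inert placeholders.
SAMPLE = """\
From: sender@example.com
To: reader@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hello, plain text.
--b1
Content-Type: text/html; charset="us-ascii"

<html><head><meta http-equiv="refresh" content="0; url=http://example.com/">
<script language="VBScript">' constructed placeholder, no payload</script></head>
<body onload="doSomething()"><p>Hello <b>reader</b>, see
<a href="http://example.com/doc" onclick="x()">the document</a> or
<a href="javascript:void(0)">this</a>.</p>
<object classid="clsid:CONSTRUCTED-PLACEHOLDER"></object></body></html>
--b1--
"""

if __name__ == "__main__":
    safe_html, findings = render_html_mail(SAMPLE)
    print(safe_html)
    for finding in findings:
        print("removed:", finding)
```

The renderer never executes or forwards anything from the message; a mail gateway could log the findings list to see how often active content arrives.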

  9. pine by Anonymous Coward · · Score: 0
    I never see problems like this with my email client of choice, pine.

    And yes, pine does read HTML email.

    (Pine Is Not Elm!)

    1. Re:pine by jfunk · · Score: 1

      (Pine Is Not Elm!)

      IIRC, it's "Pine Is No longer Elm."

      At least that was what the Slackware installation said.

    2. Re:pine by nicedream · · Score: 1

      Pine Internet News and Email

      although I have heard

      Program for Internet News and Email

      look here for an explanation

  10. Active content in emails. by FauxPasIII · · Score: 3

    I'm increasingly worried about the ability to send active content in emails... above and beyond people who blindly execute attached files (user stupidity), it's getting to the point where just READING email can actually spread a virus. Remember the big scare when people realized that Eudora would open up Java applets without asking permission? I always wondered how netscape mail or Eudora would handle Meta refresh tags...

    Anyway, I avoid the whole thing by sticking to good old-fashioned ASCII-mail. Now if only all my co-workers could do the same... *sigh*

    --
    25% Funny, 25% Insightful, 25% Informative, 25% Troll
    1. Re:Active content in emails. by Molina+the+Bofh · · Score: 1

      > it's getting to the point where just READING email can actually spread a virus.

      As a sysadmin, I remember replying to my users, when they asked me, in the "Good Times" era:

      - "I received this warning from the Pope, FBI and IBM, and they are telling me there is a new widespread virus named "Good Times" that will infect everybody that opens that e-mail. Is that true ?"
      - "No, it's a hoax. You can't receive a virus simply by reading an e-mail. You have to deliberately execute a file containing a virus to be infected. There is no 'magic' virus that can spread by itself."

      I had some users who had a really hard time to understand the concept of a virus.

      Well, now the explanation is very much harder (hopefully the users will have more cluons by now )...

      Now the explanation will go like this:
      -"There are some e-mails that run its code by themselves, but it just applies to a special HTML e-mail, that has some Visual Basic code and 'normal' e-mail remains safe."
      -"What ?"

      Just to worsen the virus concept, there is a new exploit that gives a pretty good buffer overflow in Photoshop image files, when read by Irfan View 3.07 (yes, you can run other programs, virus, anything simply by opening a picture). [That appeared on Bugtraq yesterday, for those who don't read it.] So how can we explain to a user that a virus is a code that needs to be run?

      -"OK. I think I grabbed the concept now. So a virus is a piece of executable code, right?"
      -"Exactly."
      -"So it can only infect executable files, right ? I can't get infected simply by, say, opening a picture, right?"
      -"Uh... not exactly... Well, yes, you can't be infected unless you're using a vulnerable picture viewer."
      -"What about text documents ?"
      -"They're safe, unless they use macros such as Word."

      --

      -
      Roses are #FF0000, Violets are #0000FF, find / -name '*base*' |xargs chown -R us && mv zig greatjustice
    2. Re:Active content in emails. by protagonist · · Score: 2

      W3C HTML by itself is not all that "active". Shouldn't we lay the blame on VBscript in E-mail, not HTML. My Netscape E-mail seems to ignore VBscript, ActiveX, and all that as long as I don't do something stupid like opening an attachment named Happy99.exe or such!

      Allen

    3. Re:Active content in emails. by osterby · · Score: 1

      I've hit a redirect from a spam email in the first Netscape suite with email included, 2.0 I think. It launched a Web browser and pulled up a spam page. As I recall it was a redirect brought about via JavaScript.

    4. Re:Active content in emails. by protagonist · · Score: 1

      Annoying, I'm sure. But no access to your hard drive, no access to your bookmarks, no access to your address book, and it didn't replicate or send copies of itself, right? Just SPAM with pictures, in effect.

  11. on NT... by Barbarian · · Score: 1

    From what I read on Microsoft's advisory on this bug, the same bug exists in NT.

    I guess that Bubbleboy isn't exploiting it for NT, though.

    NAI's page on Bubbleboy is here.

    I read a news story which said that the author emailed the worm to Antivirus companies. So I guess that it was more of a demonstration of a serious problem than something malicious.


  12. It comes back to Micro$oft's incompedence... by Xenex · · Score: 2

    This is what we get from Micro$oft's "innovations".....

    ----------
    The virus can only run if Internet Explorer 5.0 with Windows Scripting Host is installed (standard in Windows 98 and Windows 2000 installations).

    This is one of those "advantages" M$ talk about in the anti-trust case. Because the OS already comes with a browser, security flaws such as this are built in!
    ----------

    If security settings for Internet Zone in IE5 are set to High, the worm will not be executed.

    And IE 4/5 default to medium setting. Wonderful work, Micro$oft! You really know your stuff....
    ----------

    The virus actually takes advantage of a security flaw in Microsoft's ActiveX technology that was discovered in August.

    August?!? AUGUST! Why the hell wasn't a patch to repair the error released in August then? When a monopoly has no competition, they have no motivation to repair errors until they become huge issues for their software....
    ----------

    This is what we get with M$ winning the "browser wars", software with security holes that don't get fixed until they are a real risk. Fortunately, most sane PC don't use IE, and don't have to worry about ActiveX flaws. However this is one more reason why M$ should not be ruler of the browsers...

    1. Re:It comes back to Micro$oft's incompedence... by Starselbrg · · Score: 1
      Alright, Xenex, you have some good thoughts, but tone it down a little. Lay off the exclamation point for every sentence. Stop using all caps for words, and using the $ in Microsoft is really just getting old.

      Please keep slashdot a nice place by posting your ideas (which were good) in a clear (started good), sane (not so good), and non-hostile manner. Everyone will love you for it, and you'll get better Karma guaranteed.

      --
      Got HTML? Want LaTeX? Try html2latex
    2. Re:It comes back to Micro$oft's incompedence... by ToLu+the+Happy+Furby · · Score: 2

      August?!? AUGUST! Why the hell wasn't a patch to repair the error released in August then? When a monopoly has no competition, they have no motivation to repair errors until they become huge issues for their software....

      Actually, they have released a patch to repair the error. Here's the security bulletin detailing the problem; it was last updated on October 12, which I'm pretty sure is the day the patch to fix this problem was considered safe enough to be released for download at the Windows Update site, where it was indeed marked a critical update. (IIRC, they released a beta patch a couple days after the flaw was discovered.)

      Now, there's no question that someone at MS was insanely stupid to give untrusted sources permissions to use ActiveX controls that could write to the Startup directory (that's how this sucker works), and you can argue that the fact that it took 6 weeks before their fix was trusted enough to get on Windows Update is pretty shady as well. But it has been fixed by now.

    3. Re:It comes back to Micro$oft's incompedence... by jesser · · Score: 1

      Why the hell wasn't a patch to repair the error released in August then?

      Microsoft did release a patch to windowsupdate.microsoft.com a few weeks ago, but that was another few weeks after the flaw was documented on Microsoft's security bulletin thing.

      --
      The shareholder is always right.
    4. Re:It comes back to Micro$oft's incompedence... by Anonymous Coward · · Score: 0
      Fortunately, most sane PC don't use IE

      If I understand your English correctly, you mean that most PC users don't use IE? Well unfortunately for me, Win98 is the only thing that can run on the computer I have at the moment (the graphics card is unsupported under FreeBSD 3.2, but I have a copy of 3.3 which I hope to install soon). Also, Win98 supports my modem & hence internet access, so that I can go online. Yes, I might like to do that from time to time! Unfortunately, my connection keeps dropping out, so I haven't managed to download Winzip yet, let alone Netscape (that would take me all night, and I would run up a huge phone bill). Why should I have to pay for an expensive ISP when all I want to do each evening is surf a few webpages.

      There are many reasons why people have Microsoft products on their computers; businesses especially don't expect nor allow for people to run e-mail clients other than Exchange. Some of us try hard to rail against this, but in the mean time, don't criticise us for our lack of choice!

  13. err by toaster13 · · Score: 1

    gee IE5 with a bug??!! how could that be? anywayz, this is just another reason that netscape/linux rules

  14. At least this evil genius is anti-MS by gad_zuki! · · Score: 2

    Bah, Bubbleboy isn't a Seinfeld episode, it's the AUTHOR. What would you do sealed up all day but write malicious virii?

    1. Re:At least this evil genius is anti-MS by sjames · · Score: 2

      He's not all that evil. He wrote a relatively benign virus, and submitted it to an anti-virus company. If he were evil, he would have gotten a free trial AOL account and spammed it to every one of those billions and billions of names on a spam list (all for only $19.95). Not a bad way to publicise a security flaw IMHO.

  15. Not again by EvlG · · Score: 2

    I was hoping that Melissa would make companies wake up and rethink the "let's move everything to Outlook/Exchange/IE" philosophy. Apparently IT people forget quickly...

    Now we have time and time again exploits against IE due to its extreme integration with Windows and such. How long until one of these gets really nasty? How long until someone gets bitten a little too hard, and then they want to bite back?

    1. Re:Not again by Anonymous Coward · · Score: 0
      Apparently IT people forget quickly...

      It ain't the IT people who've forgotten. It's the PHBs that own^H^H^Hrun^H^H^Hpay them who have forgotten. Or more likely: never learned in the first place.

    2. Re:Not again by Anonymous Coward · · Score: 0

      Apparently IT people forget quickly...

      IT people in most companies don't actually get to make any decisions. Somebody with money goes to a show somewhere and gets a nice T-shirt, or even a coffee mug. Next thing you know, the IT guys are asked to implement some bassackward "solution". I used to like when someone actually asked for my opinion. Then I realized that my opinions don't matter. I don't have any good freebies for the guys with money.....

  16. WSH by Foogle · · Score: 1
    I know this is Windows tech, but it's ontopic so I just thought I'd say it:

    What's a real shame is that, in the world of Windows, the Windows Scripting Host has never really taken off. I mean, it's been around since the introduction of Memphis... Before WSH, any automated scripting had to be done through batch files. Batch files were nice in DOS, but they didn't have a world of flexibility under Windows, and they couldn't interact with the rest of the GUI. WSH fixed all that, and I don't think many Windows programmers took advantage of it.

    Oh well - Now it's a security issue and will get a bum rap because of it. It's a real waste...

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

    1. Re:WSH by Tarnar · · Score: 1

      Well, it seems to be a liability if it's so easily exploited. Scripting (like AppleScript) is a Good Thing(tm), but its implementation has to be careful. Created locally, a script should have full permissions.. But a script that is being auto-execed from an attachment or something should NOT be so permissioned.

      2 Cents.

    2. Re:WSH by Spruce+Moose · · Score: 1

      Batch files weren't even that nice in DOS.

      I'm amazed at how crappy the DOS command line interface has remained through versions 3.x up to Windows NT. No decent command line editing, or any useful shell type tools.

      What a joke.

    3. Re:WSH by Anonymous Coward · · Score: 0

      WSH is simply too powerful. If windows were designed with file permissions it might be more safe. I recommend removing WSH completely under control panel, add/remove programs, windows setup, accessories.

  17. Why is this called a virus? by alannon · · Score: 1

    To me, this seems more like a plain-old security exploit, no different than the dozen or so major security flaws in IE and Navigator found in the last 3 years or so.

    There are thousands of pieces of code out there that exploit security flaws such as buffer overruns right now and most of them are labeled as pieces of code that expose programming flaws in the targeted application/server.

    How is this any different and why is it being branded as a 'virus'? It uses a security flaw in Microsoft code to introduce unexpected/unwanted behavior.

    I don't see this as furthering the viewpoint of "Well, the day has come when people can catch a virus from reading their email" any more than web servers having buffer overrun problems furthers the viewpoint of "the day has come when people can catch a virus from running a web server". If a piece of software is poorly written, it will be exploited.

    Do you think perhaps it is because a good majority of computer users use email, but a very small number run server software susceptible to typical server attacks? Though if you remember the WinNuke exploit exposed in Win95 several years back, that is an example of a security flaw that could attack any Win95 machine attached to the Internet.

    1. Re:Why is this called a virus? by Laven · · Score: 1
      I believe it is classified as a virus, or more specifically a worm, because it replicates and spreads through a network. That's the normal definition of a worm.

      Yes, I do agree it is exploiting a security flaw... but in this case it is exploiting a security flaw to create a worm.

  18. virus in unixen? by bendawg · · Score: 1

    ---- Warning...Maybe a little offtopic
    This brings up a question I was wondering about the other day, and I think that I know the answer.

    Is it possible for a virus to execute on a unix machine and do any damage?

    I know that the same effect as the "bubbleboy" virus could be achieved by targeting pine users or something, if there were those sorts of weaknesses in pine.

    In my opinion, though, a malicious virus, that did things such as deleting files, or whatever would have to have the ability to obtain root privileges, or it basically would only be able to delete or change files that the dummy user had access to in the first place.

    I assume this is correct, since I have never seen any Virii targeted towards say an i386 Linux system, or any virus scanners for Linux.

    1. Re:virus in unixen? by howardjp · · Score: 1

      There have been a couple that targetted i386 Linux. The only one I remember details of someway or another attached itself to DOOM, but I do not know how.

    2. Re:virus in unixen? by Abigail-II · · Score: 1
      Is it possible for a virus to execute on a unix machine and do any damage?

      Most certainly, Unix machines aren't magically protected against virusses. The best known example is Morris' worm in the late '80s. While classified as worm, there was nothing in particular that wouldn't make it a virus. Morris just had no intention to destroy things.

      Here (well, that should have been a link, but slashdot decided to filter it out.... Try http://www.foad.org/%7Eabigail/Perl/virus.pl, and blame someone for not being able to click on a link.) is a little "virus" I hacked together in 5 minutes, using Perl. It won't do any harm, and it will only infect files ending in ".pl" in the current directory, but it will replicate - even if you just "compile" the code.

      There are a few reasons why virusses on Windows are more common than on Unix. First is the permission system. A Windows user or process typically has access to all files, so it's much easier to do damage once you are running. On Unix, you either have to hack root, or you can only do "limited" damage (although quite severe for a user). Secondly, there are many more Windows machines out there than Unix machines - besides, Unix is a twisty little maze of incompatible systems anyway. Third, there are more applications that will execute code without the user being aware. Fourth, "sneakernet" with cracked binaries of dubious source is more common. It might take a bit more effort, it's certainly not impossible to write virusses for Unix.

      whatever would have to have the ability to obtain root privileges

      Unix has almost 30 years of history of security holes that give you root access. Ever heard of scriptkiddies with "root kits"?

      Virii

      The correct plural is virusses.

      -- Abigail

    3. Re:virus in unixen? by Anonymous Coward · · Score: 0

      http://linuxticker.com/artikel/459.html

    4. Re:virus in unixen? by Lifewolf · · Score: 1

      I'm not a gamer and have never played or even installed DOOM, but I would guess it uses svgalib to run full screen. From what I understand, running such programs is a security risk because they need to run setuid root to gain direct access to the video hardware.

      A quick search reveals several sites which offer a patch, svga_patch.tar.gz. I have not looked at the patch though, so I can't speak as to what it does.

      Perhaps someone else can provide more information on both the original security hole and the patch.



      --
      "Be Happy or Die." -- AoN
    5. Re:virus in unixen? by Anonymous Coward · · Score: 0
      First, with respect to spelling:

      The correct plural is virusses.

      Actually, the correct plural is viruses.

      The reason why viruses are not prevalent at all on Unix is precisely that to do any significant damage -- the type of damage that your average DOS/Win virus does, like for instance CIH, Michelangelo, or the plethora of other boot viruses -- root access must be obtained first.

      The fellow who's cracking root on my system has different motivations than the fellow writing viruses. The first guy wants power; the second wants no more than to destroy or cause mischief. While the first may certainly do damage or cause trouble, he typically wants to get and keep root access. You don't get to do that if you draw attention to yourself by doing rm -rf /.

      The virus writer, on the other hand, doesn't expect to take advantage of his handiwork; he only expects to cause trouble.

      It seems to me that this difference in motivation explains things more than anything else. Because for the virus writer, he can't simply pass around his wares and get the same bang for his buck on Unix that he does with DOS/Win. The Unix model discourages virus writing. A properly secured NT machine can do the same, but as long as there are Win9x and DOS machines out there, boot viruses will continue to be written.

      Eventually -- barring eradication of the bugs that permit things like "Bubbleboy" -- we'll see a destructive email virus and not just nuisance ones. I pity the DOS/Win9x users on that day (along with the NT users running insecure -- which is to say, default -- installations).

  19. One other fact. by bholmberg · · Score: 1

    There apparently haven't been any known outbreaks according to ZDTV anyway. Now anti-virus companies will really be praised for keeping us safe from everyday things, now there is a full time danger and we must trust "HTML escorters" to surf around the internet. Gee Wiz.

  20. Happily, Emacs Doesn't Suffer from this... by Christopher+B.+Brown · · Score: 2
    Oops. I set: (setq enable-local-variables t) ... and someone set up a mail message that deleted my home directory tree...

    The above is, seriously, the big potential security hole in GNU Emacs. It is documented as such, in the documentation, and users are given suitable warning not to do so...

    It seems reasonably likely that the only way to make "executable email" safe is the implementation of some sort of capabilities-based system that can strictly lock down what particular programs are permitted to do. Of course, as we learn more about capabilities, it is also likely that its powers of protection will prove quite finite...

    --
    If you're not part of the solution, you're part of the precipitate.
    1. Re:Happily, Emacs Doesn't Suffer from this... by Abigail-II · · Score: 1
      It seems reasonably likely that the only way to make "executable email" safe is the implementation of some sort of capabilities-based system that can strictly lock down what particular programs are permitted to do.

      Yes, and I got the impression that was the case now. The problem is bugs in the implementation; this time wrongly marked modules. Next time, it's a buffer overflow in sendmail or an HTTP daemon...

      -- Abigail

    2. Re:Happily, Emacs Doesn't Suffer from this... by Anonymous Coward · · Score: 0

      Except local variables aren't evalled when you read mail in gnus or RMail, so this won't happen unless you save the file and then open it again, or do something dumb like M-x normal-mode. The repeated warnings about enable-local-variables in the manual mean this is a pointless feature, rather than a security.

    3. Re:Happily, Emacs Doesn't Suffer from this... by stevey · · Score: 1
      I took advantage of this to write a virus in Emacs lisp a while back - as a proof of concept thing.


      Basically it would copy its code to ~/.virus, append a line (enable-local-variables t) in your .emacs file, and then add a hook to enable it to spread when files were written.


      When Emacs exited it would then remove ~/.virus.



      Steve
      ---

  21. E-Mail viruses by Microlith · · Score: 1

    This is the time where we all check back over our warnings and say "If you use Outlook Express 5, yes, you CAN get a virus just from reading an e-mail."

    This shouldn't be true, in fact until now, it hasn't been. But hopefully this "feature" will be "fixed" by Microsoft. Until then, I'll just stick to pine.

    Oh, can't this ALSO affect Hotmail or any other web based E-mail, since they ALL use IE to display the formatting?

  22. Official Virus Information and Security Patch by Laven · · Score: 4
    It appears that Symantec has already analyzed this virus. This article mentions that the virus may be protected by an August Microsoft IE5 ActiveX security patch.

    Symantec posted this advisory of the VBS.BubbleBoy here
    http://www.symantec.com/avcenter/venc/data/vbs.bubbleboy.html.
    It contains details of what the virus does, where it goes into the registry and how to protect yourself.

    If you already do not have that security patch from Windows Update, you can download the patch from
    http://www.microsoft.com/security/Bulletins/ms99-032.asp.

    This is kinda scary... as we have always taught people that you cannot get a virus by reading mail, only opening attachments. I hope this doesn't become a growing trend.

    1. Re:Official Virus Information and Security Patch by |DaBuzz| · · Score: 2

      This is kinda scary... as we have always taught people that you cannot get a virus by reading mail, only opening attachments. I hope this doesn't become a growing trend.

      We told them this in a world before integration == innovation and our decisions were being made for us regarding what we want our software to do for us.

      Consumer: But I don't want my toaster to automatically log into my bank and try to pay my bills for me.
      Microsoft Toaster 4.0 project manager: Too bad.

    2. Re:Official Virus Information and Security Patch by Anonymous Coward · · Score: 0

      So do the latest downloads of IE5 contain all security patches up to that point?

  23. "Freedom to innovate..." by WombatControl · · Score: 1

    You know, now I understand where Microsoft is coming from. Imagine what would happen to the "freedom to innovate" exercised by virus authors and script kiddies if Microsoft were to somehow be made accountable for their lax security? What would bored pre-teens do with their l33t AOL connections? Learn something useful, like programming or writing?

    What kind of world would that be, and where do I sign up for it?

  24. Poor ISP support people. by Cacophony · · Score: 1

    I was working tech support for an ISP when "Melissa" hit. I spent all day explaining to people the truth about the virus..."As long as you don't download and run any attachments..." I can just hear them now "But, you said before that I couldn't get a virus by just reading my mail..."

    I feel for you support boys, just keep your favorite UserFriendly strip on the screen to keep you from snapping.

    -Al-

  25. Fine how-do-you-do by Foogle · · Score: 1
    No, it's not a "feature", it's a real live bug. One that MS has acknowledged, so stop acting all smug about Netscape -- like they never had a security bug...

    The fact is, if Netscape supported Windows Scripting Host, it would probably be susceptible to the same flaw. I don't care for MS anymore than the rest of us, but I can't stand baseless garbage.

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

    1. Re:Fine how-do-you-do by Anonymous Coward · · Score: 0

      um... you obviously missed the sarcasm in that post, didn't you?

    2. Re:Fine how-do-you-do by Mark__ · · Score: 1

      hehee but netscape for windows is even buggier than IE 5 ... that's why it's winning the browser wars :)

    3. Re:Fine how-do-you-do by Anonymous Coward · · Score: 0

      While there was sarcasm, I think he responded appropriately by combating the FUD that the first post was spreading.

    4. Re:Fine how-do-you-do by Anonymous Coward · · Score: 0

      >The fact is, if Netscape supported Windows Scripting Host, it would probably be susceptible to the same flaw. I don't care for MS anymore than the rest of us, but I can't stand baseless garbage.

      Only if the bug was in the Windows Scripting Host software itself. I believe the real bug is in how IE5 treats the Scripting Host. If I'm right, then there is no reason to believe Netscape would handle the Scripting Host the same, and chances are, no bug...

    5. Re:Fine how-do-you-do by protagonist · · Score: 1

      I don't think you should expose an E-mail client to any scripting "engine" that doesn't implement some kind of sandbox concept. HTML and JavaScript do all that is needed. I am not really into Netscape vs. Outlook. Outlook is fine if they would make a version that could never be configured to do anything beyond HTML and Javascript. In fact, no Javascript would be fine too.

  26. A simple solution exists, of course by babbage · · Score: 2
    First off, don't use HTML mail. Problem solved. This will mean having to type or cut & paste URLs, but hey -- life's rough.

    Now, how do you turn off HTML? Lemme see here, I'll show you...

    Hang on, this is the first time I've ever opened up Outlook.

    *rummage*

    *rummage, rummage*

    *dead end*

    *thwack!*

    Well how about that, the boneheads won't let you turn off mail formatting. Slick guys, good thinking.

    Well I'm sorry folks, it looks like you're going to have to switch to a more sensible mail client. Try Eudora or Pine, both of which have Windows ports, or Mutt or Elm or something if they're available (not sure if they exist on Windows -- don't see why not but don't really want to bother verifying that at the moment).

    It's funny how a scare like this comes along every few weeks ...and I find myself completely immune to it. "The Humdinger virus abuses your Outlook addressbook, eh? How tragic. Good thing I don't have one nor ever will. Keep safe though, try not to accept any infected mails there, pal!". heh heh

    In the immortal words of the venerable Montgomery Burns, "Look at all these idiots!" Hahahaha



    1. Re:A simple solution exists, of course by Foogle · · Score: 1
      Oh please. It's not like you avoided this virus through some incredible foresight of your own thinking. You just don't use Outlook -- that's fine, but a lot of people do.

      And it's a freakin' good client too. I don't care if it's a MS product, if there was a version of Outlook for Linux (that was as good as the Windows one) I would use it in a heartbeat. KMail just isn't cutting it for me, and I really hate using an xterm for my email.

      So you happen to be immune to these attacks because you're using software that less than 10% of the consumer desktop market uses. Believe me, Netscape under Linux has its fair share of bugs -- they abound. You may not be susceptible to these attacks, but you're not invulnerable...

      -----------

      "You can't shake the Devil's hand and say you're only kidding."

    2. Re:A simple solution exists, of course by babbage · · Score: 1
      Well actually, it was a sort of foresight -- ascii mail can't carry virii (correct me if I'm wrong, but I know of no examples, ever), so I trust it and won't use anything with any kind of markup. If it matters, I use Pine, usually on Windows, sometimes on Linux, telnetting via xterm to my account's Solaris server.

      I'd also make the point that 90% of the market may be using the MS client, but how many of them deliberately chose to do so? I'll grant, maybe many slash most slash all of them just might have chosen to go with it anyhow. But they didn't choose, they were coerced.

      Anyway, I know I'm not invulnerable, I know the hardware, o/s, and applications I use are not without flaws. But I also know that some of these flaws are avoidable, I know that some are exploitable, and I tend to avoid letting people take advantage of that when there are other options. In this case, there clearly are.



    3. Re:A simple solution exists, of course by protagonist · · Score: 1

      Is the problem HTML and JavaScript in E-mail or is it really the insecure Visual Basic Script, Windows Scripting Host, and ActiveX? These are proprietary, Microsoft technologies.

      I suppose there are exploits in HTML, but what are they? Does Netscape's implementation of JavaScript currently have any security problems? These are open standards, so are they more secure by design?

      I find HTML useful in E-mail. I commonly put in tables, do bulleted lists, colored text for emphasis, etc. I find it easy and productive. This is mostly on our internal LAN. I use more plain text on the internet unless I know the recipient.

      Allen

    4. Re:A simple solution exists, of course by babbage · · Score: 2
      The MS specific stuff doesn't help at all, but I'm not at all convinced that HTML or Javascript belong in mail either. I'm not sure if open standards are more secure by design per se, but the opportunity to test them by independent sources tends to make them more robust than proprietary standards. In any event, something malicious could be embedded within HTML and Javascript, at least in principle, and just the chance of that makes me wary -- especially when plain ascii email is virtually guaranteed to be harmless.

      I'm not saying HTML isn't useful, though it might not be the best tool for layout in many cases. If all you want to do is bulleted lists, you can simulate that with asterisks and plus signs and whatever else you please. Certain conventions work well for conveying emphasis in your text, that can do a reasonable job of simulating *boldface*, /italics/, and _underlined text_. If you *really* want colors, you're out of luck; if you *really* need to make a table, it might be better to put the document on a web page and send your colleague the address for it. This makes it easy for others to look at it too, when useful.

      I see a spectrum of suitable tools for presentation purposes, ranging from ascii for email, to html for web documents, to say postscript for documents that need to be carefully laid out &/or printed. Mixing the formats up creates problems -- *.txt files make lousy web pages just as *.ps files are a pain in the butt in the email inbox. Use the Right Tool For Each Job, and everything will come out OK in the end...



    5. Re:A simple solution exists, of course by Abigail-II · · Score: 1
      ascii mail can't carry virii

      Sure it can. (BTW, it's virusses). The character set is irrelevant. It's what you do with it that counts. If it contains code, and you execute it, and your sandbox contains a flaw, you are in danger. Regardless whether the code is in ASCII, ISO-LATIN-1, Unicode or something else.

      -- Abigail

    6. Re:A simple solution exists, of course by jonathan_ingram · · Score: 1

      You can say virusses if you want (although just writing that makes me shudder...) - I'll stick with virii.

      Oh, and you knew what he meant when he said "ascii mail" - no need to get so picky.

    7. Re:A simple solution exists, of course by monstar · · Score: 2

      html isn't the issue. "active content" is

      tools -> options -> security.

      no *rummage* or *dead ends* at all. quite simple really. even for a windows user i should think.
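
The distinction drawn in the comment above, HTML markup versus "active content", expressed as a check a mail gateway could run. This is an added example, not part of the original thread; the tag list, function names and both sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Elements that can run or load code in a mail reader that renders HTML.
# Assumed list for this example; a real policy may be stricter.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}
SCRIPT_URL_SCHEMES = ("javascript:", "vbscript:")


class ActiveContentFinder(HTMLParser):
    """Collects active-content indicators while passive markup passes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                # onload, onclick, ... all execute script.
                self.findings.append(f"{name} event handler on <{tag}>")
            elif name in ("href", "src") and value:
                if value.strip().lower().startswith(SCRIPT_URL_SCHEMES):
                    self.findings.append(f"script URL in {name} on <{tag}>")


def scan_message(raw_bytes):
    """Return a list of active-content findings for every text/html part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue  # plain text and multipart containers are skipped
        finder = ActiveContentFinder()
        finder.feed(part.get_content())
        finder.close()
        findings.extend(finder.findings)
    return findings


def build_sample(html_body):
    """Build a constructed multipart/alternative message for the demo."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("plain text alternative")
    m.add_alternative(html_body, subtype="html")
    return m.as_bytes()


# Constructed sample: carries script hooks but no payload.
SAMPLE_ACTIVE = """<html>
<body onload="placeholder()">
<script language="VBScript">
' constructed placeholder comment, no payload
</script>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<p>hello</p>
</body>
</html>
"""

# Constructed sample: formatting and a hyperlink only.
SAMPLE_PASSIVE = """<html>
<body>
<p><b>bold</b> text and a <a href="http://example.com/">link</a></p>
</body>
</html>
"""

if __name__ == "__main__":
    for label, body in (("active", SAMPLE_ACTIVE), ("passive", SAMPLE_PASSIVE)):
        result = scan_message(build_sample(body))
        print(label, "->", result or "no active content")
```

A gateway using a check like this can keep tables, lists and links in HTML mail while quarantining or stripping anything that would hand control to a scripting engine.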

    8. Re:A simple solution exists, of course by jafac · · Score: 1

      TURN OFF hyperlinks?

      Hell, on the Mac, there's a little extension thingie that recognizes email addresses and internet addresses, and automagically turns them into a hyperlink, without forcing the document to be in HTML. It's sort of a layer between the user and any displayed text on the screen. Just click on the link and the OS tells your browser to go there.

      Probably a better solution. Wish I could remember what it was called.

      I wish I had a nickel for every time someone said "Information wants to be free".

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    9. Re:A simple solution exists, of course by Corrado · · Score: 1

      Yes, but doesn't that also turn off active content in IE as well? I don't want JavaScript executing in my eMail, but it's kinda handy for the Web.
      Later...

      --
      KangarooBox - We make IT simple!
    10. Re:A simple solution exists, of course by smileyy · · Score: 1

      IceTe is one of them

      --
      pooptruck
    11. Re:A simple solution exists, of course by ductape_pro · · Score: 1

      It's called Apple Data Detectors.... It's an add-on to AppleScript. Been around for awhile, except it never really got a lot of PR. Nice idea, should have been utilized more... It seems to have fallen by the wayside of interesting but little used technologies.

      Meander over to Apple's site and go to http://www.apple.com/applescript/data_detectors/ to get it or look at it.

      Not really a solution to the whole email based virus proliferation problem though, that's only going to be solved by the software corporations of the world giving a shit about security concerns and the average Joe on the street expecting them and holding them responsible to addressing security concerns from v1.0 and not as a bugfix in v5.0 of their products after the implications of their actions bite them in the ass.

  27. True, but still... by howardjp · · Score: 1

    There is an implicit assumption that there will never be a virus for the first poster's OS and that simply isn't true.

  28. Re:one word::Mutt by javac · · Score: 1

    Mutt,

    Barks like a puppy,

    Bites like a Dog.

    geach

    (mutt user)

    (mutt is an E-mail client for the Enlightened)

    (mutt is a productivity device)

    (mutt is the end all be all)

    (mutt is truly open)

    (mutt is good for chasing of bad cat>'s)

    (mutt is man's best friend)

    (mutt it does a body good)

  29. Get Your fix for Win98 Here: by savaget · · Score: 1

    The easiest way to get your fix for Win98 is here: Just use Windows update on your start menu.

  30. YOUR BRAIN IS _small_!! by freddie · · Score: 1

    In my opinion, though, a malicious virus, that did things such as deleting files, or whatever would have to have the ability to obtain root privileges, or it basically would only be able to delete or change files that the dummy user had access to in the first place.

    It sure sounds like you're confused boy! Answer me this question: do you need root privileges to create or delete files?

    The reason you don't see viruses on linux is not because they need root privileges but because it's a fairly well designed system...

    1. Re:YOUR BRAIN IS _small_!! by Anonymous Coward · · Score: 0
      Answer me this question: do you need root privileges to create or delete files?

      Well yes, apart from my home directory and /tmp, I need root privileges to create or delete files on my linux box...

    2. Re:YOUR BRAIN IS _small_!! by bendawg · · Score: 1

      oh, so I guess if you type "rm -Rf /"
      and you're logged in as, say, "fredf", do you think you will be able to delete critical system files?
      Sure, you'll probably delete /home/fredf, but unless you login as root, you'll most likely do no damage to anything else.
      Maybe my previous statement wasn't perfectly clear, but gimme a break, it's late!

    3. Re:YOUR BRAIN IS _small_!! by Abigail-II · · Score: 1

      Sure, you'll probably delete /home/fredf, but unless you login as root, you'll most likely do no damage to anything else.

      Well, yes, but /home/abigail is where the interesting files are. I can restore the system in a few hours; just pop in the CD and reinstall. Everything else needs to come from backup - whenever that was made the last time. And the backup might contain the dormant virus.

      -- Abigail

    4. Re:YOUR BRAIN IS _small_!! by -brazil- · · Score: 1
      Well, yes, but /home/abigail is where the interesting files are. I can restore the system in a few hours; just pop in the CD and reinstall.

      Dunno about you, but my system contains many more hours of work than just the installation - mainly configuration, new software, etc.

      Everything else needs to come from backup - whenever that was made the last time.

      "Data that is not backed up is worthless"
      -- the Unix Sysadmin Guide, IIRC

      And the backup might contain the dormant virus.

      If you spotted the virus, it should not be too difficult to prevent it from spreading again, if you have a clue.

      --

      The illegal we do immediately. The unconstitutional takes a little longer.
      --Henry Kissinger

    5. Re:YOUR BRAIN IS _small_!! by Abigail-II · · Score: 1
      Dunno about you, but my system contains many more hours of work than just the installation - mainly configuration, new software, etc.

      "Data that is not backed up is worthless"

      Configuration is data.

      -- Abigail

  31. bah by Anonymous Coward · · Score: 0

    HTML doesn't belong in email.

  32. I can just see it... by Zule_Boy · · Score: 1

    I just cannot wait to see my Work Email filled by the pointless drone of our Windows NT "Administrator" preaching about Security on windows boxen.

    Gee- What a surprise for Microsoft- A buggy insecure product.

    IE5 was made for Micro$oft by the devil.

  33. This is *not* just another email virus by ToLu+the+Happy+Furby · · Score: 5

    Read the article, folks. This is the email virus.

    That is, it runs on its own, without the recipient having to open any attachments. All they have to do is open the email itself (or, in Outlook Express, just point at the email so that it shows up in the preview pane), and they're infected.

    This is a big deal.

    Melissa made it so that we couldn't just tell our less tech-minded brethren/co-workers, "for the last time, you'll be ok if you just don't open any frickin' attachments from people you don't frickin' know!" This one means we can't even tell them "you'll be ok if you don't open any attachments."

    Now, this particular virus (well, technically it's more of a worm) isn't too malicious (except that, like Melissa, it could clog the hell out of mail servers), and mails itself under a goofy subject line so that you can be on the lookout for it. (Of course, I'm not sure what being on the lookout for it would accomplish if you're running Outlook Express, since there's really no way to delete it from your inbox without first selecting it...which is enough to run the virus.)

    But it's a proof-of-concept, and a scary one at that. It just changes the name and organization your computer is registered to and forwards itself to your address book, but the point is that it was screwing around with your registry, and it could have done whatever the hell it wanted to.

    Now...there is some good news here.

    Namely, this is perhaps the first time in history when Microsoft actually had a patch for a new exploit *before it was released to the public*!! Yes, that's right, this email virus works in exactly the same manner as one of those web-page exploits a couple months back, for which MS has had a critical update patch on Windows Update for several weeks now. Essentially what it does is take advantage of some very very stupidly permissioned ActiveX commands that let an untrusted source save a certain type of file (.HTA) to your Startup directory...thus allowing them to run arbitrary code upon reboot (shouldn't have to wait too long...ok, so that was a cheap shot).

    So, the good news is that my Win98 partition was already immune from this exploit, and hopefully so are many other people's. Of course, I can understand people not wanting to be on the bleeding edge of MS's security patches, because running everything MS throws at you can get you burned as well.

    As for what I'm sure the mainstream /. response to this will be--i.e., this sort of thing is inevitable with HTML email, why can't everyone just use Pine for email and ftp instead of attachments, and while we're at it let's replace all our PC's with teletypes hooked up to a PDP-11--I'm not so sure. IMO, it's a Good Thing that feature-rich email is here to stay, and in the long run there's not so much reason for email to be any more secure than browsing; if a computer can be compromised through its browser, then that's unacceptable right there.

    On the other hand, I have very little doubt that, as we expand into XML and all these other new technologies, short-sighted security permissions are going to bite us (especially those of us that use MS products) in the ass again and again and again, probably with no end in sight until we stop coming up with new features. It's a rather scary trade-off to have to make, and even scarier that 95% of the world has Microsoft making all the decisions for them...

    1. Re:This is *not* just another email virus by Thagg · · Score: 2
      A couple of comments on Tolu's good post, and then something more.

      I hate getting HTML mail, but I can see the point. It is the new ASCII, to some extent. A browser is a better way to read text; although I'll stick with ASCII mail myself for quite a while now. I do think that /.'s restricted HTML is just fine for mail, though.

      I disagree, though, that XML and other formats will unleash further viruses. Almost everybody now thinks about security first when designing mail clients. Perhaps even Microsoft will start thinking that way, eventually. The security abomination of ActiveX will *never* be duplicated by anybody else.

      Finally, I think that both prevalent e-mail viruses and even more prevalent e-mail spam will cause people to treat e-mail differently in the future. I predict that most e-mail will be rejected unread and unseen by people's e-mail bots; and that to pass through that gauntlet you'd have to jump through some significant hoops. It's sad, but I don't see any other way. Spam will increase without bound, and as long as people want to have persistent e-mail addresses they will be inundated. I don't think that government regulation is right, and I don't think it would work, either.

      So, if you have good email screening, then these viruses shouldn't be a problem, either.

      thad

      --
      I love Mondays. On a Monday, anything is possible.
    2. Re:This is *not* just another email virus by dimator · · Score: 2

      Indeed, with the activex security holes, microsoft has made it possible for these worm writers to cause amazing damage. I can only see these worms/email viruses to get smarter and smarter (how about self modifying worms, that change the subject line of further forwards to any of, oh say, 100 different things, making it pretty impossible to avoid opening the naughty email), while causing more and more damage (Let's not forget that bubbleboy could have done a lot more than it does because apparently, it has full access to a win9x machine's registry.) I don't know about you, but I can't wait for increasingly nasty emails to ravage every outlook user into submission.

      What amazes me, though, is how seemingly no one who uses these insecure applications ever says "OK, enough's enough! I'm not going to play microsoft's upgrade/patch/wait-for-next-exploit game any longer." Instead, everyone waits patiently for the next MSNBC article proclaiming the latest bug, and then upgrades their virus software, or patches their insecure app.

      It feels good to run an OS with an actual security model (and no, I'm not talking about NT)...


      -----------------
      Your attention please everyone, if I could just say a few words... I would be a better public speaker.

      --
      python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
    3. Re:This is *not* just another email virus by ViGe · · Score: 1

      Namely, this is perhaps the first time in history when Microsoft actually had a patch for a new exploit *before it was released to the public*!! Yes, that's right, this email virus works in exactly the same manner as one of those web-page exploits a couple months back, for which MS has had a critical update patch on Windows Update for several weeks now.

      Well, another IE bug was posted on the bugtraq, was it yesterday? I wonder who'll be the first: Microsoft releasing a patch, or someone coding an email virus using that hole..
      --

      --
      It has to work - rfc1925
    4. Re:This is *not* just another email virus by cabalamat · · Score: 1

      Melissa made it so that we couldn't just tell our less tech-minded brethren/co-workers, "for the last time, you'll be ok if you just don't open any frickin' attachments from people you don't frickin' know!" This one means we can't even tell them "you'll be ok if you don't open any attachments."

      That's fine, just tell them "You'll be OK if you don't use BillyShit rubbish. Use Linux instead!"

    5. Re:This is *not* just another email virus by Gleef · · Score: 2

      ToLu the Happy Furby wrote:

      Melissa made it so that we couldn't just tell our less tech-minded brethren/co-workers, "for the last time, you'll be ok if you just don't open any frickin' attachments from people you don't frickin' know!" This one means we can't even tell them "you'll be ok if you don't open any attachments."

      What this worm does allow us to do, however, is say "Outlook and Outlook Express are not allowed on supported systems due to excessive security problems, please use a mail reader that doesn't run untrusted code automatically, such as Netscape, Eudora, Pine, Elm, Mutt, etc.". It's not as if there aren't other, better options out there than Outlook, and such a virus is impossible on those systems AFAIK.

      ----

      --

      ----
      Open mind, insert foot.
    6. Re:This is *not* just another email virus by jafac · · Score: 1

      Oh, you don't even have to highlight the mail. If you have an empty inbox, with preview "on", and the message list pane has the focus, the first message that appears will automatically be highlighted. In this (admittedly rare scenario), the user doesn't even have to do anything!

      Or, alternatively, if Bubbleboy arrives in the inbox while the user is reading other mail, and the user trashes the previous message, highlight in the box automatically goes to the next message on the list, and BOOM, another unintentional way to launch the virus. Personally, I never went in for the preview pane thing, I thought it slowed things down, and took up too much real estate. I generally select all my unread messages that I want to read at once and open them in a group so they all get their own windows.

      Anyone know how this thing behaves with the other form of preview activated, the one where the first three lines or so of each unread message shows up in the message list window? If THAT executes the payload, then we're all fucking doomed, because I think that's the default setup for Outlook, and nobody has to highlight anything. The message just has to be in the inbox, and unread. But since it only displays like the first three lines or so, I'm not sure if that will execute the payload.

      I wish I had a nickel for every time someone said "Information wants to be free".

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
    7. Re:This is *not* just another email virus by tietokone-olmi · · Score: 1
      The security abomination of ActiveX will *never* be duplicated by anybody else.

      Wishful thinking. People will forget, PHBs will forget faster. "This new powerful embedded E-mailable application system will enhance our product value!" I can already smell the drool.

    8. Re:This is *not* just another email virus by David+Roundy · · Score: 1
      how about self modifying worms, that change the subject line of further forwards to any of, oh say, 100 different things, making it pretty impossible to avoid opening the naughty email

      Actually, this would be the least of your problems. The easiest and most effective tactic would be to actually forward an actual email that was on the user's machine, chosen at random. Of course, you would have to insert the worm, but that couldn't be too hard. This should be almost trivial to do, and would result in a message that had no distinguishing characteristics, and really looked like the sort of email you might receive from that person.
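
The worm discussed in this thread runs from script in the HTML body rather than from an attachment, so mail screening has to look inside `text/html` parts. The following is an added example, not taken from any comment or from the article: a Python standard-library screen that flags active content. The sample messages are constructed and inert, and the tag list and the `deliver`/`quarantine` verdict names are assumptions.

```python
"""Flag active content in the HTML parts of a mail message (added example)."""
from __future__ import annotations

from email import message_from_string
from email.message import Message
from html.parser import HTMLParser

# Assumed policy: elements that can run or host code in a mail reader.
ACTIVE_TAGS = {"script", "object", "applet", "embed", "iframe"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")
URL_ATTRS = {"href", "src", "action", "background"}


class ActiveContentFinder(HTMLParser):
    """Collects a human-readable finding for each active construct."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            # Drop whitespace/control characters so "java\tscript:" still matches.
            compact = "".join(ch for ch in (value or "") if ch > " ").lower()
            if name.startswith("on"):
                self.findings.append(f"{name} event handler on <{tag}>")
            elif name in URL_ATTRS and compact.startswith(SCRIPT_SCHEMES):
                self.findings.append(f"script URL in {name} on <{tag}>")


def html_findings(msg: Message) -> list[str]:
    """Walk every MIME part and inspect the ones declared as text/html."""
    findings: list[str] = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        raw = part.get_payload(decode=True) or b""  # undoes base64 / QP
        charset = part.get_content_charset() or "utf-8"
        try:
            text = raw.decode(charset, errors="replace")
        except LookupError:  # unknown charset label in the header
            text = raw.decode("latin-1")
        finder = ActiveContentFinder()
        finder.feed(text)
        finder.close()
        findings.extend(finder.findings)
    return findings


def screen(raw_message: str) -> tuple[str, list[str]]:
    """Return ("quarantine" | "deliver", findings) for one raw message."""
    findings = html_findings(message_from_string(raw_message))
    return ("quarantine" if findings else "deliver", findings)


# --- Constructed sample messages (inert; not captured from any real mail) ---
SAMPLE_PLAIN = """\
From: alice@example.com
To: bob@example.com
Subject: lunch
Content-Type: text/plain; charset="us-ascii"

Noon works for me.
"""

SAMPLE_BENIGN_HTML = """\
From: news@example.com
To: bob@example.com
Subject: newsletter
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hello <a href="http://example.com/">link</a></p></body></html>
"""

SAMPLE_ACTIVE_HTML = """\
From: carol@example.com
To: bob@example.com
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="XX"

--XX
Content-Type: text/plain; charset="us-ascii"

Plain-text alternative.
--XX
Content-Type: text/html; charset="us-ascii"

<html><body>
<script language="VBScript">' inert placeholder, no code</script>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<a href="JavaScript:void(0)">click</a>
</body></html>
--XX--
"""

if __name__ == "__main__":
    for name in ("SAMPLE_PLAIN", "SAMPLE_BENIGN_HTML", "SAMPLE_ACTIVE_HTML"):
        print(name, *screen(globals()[name]))
```

A finding means the message asks the reader to run or load something, not that it is malicious; the verdict is a policy choice for mail that should never need script.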

  34. lol by BobLenon · · Score: 1

    God i love this crap. And people persist using IE/Windoze. And we wonder why they waste so much time on fixing computers in the business world. Why don't they wake up and smell the coffee. Perhaps they will soon...

    MS = Monopoly != Good For You

    --

    /* Lobster Stick To Magnet!*/
  35. Read that one, it's funny by Wench · · Score: 1

    A message to a moderator. Ignore me..

    --
    No matter how cynical you become, it's never enough to keep up.
  36. If you are exposed.... by Anonymous Coward · · Score: 0
    Microsoft posted a fix for this particular instance

    http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm

  37. A quick rant by Matt-69 · · Score: 1

    I hate virii, or viruses, or whatever and the paranoia that goes along with them. We have reasonably nice computers at school (P2/266, 32mb, etc etc) that run win95 with Netscape 4 and Word 97. One would think the systems would be reasonably fast, but NO!!!! The stupid admins for the network here load not 1, not 2, but 3 virus scanners into memory! (you know, the gay little ones that scan every file that you open) Netscape takes over a minute (yes I timed it) to load on those decent machines. Takes less time to load on my old 486/66 box. Damn it all to hell


    PS - HTML is gay for anything except web pages. In point of fact, I don't even like the simple HTML formatting on /., but that's just me

    1. Re:A quick rant by normiep · · Score: 1

      I've had netscape take a minute to load even without any virus scanners...

      Although three virus checkers sounds like a bit of overkill.

      I actually kind of like html formatting... well at least I like having active links available... cutting and pasting can be a real pain in the ass.

      --

      -- Point? None! Cob.

    2. Re:A quick rant by Anonymous Coward · · Score: 0

      Join the club. Ours are P2/333 running win 98 on a Novell network. However our network is CRAP the workstations crash every odd time you close Netscape. I have been trying to convince him to change to a Linux network however we may at least get NT Workstation due to a scummy deal microsoft only charges Queensland(Australia) schools around $85 australian per year to use the complete microsoft range(over 85 products). Microsoft's push to place software onto the students in high schools is just another way they are expanding there monopoly.

    3. Re:A quick rant by Anonymous Coward · · Score: 0

      around $85 australian per year to use the complete microsoft range(over 85 products). Microsoft's push to place software onto the students in high schools is just another way they are expanding there monopoly

      It's "their monopoly" but anyway, yeah that's a way to play monopolist, monopolies often reduce prices to almost nothing.

    4. Re:A quick rant by ben_ · · Score: 1

      Do you really want to use "gay" as a term of abuse? Do you really think that people will take your point, or take you seriously if you're so obviously homophobic? What a good way to convince people of your point of view. Maybe you don't like Jews as well, or perhaps coloured people. Maybe you should say "HTML is black for anything except web pages", or "HTML is jewish for anything but web pages". See how it sounds?

      --
      ben_ the technologist and platform agnostic
    5. Re:A quick rant by Anonymous Coward · · Score: 0

      lighten up bwana, stop being so hispanic

    6. Re:A quick rant by seesik · · Score: 1

      My thoughts exactly. Anything positive this guy had to say was immediately dismissed due to his delivery. Try "lame" or "ineffective" or "fucking ignorant", but not "gay", "female", "oriental", "democrat", or so on. "He needs a magazine rack cuz he gotz issues".

    7. Re:A quick rant by smileyy · · Score: 1

      You don't need HTML for clickable links. The standard (spelled out in an RFC, I believe -- I don't know the number offhand) method of denoting a URI* in text/plain is of the form:

      <uri:http://slashdot.org/>

      Then, all you need is an application that correctly implements this scheme, and you're well on your way to happy land.

      *All URLs are URIs.

      --
      pooptruck
  38. Ignorant Linux Users by Anonymous Coward · · Score: 0

    It's one thing to bash an OS. It's another to be racist. Ignorance is not what Linux is about. Don't bring your shit in here.

  39. Outlook 2K Instructions - Step by Step by The_Myth · · Score: 2

    Well how about that, the boneheads won't let you turn off mail formatting. Slick guys, good thinking

    Actually it can be done.

    Open Outlook
    From the menu go to Tools | Options
    Click on Mail Format tab in the dialogue box
    Change message format to Plain text
    Click OK then OK

    You should be back at the normal screen - Problem solved

    --
    The MyTh - I am a figment of the Imagination - [Im Probably even not here]
    1. Re:Outlook 2K Instructions - Step by Step by vectro · · Score: 1

      I don't have a Windows box myself, so I can't confirm this, but IIRC this changes the default format of outgoing messages, and has nothing to do with processing HTML in incoming messages.

    2. Re:Outlook 2K Instructions - Step by Step by odaiwai · · Score: 1

      Not in Outlook 97 though.

      dave

    3. Re:Outlook 2K Instructions - Step by Step by Priestess · · Score: 1
      well how about that, the boneheads won't let you turn off mail formatting. Slick guys,

      Actually it can be done.
      Hummm, unless I'm mistaken that turns off the formatting for OUTGOING mail, which may be a polite thing to do but really isn't any kind of security fix on your machine. What Babbage wants to do is stop Outlook ever displaying HTML formatting which is quite different. I think it is possible to stop it executing any java/activex/javascript code though but only by playing with the "security" settings which are global and affect IE and the web too. It doesn't seem to be possible to say "I want to run scripting and applets in web pages but not in Email." At least not easily.

      Pre....
    4. Re:Outlook 2K Instructions - Step by Step by Anonymous Coward · · Score: 0

      Unfortunately on my Outlook setup the drop-down to select plain mail text formatting is disabled, due to a stupid feature in the policy tools for Outlook admins.

      Anyway, this is irrelevant as it only affects outbound mail formats. There seems to be no way to turn off HTML email inbound in Outlook - the best way IMO around this problem is to go to the Internet control panel item, Security tab, and disable anything to do with scripting.

  40. Alice in Cyberspace by Wayfarer · · Score: 1

    Amazing(?) that MS didn't take precautions against this happening. Then again, they've got so many Windows extensions out there, that it's gotta be hard to keep track of the interactions... Seems like they're running as fast as they can just to keep up with the problems.

    Then again, some of it is the responsibility (or lack thereof) of the end user. I find it depressing that people will mindlessly follow such simple directives as "Open Me". Even though the subject in this case wasn't quite that direct, it still would seem rather alien in my inbox.

    --

    -W-

    Is it all journey, or is there landfall?
    --Ellison & van Vogt, 'The Human Operators'

    1. Re:Alice in Cyberspace by DanJose52 · · Score: 1

      Hi, guess what? You're wrong, there is an update out there, either download it and quit bitching, or use Linux and stay silent because it does not affect you...yet. Either way, quit bitching about Microsoft. I am a staunch Outlook advocate because it is the only e-mail client that my mother can use without asking my brother or myself a question every 2 seconds. It's simple, well-designed, and decently speedy. Use Windows Update on the Start Menu(TM)...it's not a problem. Take off your zealot-colored goggles and see the actual world for once.

      Dan

    2. Re:Alice in Cyberspace by Wayfarer · · Score: 1

      First off, I'd appreciate a more civil tone, should you choose to respond again.

      Now to address your post:

      Yes, Outlook is easy to use, and, as such, has its merits. But the issue at hand is one of security, not ease-of-use. An application that is user-friendly is not necessarily secure.

      Note that I said "precautions" in my post. An update does exist, as stated by the article. However, that does not change the fact that the possibility of using such tight integration in an attack should have been addressed beforehand. To their credit (or folly--whatever have you), the flaw was in the security label for the affected controls, an accident--though I believe the labels shouldn't have been the sole determinant of the permissions granted them.

      Staying silent on this issue is hardly an option for me. The article also states that there may be other HTML-email issues present, and I firmly believe security through obscurity is not the best defense.

      --

      -W-

      Is it all journey, or is there landfall?
      --Ellison & van Vogt, 'The Human Operators'

  41. Feature Vs. Bloat by pos · · Score: 2

    A while back (~3 months?) I read an article linked to by /. about bloated apps. The author was stating that users ask for and want bloated software. I see this argument time and time again in the press, newsgroups and so on...

    Well, I think the point is really:

    Does an app need to be bloated to have features?

    Obviously, 90% of the people who read this will exclaim "NO!". So the question remains "why is software bloated?" This is the thing that is addressed in the Programmer's Stone as well as many books. Everyone on this site should read The UNIX Philosophy for a discussion of the stages of software development as well as lots of discussion on why unix has developed into what it is. Only in the second growth stage of development does software become bloated. This is due to the addition of all of the requests for more features being implemented. They all are added without thought until the software becomes too big and the app just about breaks. The UNIX Philosophy of code reuse and small applications still allow features to be added. An example would be the ability to pipe information from one app to another to gain more functionality. This same philosophy of code reuse still holds true in today's GUI world and is why I find KDE so interesting.

    The problem comes when code has to be churned out on a deadline without planning or thought. This is usually driven by corporations and Marketing/management. Without artificial deadlines Open Source/*n*x apps can stay small and elegant.

    They can also be trimmed back and restructured by anyone. As a community it is important to always grow as fast as possible by adding features but to also look back and take out the features that only benefit a small group of users. That part might hurt a little, but is very important to get the software into the 3rd stage of life. So look back through your code and rewrite some stuff every now and then. It makes your code smaller and you will be able to work faster. You get a net gain in the end.

    -pos




    --
    The truth is more important than the facts.
    -Frank Lloyd Wright
    1. Re:Feature Vs. Bloat by copito · · Score: 2
      I had this fortune today. It must be fate:

      An architect's first work is apt to be spare and clean. He
      knows he doesn't know what he's doing, so he does it carefully and with
      great restraint.

      As he designs the first work, frill after frill and
      embellishment after embellishment occur to him. These get stored away
      to be used "next time". Sooner or later the first system is finished,
      and the architect, with firm confidence and a demonstrated mastery of
      that class of systems, is ready to build a second system.

      This second is the most dangerous system a man ever designs.
      When he does his third and later ones, his prior experiences will
      confirm each other as to the general characteristics of such systems,
      and their differences will identify those parts of his experience that
      are particular and not generalizable.

      The general tendency is to over-design the second system, using
      all the ideas and frills that were cautiously sidetracked on the first
      one. The result, as Ovid says, is a "big pile".
      -- Frederick Brooks, "The Mythical Man Month"

      --
      --
      "L'IT c'est moi!"
    2. Re:Feature Vs. Bloat by jafac · · Score: 1

      While this thread is hopelessly off topic, I do have to disagree with something you said.
      While we all love to hate the marketroids for pushing development schedules and feature specs beyond what's reasonable and sound from an engineering standpoint (causing the resulting unstable and bloated app), that cause itself has a cause, and ultimately, it goes back to the shareholders, media, and customers. The shareholders want their company's products to be a commercial success so that the value of their holdings will increase. The media compares software in these multi-page foldout "feature-matrix" reviews, which causes the customer to demand feature parity, even when it's not really important. The features have all been reduced to a visual checkmark on the matrix, and so all features bear the same weight at a glance, therefore, intelligent prioritization feedback goes by the wayside, and boom, this filters back through sales, to marketshare, to stock prices, to shareholders, to marketroids, to R&D, ultimately back to the customer.

      I wish I had a nickel for every time someone said "Information wants to be free".

      --

      These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  42. NEWS:email breakthru! by jajuka · · Score: 2

    NEWSFLASH:
    In an amazing technological breakthrough, a horde of new email programs have rendered themselves invulnerable to every conceivable computer virus. By rendering email in plain text, ignoring worthless html formatting instructions and pesky attachments which clog up the internet with unwanted and useless files, these programs, known by such arboreal names as pine and elm, sidestep the entire issue of computer viruses. Stay tuned for more details!

    1. Re:NEWS:email breakthru! by jezzball · · Score: 2

      Um, hello. Many years pine wasn't secure - text sequences escaping to shells, etc.

      Text ain't any securer than an html page. We just need better browsers.
      So many things couldn't happen today
      So many songs we forgot to play
      So many dreams coming out of the blue

      --
      ls: .sig: File not found.
      (A)bort, (R)etry, (I)gnore?
    2. Re:NEWS:email breakthru! by jajuka · · Score: 1

      Um, hello. Many years pine wasn't secure - text sequences escaping to shells, etc.
      Text ain't any securer than an html page. We just need better browsers.


      I can't speak for pine's past bugs, but as far as your statement that text isn't inherently anymore secure than html...
      1. it IS inherently easier to write a SAFE program to display plain text than it is to write a SAFE program to interpret and display html.
      2. plain html is one thing, but when you start embedding dynamic objects, you're asking for trouble. :)
      3. I was being funny. Lighten up.

    3. Re:NEWS:email breakthru! by Dusty · · Score: 1

      Black and white film at ten.

    4. Re:NEWS:email breakthru! by WhatThe?? · · Score: 1

      Let me get out my chunk of stone and chisel. Somebody hand me a mallet and I'll write you a message.

      I agree that plain text email is more virus proof, but the masses have already passed that point, hence no turning back.


      --
      Technology is only a vehicle. People are the ones that drive it.
    5. Re:NEWS:email breakthru! by jezzball · · Score: 1

      I know, I was tired and it was late :) I meant to be funny too, but I'm not :P

      But the main point is that Pine had to be written safely. So does Outlook. Pine may be easier, but outlook can be more beneficial in the end. We just need good code.
      So many things couldn't happen today
      So many songs we forgot to play
      So many dreams coming out of the blue

      --
      ls: .sig: File not found.
      (A)bort, (R)etry, (I)gnore?
  43. activex by mcc · · Score: 2

    i want to know how microsoft is getting away with this..
    msnbc, as i'm sure a lot of other news sources will be doing, are centering really big on the word "VIRUS!" despite the fact the virus isn't the important part at _all_. the important part is that the activex exploit which allowed web pages to install arbitrary code on the person's computer now run in HTML e-mail. If you accept that, the idea "you could write a virus with this" is so obvious as to be totally irrelevant.

    The page kinda implied to anyone who doesn't know what they're talking about that this problem is there because someone "wrote a virus", not because MS shipped a product with bad security.

    Meanwhile i want to know why microsoft is getting away with this. Despite the fact that a piece of HTML running an activex (or any other kind of applet or script or anything) that can TOUCH your hard drive, much less install, say, Backorifice (or a program that downloads and installs backorifice..) is to me the most terrifying thing a web browser could do. And yet what kind of attention has this little exploit gotten in the couple of months since it's been found? NOTHING. There was like one article on PCWeek months ago and that was IT.

    You can, of course, put activex on high, or even disable it, but that shouldn't be _necessary_. Something like activex that allows something like this SHOULD NOT BE RUNNING BY DEFAULT, since it targets people who don't know enough about their computers to go to the bother of understanding what this "activex" thing that MS put on their computers along with windows is. Let things like this, or the little "feature" that let remote web pages view the contents of your copy/paste clipboard, be turned _off_ until the user needs to use them, not left on until the user finds out they're there? Even if in theory ActiveX had perfect security in every way, i still don't like the idea of a web page touching anything on your hard disk besides your cache. (but then, hell, i'm also an old-timey purist who doesn't think an interpreted language like Javascript should contain things that are reliably able to crash the machine of the person who runs them.. but that's another rant altogether. "while(1)alert('!')"..)

    How is MS getting _away_ with this? They should be in HUGE trouble for this whole activex thing; this is the most pathetic/deadly security exploit i think i've ever heard of. Yet they're barely getting any attention for it. WHY is this happening?

    Still i think it's awful funny that apparently the _only_ use for ActiveX-- at least, the only time i've ever heard of someone doing anything with ActiveX-- is a security exploit.

    -mcc-baka
    why web browsers suck: http://home.earthlink.net/~mcclure111/cyberleary.html#discontent

    1. Re:activex by quonsar · · Score: 2

      i want to know how microsoft is getting away with this..

      Me too! If Toshiba can bend over to the tune of 2 billion over a floppy controller bug which has never cost anybody anything, why the hell aren't those legal shysters from Texas filing class-actions against BillySoft?

      Why, in the last week alone I have read stories about server outages, admin problems, etc etc that must have cost SOMEBODY a lot of bucks, and that shit goes on day after day!

      ======
      "Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

  44. Patched two months ago! by kaphka · · Score: 2

    Win9x WinNT

    Information is here.

    I really should rant about how hypocritical and ignorant most of the posts here are, but I don't have the energy. How about checking to see whether MS has already fixed the bug, before you complain about the lack of a solution?

    Now, if you want to bitch about MSNBC for sensationalizing this, that's another issue entirely...

    --

    MSK

    1. Re:Patched two months ago! by pvente · · Score: 1
      Now those that think MSNBC can't be objective when reporting news about Microsoft better rethink that idea.

      Curious, no ?

  45. Too bad it doesn't have a payload by Anonymous Coward · · Score: 0
    Perhaps if enough suits lost their PowerPoint, Word and Excel files they'd get pissed off enough about Microsith's apathy towards security to demand it get fixed.

    Better yet, virus writers just need to create a ViralBasic virus that only triggers if you have "microsoft.com" in your e-mail address. If you do, then you lose all *.doc, *.ppt, *.htm, *.c, *.h, and *.cpp files followed by writing random garbage to the registry:) If one could figure out a way to make swiss cheese out of the FAT, it would be even better:)

    1. Re:Too bad it doesn't have a payload by Anonymous Coward · · Score: 0

      If I had the time and the 'doze know-how (and Windows + spare PC) - I'd make it do the following: The mails it would send out would use the recipient/subject info from the Sent Mail folder. Makes it harder to filter out and more likely for the recipient to open it. If I knew windows programming, it would modify random files of any kind, changing single bits or bytes. This would degrade the system slowly and people wouldn't notice for a while. Fun fun fun...

  46. Superiority, gloating by laertes · · Score: 2

    "I think this story was sent down from heaven to give us Linux users a chance to gloat over windows users," is the gist of the few messages posted so far. I don't really think we should have that attitude at all. We need to understand that there are [l]users out there who think HTML email is really neat, the same way I think that the new kernel debugging features are cool. We have to understand that our tastes in all things computers are not absolute. So Microsoft f***ed it up yet again; all companies do it. One of the reasons linux has been so secure and powerful is the foundation for its design: UNIX. Windows is much younger than UNIX. And anyway, UNIX had its virus/security problems a (not so)long time ago. The Worm anyone?

    All computer systems have security holes. Complex ones more so. If you want some more rhetoric on why security is never perfect, read Bruce Schneier's interview here.

    I think Microsoft was rash in releasing software with this little hole in it, but it doesn't mean that we're better than users of HTML email. Besides, all of Microsoft's really good OS people are on NT(Win2000) which doesn't have this particular problem. Microsoft doesn't really take the security of Win9x seriously anyway.

    I personally am waiting to see how linux stacks up to Win2000. After all, this is like comparing the newest NT to version 2.0.36(my first kernel!).

    /bye

    --

    Yes, I'm still a junky. Are you still a bitch?
    1. Re:Superiority, gloating by BJH · · Score: 1

      I think Microsoft was rash in releasing software with this little hole in it...

      Try "gaping hole big enough to drive a truck through" and you'd be a little closer. MS has been playing fast and loose with security in its blind rush to integrate ActiveX (which was never designed with security in mind) with all its software products - including ones like IE and Outlook that by their very use require the transfer of unverifiable data to the user's computer. MS could have taken the time to try and do it right (i.e. security by default), but they didn't, and so everyone using their products ends up patching ActiveX every time somebody figures out a new way to get it to execute unverified content. If they'd just made sure in the beginning that such execution was not possible except in specific circumstances, there would have been no such problem.


      Microsoft doesn't really take the security of Win9x seriously anyway.

      And this is a good thing?!? You're trying to tell me that MS knowingly distributes defective software, and that we should just ignore it because they don't care? Ever heard of something called PL law? It requires manufacturers to take steps to ensure that their products are fit for the purpose for which they are sold. In other words, either MS is acknowledging that worms like this are legitimate use of its mail software, or they are deliberately distributing a product that fails to comply with product liability laws. Geez, get your head out of your ass.

    2. Re:Superiority, gloating by mrneutron · · Score: 1

      And anyway, UNIX had its virus/security problems a (not so)long time ago. The Worm anyone?


      Uhhh... The !@#$%%^ worm was 10 years ago. That is the very definition of "a long time ago", especially when you convert to internet time. I'm sure there are slashdotters who weren't even born then.

      If worm technology can hurt your Unix internet systems today, you've already got spammers, mp3 pirates, script kiddies, and wannabies partying like it's 1999 on them right now.

    3. Re:Superiority, gloating by Royster · · Score: 1

      In other words, either MS is acknowledging that worms like this are legitimate use of its mail software, or they are deliberately distributing a product that fails to comply with product liability laws.

      Take a look at a Microsoft EULA and tell me if you think that you would be able to last 5 minutes in court with a liability claim.

      --
      I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
    4. Re:Superiority, gloating by ToLu+the+Happy+Furby · · Score: 2

      One nitpick on an otherwise very insightful comment:

      Besides, all of Microsoft's really good OS people are on NT(Win2000) which doesn't have this particular problem.

      Actually, Win2000 *does* have this problem, according to the advisory that was up at Network Associates' website (even though the McAfee page referenced here says it's Win98 only...hmm), because it shares Win98's use of IE 5 and Windows Scripting Host. Or, at least, Win2000 Beta 3 has this problem; of course, the final version will obviously include the patch for this exploit, which as noted earlier, has been out for about a month now.

      So...either NA's advisory was wrong, and Win2000 doesn't have this hole even though it has all the components which enable it installed (IE 5 and WSH), or Win2000's security model has a big strike against it from the beginning. As you noted, that's completely to be expected with any new operating system, and *nix has certainly been there before. Still, it does make you wonder how long it will take before we can trust W2k...

    5. Re:Superiority, gloating by ToLu+the+Happy+Furby · · Score: 1

      Sorry for the repost; forgot to include the link...

      One nitpick on an otherwise very insightful comment:

      Besides, all of Microsoft's really good OS people are on NT(Win2000) which doesn't have this particular problem.

      Actually, Win2000 *does* have this problem, according to the advisory that was up at Network Associates' website (even though the McAfee page referenced here says it's Win98 only...hmm), because it shares Win98's use of IE 5 and Windows Scripting Host. Or, at least, Win2000 Beta 3 has this problem; of course, the final version will obviously include the patch for this exploit, which as noted earlier, has been out for about a month now.

      So...either NA's advisory was wrong, and Win2000 doesn't have this hole even though it has all the components which enable it installed (IE 5 and WSH), or Win2000's security model has a big strike against it from the beginning. As you noted, that's completely to be expected with any new operating system, and *nix has certainly been there before. Still, it does make you wonder how long it will take before we can trust W2k...

    6. Re:Superiority, gloating by BJH · · Score: 1

      EULAs aren't exactly watertight - the validity of a contract in which one party has no power to alter the conditions of the contract is fairly iffy. Remember, this sort of thing is supposed to be decided by negotiation between the two parties.

    7. Re:Superiority, gloating by Royster · · Score: 1

      The lack of ability to negotiate the terms of a contract does not make a contract unenforceable. There is a class of contracts in contract law called contracts of adhesion. Contracts of adhesion are contracts in which the terms are dictated by one party. Your insurance policy is a contract of adhesion.

      Contracts of adhesion carry implication in law. Ambiguous terms are to be interpreted in favor of the party that did not draft the contract. Also, contract provisions which are against "public policy" are not enforceable.

      The only real way to get around an EULA is to be able to demonstrate: that due to the presence of a preventable bug, you suffered some actual loss; that the claim that the software is not warranted to be suitable for any purpose whatsoever is belied by other public statements of the company; and you have to show that a disclaimer of liability is against public policy. Make sure you have a big bank account because this case will be appealed for years and the outcome is still not certain.

      Make sure, also, that your state does not pass UCITA which specifically permits most EULA language, because your essential third claim goes away under it.

      --
      I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
  47. pattern? by discore · · Score: 1

    is anyone else starting to see a pattern here?
    tons of corporate places have hundreds of computers running windows9x. and probably using IE along with outlook express. why is this? because it is the easiest way. the point and click environment.

    this sort of "non-negotiable" environment is sort of dangerous. there are most likely tons of unknown holes (dare i say even a backdoor or two) in the windows operating systems.

    how many hours of downtime does a place need to have before they realize windows isn't the way to go? that's one of those impossible to answer questions, obviously they have seen enough yet.

    tyler

    1. Re:pattern? by Anonymous Coward · · Score: 0

      Maybe linux will settle on an easy point and click environment one of these days. But I doubt it. That's why.

  48. Yes, but it's yet another ViralBasic for Apps bug by Anonymous Coward · · Score: 0
    ViralBasic for Applications is just one huge cesspool of security firedrills waiting to happen. I hope someday someone brings about the shit-storm of all time with it, something that makes Morris' worm look like a kitten. If Microsith gave anything but lip service to security issues this would not have happened.

    Heck, if Bill Gates had a nickel for every security hole, bug, and crappy design that company has shipped.... oh wait... never mind. He does.

  49. Multiple Root Exploits last month by Anonymous Coward · · Score: 0

    Don't give me crap about linux being more secure than windows. Everything can be hacked to shreds. If you are at all up to date with your security updates you will realize that there were multiple new remote root exploits for linux that were discovered last month. That's pretty bad. At least with windows everybody is so stupid they don't know how to exploit this stuff. :)

    1. Re:Multiple Root Exploits last month by kgasso · · Score: 1

      quick comments:

      1. it's rather nice not to have to wait [weeks,months,years] for m$ to release buggy patches, considering patches for *NIX are usually out within minutes or hours of a discovered vulnerability.
      2. these exploits depend on the distribution/variant of your *NIX OS.. (some kiddie's 'redhat exploit-o-matic' probably won't work on a debian box, now will it.. same goes for *BSD variants)
      3. the exploited software for most windows problems is integrated into the system ("what happens when we delete this IE dll.." *crash*).. with *NIX, say if crontab irks you, just disable it. no problem there.

      of course, every user should stay up-to-date with their os's and third-party-software's latest bugs, fix them immediately, and rest easy knowing if you used a m$ product you would still be waiting for the official patches :D

      -k
      --

    2. Re:Multiple Root Exploits last month by XaOsGoth · · Score: 1

      1) The reported exploit was fixed at the end of August. Rather nice to have the fixes in place BEFORE they happen, neh?

      Microsoft is generally pretty damn quick with security fixes, and they're so widely reported, it's hard to fall prey to them.

      2) Does this mean that all variants of *nix aren't interoperable? What a horrible thing this must be for some people to face up to! (Keeping in mind that I'm essentially *nix-ignorant, but will be correcting that soonish).

      It's nice to know that Windows Update will inform me of the security fixes before I've even heard of the problem. Two clicks will generally install any necessary updates. Convenience and speed!

      Yes, *nix users are generally more informed of their systems than MS users. Therefore, they are less susceptible.

      Yes, *nix hasn't been targeted by many virii or worms, but that doesn't mean that it won't. I'm certain you'll see much more of this as it becomes more and more widespread. MS is just the biggest, most available target. (Much in the same way that AOL is the biggest, most available target for spam).

    3. Re:Multiple Root Exploits last month by Eric+The+Read · · Score: 1

      Only recently have Microsoft gotten off their butts about security fixes-- but they have, and more power to them.

      In answer to 2), no, it doesn't mean they're not interoperable. It just means they're not all using the same source code for everything. The biggest difference is between the *BSD flavours, and the SysV flavours (Linux started out SysV, as I understand it).

      Also, OpenBSD is a BSD-based unix distribution that focuses tightly on security, and audits the software they distribute regularly to find and fix security holes before they're exploited.

  50. Re:hahahaha by Anonymous Coward · · Score: 0

    Why not take your racist comments else where.

  51. Caution on Eudora by VenTatsu · · Score: 1

    By default Eudora Pro 4.0 uses Microsoft's email viewer.

    Turn it off by going to the 'Tools' menu
    Selecting 'Options...'
    Then 'Viewing Mail'
    And unchecking 'Use Microsoft's viewer'

  52. Only the beginning... by Anonymous Coward · · Score: 1

    Having had a few weeks to play with Windows 2000, this type of exploit is going to become very dangerous, very quickly. Of great concern to me, as I must use WinNT for work, is the conversion of key OS utilities into COM servers they are calling "Snap-Ins."

    When I set up my partition for testing this new OS, I needed to isolate my important partitions from the new OS. A utility called Disk Administrator (innovative name, no?) was standalone in NT4. In Win2000 it now runs as a COM service through the Control Panel which runs in Explorer, which equals IE [this utility is a GUI equivalent of Disk Druid]. With the scripting host built in, and with Microsoft's carefree attitude toward security, and the fact that if you use IE the browser detection from some web sites require you to enable ActiveX controls, means that I am feeling very vulnerable to the whims of whatever gets thrown out into the world next by the more clever script kiddies who will improve on this attack and find more security holes. Am I going to stumble on a site which will end up deleting all the partitions on my hard drive? I have no idea. If I were a cracker this would be the apex of virii.

    While I understand the desire to script the OS, MS has a responsibility to isolate the world from my system (or maybe they don't with the new uniform legislation).

    I have to use their OS, but I think I'll stick with NT4 and NS 3.02.

    1. Re:Only the beginning... by wilkinsm · · Score: 2

      Listen to this guy. He's right. We already know how messed up the NT security model is: Either you are god or you aren't. If your current login is administrator equivalent, any process (clandestinely or not) running on your "security station/interactive session" can do whatever it can get its hands on. With COM, everything is connected to everything else, and the "security context" interfaces are the only thing that stand in the way. I foresee a future where the payload of a macro virus could be something like:

      MMC = CreateObject(MMC.workspace)
      session = MMC.newsession(IUSR_IMPERSONATE)
      dm = session.OpenSnapin("dskmanager.1",vbnull)
      dm.partition(1).Format("NO_LABEL","FAT32",NO_PROMPT)

      Of course this is all garbage, but real COM developers can see where I'm going.

  53. Check the flamethrower... by zantispam · · Score: 2

    ...bendawg is simply trying to check his understanding...

    "Answer me this question: do you need root privileges to create or delete files?"

    Irrelevant to the original post. The logic goes something like...

    if (user.name == "root"){
        program.delete("/usr/bin/something_really_important_to_the_system");
    }else if (user.name == "Joe Luser"){
        program.delete("/home/stuff_he_didn't_need_anyway");
    }else{
        program.delete("nothing_because_it_can't_run");
    }

    It just doesn't seem to have come out that way. Be nice to germinating thoughts and you may find that they eventually germinate into really good insights...

    In any event, yes *nix is a better designed system. But, if you have Joe Luser reading his mail as root, the system is just as vulnerable to attack as any Win* system.

    --

    censorship is a form of noise, which actively seeks to drown out content with silence - Crash Culligan
  54. What NA should do with the virus. by jesser · · Score: 1
    NA should release the virus in a way that it spreads quickly, but modify it:
    1. Include a message explaining how to disable the exploit
    2. Mention that the virus will probably be modified at some point, and may seem to act the same way but leave a time bomb on the computer, so keep watching the NA website for known variants (that way nobody is surprised when someone does)
    3. Make the HTML code difficult to read so people don't make variants right away

    Otherwise, someone is going to figure out how to modify it RSN, and release a really bad virus to the wild, disabling 5-15% of all home computers.
    --
    The shareholder is always right.
  55. Cause.... by Anonymous Coward · · Score: 0

    The article states that the 'Windows Scripting Host' is the cause of this vulnerability. It seems to me that if this were caused by a buffer overflow error that it should have been implemented with the buffer checks (of course). But perhaps a more fundamental problem might be that instead of using the buffer checks, why not use some sort of String class (assuming C++). I know that the MFC CString class is horrid, but wouldn't a String class as such kill the problem of a buffer overflow outright?

    If it wasn't a buffer overflow exploit, then wouldn't something like the Java sandbox or the ActiveX equivalent be appropriate?

    It seems to me that networking software should be implemented in a way that puts security over performance.

  56. The problem is... by Anonymous Coward · · Score: 0

    That MS makes things too powerful that don't need to be. ActiveX, MSOffice Macros...etc. And because MS embeds IE into the OS, your browser can affect the rest of your computer. Microsoft counters this by putting in warnings like "you may get a virus...etc" so that it isn't really their fault if you run these scripts on their page. But users want to see the cool dancing mouse pointer, so they will usually trust the website. Since Outlook automatically uses IE to render HTML email, people now have a way to be sure that the user views the page. That's pretty much the way it is with most MS software now, a bug in one that may be minor affects a whole bunch of others. Even the fix may set off something strange.

  57. Here's an email virus that gets past IE4 security: by Ctl-Alt-Del · · Score: 2


    You don't need security flaws like the one mentioned in the article in order to compromise a machine. Simply write a small HTML file which uses javascript or vbscript to do the following:

    1. Open the c:\autoexec.bat file for reading

    2. Write "echo Updating configuration - please wait" to the file

    3. Write "format c:" to the file

    Voila!

    You need to use the scripting engine to access the file, which will give the user a prompt "scripting may be unsafe, etc.". So, maybe the user elects not to enable scripting, in which case they're safe. Maybe, the user decides to click OK, in which case the next time they reboot (being Windows, that's not too far away :)) they format their hard drive.

    The point is: as always, security issues come down to the user. If users can receive email with inappropriate content, that inappropriate content can end up being executed. The only real way to stop this kind of thing is by identifying it before it gets to the mail client.
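The closing point of the comment above, identifying the content before it gets to the mail client, as an added example that is not part of the original post: a gateway-side check that decodes each text/html part of a message and flags anything that asks the renderer to run code. The function names, the tag list and the sample messages are assumptions constructed for this illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Elements that make a mail client's HTML renderer load or run code.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


class ActiveContentFinder(HTMLParser):
    """Collects every place where an HTML body asks the renderer to run code."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names before calling us.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):  # onload, onclick, ...
                self.findings.append(f"{name} handler on <{tag}>")
            elif value and value.strip().lower().startswith(SCRIPT_SCHEMES):
                self.findings.append(f"script URL in {name} on <{tag}>")


def scan_message(raw_bytes):
    """Return the active-content findings for every text/html part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = ActiveContentFinder()
        # get_content() undoes base64 / quoted-printable and the charset,
        # so the scan sees what the client would render, not the wire form.
        finder.feed(part.get_content())
        finder.close()
        findings.extend(finder.findings)
    return findings


def gateway_verdict(raw_bytes):
    """Quarantine any message whose HTML carries active content."""
    findings = scan_message(raw_bytes)
    return ("quarantine" if findings else "deliver"), findings


def build_sample(html, cte=None):
    """Build a constructed multipart/alternative message for the demo."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "reader@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text alternative")
    msg.add_alternative(html, subtype="html", cte=cte)
    return msg.as_bytes()


# Constructed samples; the script bodies are inert placeholders.
PLAIN_HTML = build_sample(
    "<html><body><p><b>Meeting</b> moved to 3pm.</p></body></html>")
SCRIPTED = build_sample(
    '<html><body onload="init()">'
    '<script language="VBScript">Rem inert placeholder</script>'
    '<a href="javascript:void(0)">x</a></body></html>')
ENCODED = build_sample(
    "<html><body><script>/* inert placeholder */</script></body></html>",
    cte="base64")

if __name__ == "__main__":
    for label, raw in (("plain", PLAIN_HTML), ("scripted", SCRIPTED),
                       ("encoded", ENCODED)):
        print(label, gateway_verdict(raw))
```

The base64 sample is the case a byte-level search for "<script" on the raw message misses, which is why the check decodes each MIME part first.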

  58. Don't be such a loser by Anonymous Coward · · Score: 0

    This is a security bug, and one that's easily fixed. It's a BUG. Has netscape had security bugs before????? Huh? The reason people move to IE is cause it's faster and more stable. What would you rather have huh? A browser that WORKS and supports more web standards, and one that is written in software and has potential bugs. Or a browser that's bug ridden, only works *sometimes*, tends to bring processor performance down, hogs memory and cpu, forces the UNIVERSITY you go to to limit the amount of processing time netscape can have on all the workstations, and has its own set of security bugs and potential security problems? God damn you're so lame.

    1. Re:Don't be such a loser by arielb · · Score: 1

      Yeah but IE only runs on operating systems that are bug ridden, only works *sometimes*, tends to bring processor performance down, hogs memory and cpu...

      --
      ---
  59. Microsoft has a fix, but... by jblackman · · Score: 1
    Oh sure. It looks like Microsoft has a patch up on their site, but... well, I'm just not sure how the hell to apply it.

    I download the fix, and it's something like three megs. Right off the bat, the size seems a little excessive. (That's completely irrelevant, but it irked me nonetheless.) I fire it up, and I'm presented with three options.

    • Repair Office - Restore your Office 2000 installation to its original state. No, I definitely do not want my Office installation in its original (i.e., unpatched) state. Scratch that one.
    • Add or Remove Features - Hmm, how about adding the feature to prevent e-mail from jacking up my machine? Nope, not an option. Damn.
    • Remove Office - Probably the best option of the three, but as I'm heavily dependent on Outlook and Word at this particular point in time, it's just not something that's going to happen.

    Am I stupid or is there not a goddamn option to apply the patch? I mean, sure, I use Windows NT but I'm not that dumb. Really.

    Maybe someone can clarify? Thanks.

    -jay
    1. Re:Microsoft has a fix, but... by Anonymous Coward · · Score: 0

      I think you downloaded the wrong patch. What you need is "q240308.exe," which is only around 111KB, not 3MB.

      The site describing the fix is at

      http://www.microsoft.com/security/Bulletins/ms99-032.asp

      and there are links from there to the download sites.

    2. Re:Microsoft has a fix, but... by Mister+Attack · · Score: 1
      I use Windows NT

      and there you have it. The worm doesn't work on NT. You have nothing to worry about.

  60. On email filtering by ToastyKen · · Score: 1

    The problem with filtering spam is that any filtering scheme you can come up with can be defeated, since people are smarter than filters. You'd then have to be in a constant arms race with spammers to update your filtering scheme as they find new ways to circumvent it.

    After all, once a spammer notices that they're being filtered, they can just look at the filtering software themselves and design a way around it.

    Effectively filtering email for spam will simply not be possible in the foreseeable future.. at least maybe until we have some sort of really adaptable AI doing the filtering. (And even then, we'd still be in an arms race as spammers find ways around the latest AI..)

    I don't have any solution for eliminating spam; I think spam is here to stay. I think, though, that you can MINIMIZE spam by keeping your real primary email address from sitting out on the internet in too many places.

    As for filtering, I know I'd rather risk the few spams I get than risk having my filtering software accidentally filter something I actually want.

    1. Re:On email filtering by Roundeye · · Score: 2
      I agree with the principle of the Spam Arms Race, however, content-based filtering, coupled with some forethought can deal with the majority of spam/viruses. I use a system which has two components: separate email addresses and content-based filtering.

      Simply, I have a "spam drop" email address (that's the one you see by my name) which I use in all public postings. Whenever I fill out a web form with an email address I give them that one. I use hotmail because (1) Microsoft deserves to waste their time and space storing my spam after all the money they've cost me (I'm talking about downtime not software prices -- I'd never pay for their products, but that doesn't imply that my employers are so flexible), and (2) I don't have to worry about a virus running when I get spam. I go to their web interface if I need to pick up a password to have a site membership, delete the spam, and maybe come back next month. All my other email goes through personal and/or business accounts that I don't give out.

      This cuts down drastically on the amount of spam I have to filter.

      The content-based filtering uses procmail and a perl script which acts like:
      (1) consult a list of regex's for mail to *keep* regardless (this is taken from my aliases list and a list of a few common domains)
      (2) match mail against a list of spam phrases (if you look at most spam there are generally phrases there which RARELY ever appear in regular mail) and file away spam in a special spam "folder".

      Nobody knows my set of rules, and if they find them and get around them it takes very little time to add a new rule. In a sense every spam that gets through lets me train my system to avoid a new class of spam.

      "Yeah, yeah, yeah..." you say. Well, over the past 3 years (all personal and business accounts combined) I have received 181 spam mails -- around 80% of them were automatically filtered. I have about 1 false positive every couple of months. On the hotmail spam drop I would estimate about 4000 spam mails in the past year alone.

      Of course, procmail, Perl scripts, and do-it-yourself mail filtering aren't for everyone. But then again spam's not for everyone either. :-)

      --
      "Cause there's 40 different shades of black, so many fortresses and ways to attack, so why you complainin'?"
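The two-step scheme described in the comment above (keep-list first, then spam phrases, with a new rule added whenever something slips through), as an added example that is not the poster's procmail recipe or Perl script. It is written in Python; the class name, rule lists, addresses and sample messages are assumptions constructed for this illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed rules; real ones would come from your own aliases list
# and from phrases seen in your own spam folder.
KEEP_PATTERNS = [r"^alice@example\.com$", r"@lists\.example\.org$"]
SPAM_PHRASES = ["make money fast", "click here to be removed"]


class TwoStageFilter:
    """Step 1: keep-list regexes on the sender. Step 2: spam phrases."""

    def __init__(self, keep_patterns, spam_phrases):
        self.keep = [re.compile(p, re.IGNORECASE) for p in keep_patterns]
        self.phrases = [p.lower() for p in spam_phrases]

    def add_phrase(self, phrase):
        """Train the filter with a phrase from a spam that got through."""
        self.phrases.append(phrase.lower())

    def classify(self, raw):
        """Return (folder, reason) for one raw RFC 822 message string."""
        msg = message_from_string(raw, policy=policy.default)
        sender = parseaddr(str(msg.get("From", "")))[1]
        # Step 1 wins outright: keep-listed mail is never phrase-matched.
        if any(p.search(sender) for p in self.keep):
            return "inbox", "keep-list"
        body = msg.get_body(preferencelist=("plain", "html"))
        text = f"{msg.get('Subject', '')} {body.get_content() if body else ''}"
        # Collapse whitespace so a phrase wrapped across lines still matches.
        text = re.sub(r"\s+", " ", text).lower()
        for phrase in self.phrases:
            if phrase in text:
                return "spam", phrase
        return "inbox", "no rule matched"


# Constructed sample messages.
FROM_FRIEND = (
    "From: Alice <alice@example.com>\n"
    "To: me@example.net\n"
    "Subject: lunch\n"
    "\n"
    "Click here to be removed from my lunch list, ha.\n"
)
BULK = (
    "From: promo@bulk.example\n"
    "To: me@example.net\n"
    "Subject: Opportunity\n"
    "\n"
    "MAKE MONEY\nFAST from home!\n"
)
NEW_STYLE = (
    "From: deals@bulk.example\n"
    "To: me@example.net\n"
    "Subject: hello\n"
    "\n"
    "Lose weight while you sleep.\n"
)

if __name__ == "__main__":
    f = TwoStageFilter(KEEP_PATTERNS, SPAM_PHRASES)
    for label, raw in (("friend", FROM_FRIEND), ("bulk", BULK),
                       ("new", NEW_STYLE)):
        print(label, f.classify(raw))
    f.add_phrase("lose weight while you sleep")
    print("new, after training", f.classify(NEW_STYLE))
```

The From header is chosen by the sender, so a keep-list entry is a convenience rule rather than an authentication check.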
    2. Re:On email filtering by pen · · Score: 1
      I don't have any solution for eliminating spam;
      I do. (My recent post on the Hotmail article).

      --

    3. Re:On email filtering by Mawbid · · Score: 1
      I don't much like that idea. Somebody might want to send you a legitimate email to the address given here and you wouldn't read it for several days. Also, eventually, your business and personal addresses will leak out and you'll have three accounts, each getting both real email and spam.

      But hey, at least you've implemented something that helps. I can't say the same about myself and my proposed method, which is:

      Reject mail from unknown senders and mail back instructions on how to become a known sender. Those are simple and involve resending the mail with something added or replying to the reject notice. It isn't meant to be cracker proof, it's just to eliminate mass mailers.

      I haven't done this because I don't want to annoy my correspondents, but if spam starts to annoy me too much (I actually don't get much spam), then I'll figure having each person jump through one hoop to email me isn't that big a cost.
      --

      --
      Fuck the system? Nah, you might catch something.
    4. Re:On email filtering by Roundeye · · Score: 2
      I don't much like that idea. Somebody might want to send you a legitimate email to the address given here and you wouldn't read it for several days

      I generally don't have a problem with that :-) However, if there is a time when I need to be able to publish an address for immediate correspondence I can grab another excite/hotmail/whatever address and publish it, check it for a few days and then stop checking it forever. Similarly, since I run sendmail I could give out a new address on my home site, and expire it after a while (make sendmail drop mail to that address).

      --
      "Cause there's 40 different shades of black, so many fortresses and ways to attack, so why you complainin'?"
  61. Re:Here's an email virus that gets past IE4 securi by Ctl-Alt-Del · · Score: 1


    erm, that should have been 'open for writing', obviously...

  62. Re:Gloat- wow holy xmas!!! by Chocobo219 · · Score: 1

    - So? - So what? - Did he get off? Great movie.

  63. Outlook Express solution step by step by puppet10 · · Score: 1

    Goto Tools|options select the security tab and select to use the restricted zone and set the restricted zone security settings to not do anything with active scripting etc. This is a good idea anyway, you don't lose any real functionality from it as a mail and news reader.

    --
    -------- This space intentionally left blank --------
  64. Re:Poor ISP support people, Mellisa wanted you! by shitfit77 · · Score: 1

    There was an error in logic in this article. It assumed that just because the virus did not specifically delete files that it didn't destroy data. The virus targeted us (the sysadmins) not the users because it was aimed at the servers. In the small department that I worked, if melissa would have broke out in full force it could have easily overloaded our poor overburdened mail server. Considering the importance of immediate information sharing, bringing the mail server down is just as good as destroying data.

  65. This is just another email virus by gad_zuki! · · Score: 2

    If this was cross-mail-reader then, yeah, it would *not* be another email virus. But it's just Outlook users and, specifically, more problems with ActiveX. It's devilish in the way that it blows right past the 'don't open attached crap' mantra, but at the same time security minded people wouldn't be using OE in the first place.

    Is there a sweeter way to learn proper security than by having all hell break loose? MS is doing the public a favor by proving itself to be asleep at the wheel when it comes to security, but forced to inform people on how virii work and what precautions to take.

    If anything it'll make x amount of people go "My data is too valuable for MS to screw around with," and switch to a secure mailer.

    I'm hoping MS's vision of putting ActiveX+HTML EVERYWHERE vision is dead.

    1. Re:This is just another email virus by ToLu+the+Happy+Furby · · Score: 2

      at the same time security minded people wouldn't be using OE in the first place.

      There is a difference between being "security minded" and not wanting your machine to run arbitrary code just from you reading an email. I would assume that every computer user in the world, even those for whom Outlook Express is a good choice, would fall into the latter category. The point is, tens if not hundreds of millions of people *do* use OE, and even relatively smart ones (me, for example), and tens if not hundreds of millions more use Outlook--I'd be surprised if a majority of office workers in the US didn't have Outlook as their standard email program. Suddenly they can get a virus without doing anything wrong themselves. This is emphatically *not* just another email virus. The change from having to actively do something stupid to just receiving an email is a change in kind, not in degree.

      I'm hoping MS's vision of putting ActiveX+HTML EVERYWHERE vision is dead.

      Very fortunately, this vision is *not* dead, although hopefully this virus will be the final nail in the coffin of this particular implementation. Rather, I think it's a given that something very like this vision--I'd guess it will instead be XML + A Future, More Capable Version Of Java--is exactly what will run the web, and yes, even email, in the future.

      I think too often we lose sight of the idea that the internet is exactly what its name implies--a full fledged network. Just because up 'till now technological restrictions (both bandwidth and processor related) have kept it limited mostly to just the exchanging of documents doesn't mean that it can't do much much more. I'm often aggravated by the fact that just because many /.ers were around for the "good old days" (and that the rest of us usually like to pretend we were), we often as a group tend to take the existence of problems with an emerging paradigm to mean that things are better off the way they were.

      IMO, ActiveX was and is a fabulous idea. Unfortunately, the reason for its creation at MS was to counter the threat Java presented to the Windows monopoly. As such, it was expressly not cross-platform (and thus ethically on shaky grounds at best), and it was rushed out with the intent to have features Java couldn't yet match. Both the rushing and the feature bloat led to the myriad security problems that have made ActiveX a scary joke.

      But...none of this means that the web should just be HTML and email should just be plain text. Computers are general purpose tools, and very powerful ones at that. Limiting the standard way one computer user can communicate to another--that's all email is, after all--to just the exchange of plain text is backwards and stupid.

      Yes, there are security concerns to work out. But they can be worked out. Interactivity is a Good Thing, and I'm looking forward to the day when standard HTML email, not to mention plain text email, looks quaintly anachronistic. And, IMO, if the leaders and coders of the open-source movement aren't looking forward to that day and many others like it, then open-source will be doomed only to follow where commercial software has already led.

    2. Re:This is just another email virus by pen · · Score: 1
      If this was cross-mail-reader then, yeah, it would *not* be another email virus.
      Actually, I believe that OE isn't the only email client out there that uses IE for viewing HTML. I can't name any off the top of my head, but given Microsoft's allowing any program to use IE (a very good idea, IMHO - they even give you access to the DHTML object tree) it is very likely that someone has used this.

      In fact, I can clearly remember installing such an email client and trying it, but removing it because it was crap. Of course, this isn't evidence of any sort, as I remember a lot of things, and they aren't necessarily true. Can anyone confirm this?

      --

    3. Re:This is just another email virus by Myddrin · · Score: 1

      but at the same time security minded people wouldn't be using OE in the first place.

      BZZZZZT. Wrong! Do not progress to the lightning round. Some of us security-minded people (i.e. me!) are forced to use OE/Outlook for work.

      PS. Doesn't it annoy you that companies copyright abbreviations? For example that should've been i.e.(tm), but tm is trademarked (by the transcendental meditation folks) so it really should be i.e.(tm(tm))... but tm is trademarked by... you get my point.

      --
      Myddrin
    4. Re:This is just another email virus by gad_zuki! · · Score: 2

      Obviously the person making the decision to MAKE you use OE is not security minded. If you don't have a choice in the matter you haven't chosen.

      If you're using OE and you think you're secure, heh, that's your problem.





  66. Real issue by sporty · · Score: 1
    It isn't whether HTML email is usable. Obviously it is for some, hyper links, italics and some if not a lot of formatting. I would use it instead of MS Word docs, but then again, I don't use a word processor often enough.


    What MS has failed to realize is by putting a scripting ability into Outlook, and running code that can come from anywhere and affect the system is worse than running code by buffer overflow. It's allowing easy execution of random code. Joe Schmoe could have done this, but guess what, he has.

    It's worse than the javascript actionlisteners that exist that disallow you from closing windows or clicking other links. If IE didn't allow opening of files, I would say leave it in, but if it can connect to random places and do random things... BAD.. NONONOO.. It should follow java rules that java should follow.. well.. at least try to.

    ---

    --

    -
    ping -f 255.255.255.255 # if only

    1. Re:Real issue by Aninymous+Coward · · Score: 1

      Absolutely. Having singularly failed to learn from the Word/Excel/Access Macro Virus blight, Micros~1 has now added macro functionality to everything else, including people's main interfaces with the net.

      There is no reason for scripting to be available in an email client, it's just asking for trouble. And to make it an implementation that can actually open and edit files - just crazy, crazy stupid.


      Al

    2. Re:Real issue by sporty · · Score: 1

      It has a point when you wanna send something useful, like a calculator instead of sending the equation, when sending an equation would be annoying to recalculate constantly.

      ---

      --

      -
      ping -f 255.255.255.255 # if only

  67. Like I Care by Anonymous Coward · · Score: 0

    My LAN and works use IMAPD on Linux and Netscape -- just another funny story we can laugh at for using IE/Exchange

  68. How do you deploy... by sporty · · Score: 1

    How do you deploy a company wide mailing about this without infecting your company? Just curious. *grin*

    -sporty

    ---

    --

    -
    ping -f 255.255.255.255 # if only

  69. There was one known Linux virus by Greyfox · · Score: 2
    It attempted to make use of a buffer overflow to gain access to propagate. It was not particularly robust and would clean itself if you asked it to. The general concept is still usable though -- write a program that exploits a new setuid buffer overflow, or a list of them, to gain root access and then start propagating.

    Security is going to be big in the next decade as people start to realize it's important. That may only happen after some bank loses a few billion dollars or some terrorist group shuts down the power grid for a few days. It'll take some major disaster, and then security will be in vogue over night. Anyone want to start a security company?

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:There was one known Linux virus by hamal · · Score: 1
      It attempted to make use of a buffer overflow to gain access to propagate.
      Did it? Can you throw in a couple of URLs? AFAIK the "bliss" virus only demonstrated that a *nix executable can be modified to propagate a virus, it didn't gain any access, hence the danger was limited to binaries that are writable by the user.
      --
      Hamal is a yellow star in the constellation Aries.
      It is 66ly away, so it doesn't alter your personality.
  70. Even scarier... by SurturZ · · Score: 1

    Even scarier would be virii embedded in discussion board websites. Say for example, I embedded an HTML virus in this reply! (I haven't :-). I'm pretty sure most discussion boards filter out HTML.. but the readers are taking it on trust.

    Also, what if a new browser comes out supporting new HTML tags? If the web server is older than the browser you are using, those new tags may not be recognised by the web site as valid HTML... and therefore not filtered.

    1. Re:Even scarier... by Lord+of+the+Files · · Score: 1

      This is the reason that a web server filtering for this sort of thing should always disallow everything not explicitly allowed. As new html tags should still follow the current form (if for no other reason than that this allows old browsers to deal with them properly - i.e. ignore them), simply disallowing all html, and then allowing particular tags (such as bold and italic) would solve this problem.
      This does mean trusting that the owner of the web server knows what they're doing. But, in the case that they do this shouldn't be a problem.

      --

      God does not play dice - Einstein

      Not only does God play dice, he sometimes throws them where they

    2. Re:Even scarier... by pen · · Score: 1
      If the web server is older than the browser you are using, those new tags may not be recognised by the web site as valid HTML... and therefore not filtered.

      As long as any text is enclosed in '<' and '>', and it isn't one of the tags listed as being allowed, it will be filtered out. Also, I believe that Slashdot filters out any parameters it doesn't know about (like anything besides the href parameter in an anchor tag.)

      --

    3. Re:Even scarier... by Rob_u · · Score: 1

      Hm... Just out of curiosity: A javascript link? Well, it works in Preview, anyway. Time to send email to Rob (the other Rob), I think...

    4. Re:Even scarier... by QuMa · · Score: 2

      JavaScript links don't matter, I could just as well link to my page containing thousands of hostile javascript applets. But AFAIK you can't run any js without somebody clicking on your link.
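
The allowlist filtering described in the replies above (reject every tag by default, permit a few such as bold and italic, keep only href on anchors), as an added Python example that is not Slashdot's filter or any poster's code. The tag list, the URL scheme allowlist that also rejects javascript: links, and the sample comment are assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy for this example: tag -> attributes that may be kept.
ALLOWED_TAGS = {"b": set(), "i": set(), "a": {"href"}}
ALLOWED_SCHEMES = {"http", "https", "ftp", "mailto"}
DROP_CONTENT = {"script", "style"}  # the body text of these is discarded too


def safe_href(value):
    """Return the URL if it is absolute with an allowlisted scheme, else None."""
    if not value:
        return None
    # Browsers ignore tabs, newlines and control characters inside a URL, so
    # "java<TAB>script:" has to be normalised before the scheme is inspected.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    try:
        scheme = urlsplit(cleaned).scheme  # urlsplit lowercases the scheme
    except ValueError:
        return None
    return cleaned if scheme in ALLOWED_SCHEMES else None


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted markup; everything else is dropped or escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags currently open, for balanced output
        self.skip_depth = 0   # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag (old or brand new): never copied to the output
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue  # onclick, style, ... are dropped without inspection
            if name == "href":
                value = safe_href(value)
            if value is not None:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:  # close inner tags first so nesting stays valid
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(comment_html):
    """Filter one user comment down to the allowlisted subset of HTML."""
    parser = AllowlistSanitizer()
    parser.feed(comment_html)
    parser.close()
    while parser.open_tags:  # close anything the poster left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


# Constructed sample comment, not taken from the thread.
SAMPLE_COMMENT = (
    '<b>Nice</b> post, see <a href="http://example.com/" onclick="x()">this</a> '
    'and <a href="JaVaScRiPt:alert(1)">that</a><script>alert(1)</script>'
    '<newtag2005 src="http://example.com/x">!</newtag2005>'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE_COMMENT))
```

Because the output is rebuilt from the parser's events instead of being the input with bad parts cut out, a tag the filter has never heard of cannot pass through unfiltered.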

  71. More on filtering by Tupper · · Score: 1
    So, if you have good email screening, then these viruses shouldn't be a problem, either.

    I wish it were so. Once you get a worm, it sends mail to people in your address book--- for example: your mom or your coworkers. These are the very people who are unlikely to have filtered mail from you (or your impersonator).

    Fortunately, my mom dumps all my email unread and unopened. ;^)

    -Henry

  72. Er... by Greyfox · · Score: 2

    I clicked on this and now my Linux system has a start button! What do I do?

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  73. Uh... why do I care? by ler · · Score: 1

    I do not need to be inundated with the problems of the netherworld of MS Windows users. Since I run Solaris, the most reliable, scalable OS on the planet, I need not be bothered with such mindless drivel! Out with the post!

  74. It's not the OS by RatBastard · · Score: 2

    It's not a security issue with the OS, it's the way that MicroSoft has tied its email programs so tightly to the OS.

    I use Windows 98(lite) and Netscape. Am I at risk? Yes, but NEARLY as high as if I was using IE or Outlook.

    --
    Boobies never hurt anyone. - Sherry Glaser.
  75. unix-virus mailing list by majere · · Score: 1

    silvio's going to shoot me for putting this up on
    slashdot. however, for those interested in virus
    development upon unix, have a look at unix-virus.beergrave.net .
    it's mainly dealt with linux and freebsd techniques,
    however sparc/solaris has been discussed. The charter
    has recently been revised, so it now includes worms as well
    as viruses.
    check out virus.beergrave.net, or send a message to majordomo@virus.beergrave.net with 'subscribe unix-virus' in the body

    --
    "Hope is the denial of reality, it is the carrot dangled before the draft horse in a vain attempt to reach it" - Raistl
  76. Re:hahahaha by Anonymous Coward · · Score: 0

    other then "stupid nigga" i would say the same thing but if guy was ghetto he would know that "nigger" is a racist term, "nigga" is a partner in crime.

    This guy seam to be what would be called a "wigger" or a white person thinking thier black to fit in. He is also a fool.

  77. Pine? Elm? What? by fremen · · Score: 1

    So many people are advocating Pine, Elm, Mutt, and the other Unix mail clients. I think we've all forgotten that these clients are just as susceptible to viruses and malicious code execution. I would like to propose an alternative:

    cat /var/spool/mail/username |more

    This wonderful method of reading mail will allow you to view your messages without ever having to worry about viruses or evil code execution. Both cat and more handle MIME types in the correct way, by completely ignoring them.

    Those that do receive attachments can always use uudecode or hexbin to retrieve the original file. Of course, you're on your own at that point.

    1. Re:Pine? Elm? What? by PigleT · · Score: 1

      That's inefficient and false, sorry.
      You might as well save a process and do
      less /var/spool/mail/$USER
      but even then, I could get paranoid about less over more as far as "potential for unknown bugs" (maybe in the form of buffer overruns, whatever) goes.

      And you touch on the biggest problem anyway - why don't you offer support for attachments ("you're on your own at that point")? ;)

      --
      ~Tim
      --
      .|` Clouds cross the black moonlight,
      Rushing on down to the circle of the turn
  78. security by obscurity does not work by gotan · · Score: 1

    This just shows that security by obscurity does not work. This incident proves some basic things about handling any computer connected to the net:
    - any OS or application might have security holes, hence security patches have to be installed on a regular basis (this also totally invalidates the hackpcweek security test)
    - therefore it is obviously in the interest of the users to find security holes fast
    - an open source system reviewed by a large userbase for possible exploits, along with the practice of making such exploits and the countermeasures known, thus provides a good instrument to enhance security.
    - on the contrary obscure applications can result in security holes known to a select few ill-meaning individuals (while a patch for this exploit exists i understand that it is not known how exactly this exploit works.)
    - also obscurity results in users/administrators lacking necessary knowledge about the system, in contrast to a well documented system where security holes can often be patched temporarily by simply turning off the exploited component
    - furthermore an open source system makes it nearly impossible for ill-meaning programmers to install backdoors for later exploits

    In short: for well documented open source software you can expect a higher level of security due to better educated users and quick responses to exploits. Thus exploits will have a much smaller time window in which they work.

    Another main issue here is the widespread distribution of windows (complete with IE), making it an ideal target for exploits. It is a very old rule, that heterogeneous environments are generally more robust and thus healthier.

    --
    "By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
  79. virus scanners.... by kiwifruit · · Score: 1

    I was asked, and I should probably know.... is it possible to scan incoming mail on the spooler for virii? I've heard of M$ Mail Server apps that could do this, but it's never been high profile in the UN*X world, near as I can tell. Anyone done this, had any experiences, etc?

    --
    "A child of five could understand this! Fetch me a child of five." -Groucho Marx
    1. Re:virus scanners.... by PigleT · · Score: 2

      Yes, it's possible. Check Freshmeat and do a search for 'virus'.
      You'll find links to the Daemons/Anti-Virus section come up...

      --
      ~Tim
      --
      .|` Clouds cross the black moonlight,
      Rushing on down to the circle of the turn
  80. Wait! by Anonymous Coward · · Score: 0

    Um, how about ASKING the user if they REALLY want to send all of those emails??? Web pages can't do any real damage by themselves (except by replicating), unless of course they use java to do something nasty.

    I have heard time and time again from Linux users how they HATE when an OS asks those sort of questions "Do you really want to do this?". In fact, they often use this in conjunction with "That's why I use Linux".

    Now you're saying that it should ask MORE questions?


    1. Re:Wait! by godlee · · Score: 1

      Are you sure you really want to do this?

      Are you really really sure?

      Are you positive?

      Really?

      Last chance, are you sure?

      This program has performed an illegal operation and will now shut down!

    2. Re:Wait! by Anonymous Coward · · Score: 0
      I have heard time and time again from Linux users how they HATE when an OS asks those sort of questions "Do you really want to do this?". In fact, they often use this in conjunction with "That's why I use Linux". Now you're saying that it should ask MORE questions?

      Well, I don't like unnecessary questions, but back when I was using a Mac, I used a newsreader called NewsWatcher (still my all-time favorite on any platform, BTW. Wish something like it was available for Linux). NewsWatcher would ask you if you were sure that you wanted to post to the Usenet. You could disable this feature. It also asked you if you were sure you wanted to cross post. This was fixed behavior, IIRC. There was also a hard limit on the number of groups which could be crossposted to. I liked that feature. I don't see why email programs can't do the same. Warn you before you email that message to 28 people.

    3. Re:Wait! by sjames · · Score: 2

      Linux users how they HATE when an OS asks those sort of questions "Do you really want to do this?".

      There's a big difference between questioning a command the user explicitly issued and questioning a side effect that even an experienced user may have been unaware of (such as embedded commands in an email that the user hasn't had a chance to read yet).

    4. Re:Wait! by A+Big+Gnu+Thrush · · Score: 2

      This is a good point. I still use NewsWatcher. I disable this alert, but it's a good way of encouraging (not enforcing) netiquette.

      The challenge with OE and the Active X security hole does not fall into the netiquette category. It's a poor security model implemented by a company that has more than its share of enemies. Microsoft, of all corporations, should be sensitive to what people will do when they find security holes. They take internal security seriously. Look at the fact that their webservers have only been cracked once. They understand that script kiddies would love to see their name in lights. The same approach should be taken to the security model of their software.

  81. Now all we need is a USENET virus... by Wakko+Warner · · Score: 2
    ...to stop the damned cluebies from posting HTML messages there too. God, I can't stand that. Learn a little bit about your client before you start using it!

    - A.P.
    --


    "One World, one Web, one Program" - Microsoft promotional ad

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  82. Monty is too tolerant by Anonymous Coward · · Score: 0

    In the immortal words of the venerable Montgomery Burns, "Look at all these idiots!" Hahahaha

    There comes a point where blaming the victim starts to actually make logical sense. How many more times do things like this have to happen before you just want to throw up your hands and shout, "Well, what the hell did you expect?!?" Microsoft users can keep desperately trying to dodge responsibility for their decision, but sooner or later, the boss is going to look at the "nobody ever got fired for buying Microsoft" saying and wonder if he should keep accepting the same old tired excuses.

    There's only so many times teacher can hear "The dog ate my homework" before she tells the kid, "Keep your homework away from the dog if you don't want repeat 2nd grade."

    Forget what Monty Burns said. Fire the idiots!

  83. If it even exists... by puppet · · Score: 1

    So far NAI seems to be the only people that have it and it isn't in the wild. So, it seems to me the media is once again being played like a cheap saxophone. If someone does actually have it, send it to me at trojans@moosoft.com so it can but put in a real anti-trojan scanner.

  84. Better Outlook 2K instructions by eggnet · · Score: 1

    That's a good idea, but it doesn't work. That setting is simply to change the default format of outgoing mail... if you reply to someone who wrote an HTML message, the reply is still in HTML format unless you explicitly change the format to Text in that message window.

    Some other /. user had a good idea:
    Open Outlook
    From the menu go to Tools | Options
    Click on Security
    Change the Zone to "Restricted sites"
    Click OK

    That will keep HTML formatting intact and turn off script processing (set the security for incoming mail to HIGH).

  85. Relevant to DoJ case! Big time by freeBill · · Score: 1

    The judge in the Microsoft case ruled that the benefits of bundling IE into Win98 could have been achieved by having them as separate programs. He also ruled that there were disadvantages to consumers for bundling (he cited slower performance for users who wanted to use Netscape).

    But this is a big-time disadvantage. Since IE5.0 is automatically installed on my Win98 machines (and is not listed in the Remove Programs list), I cannot turn my IE security settings to "high" without disabling some web sites in Netscape Communicator.

    --
    Eternal vigilance only works if you look in every direction.
    1. Re:Relevant to DoJ case! Big time by lhand · · Score: 1
      Judge Jackson was even more specific than that. He saw the security risk of having IE in everything.

      From paragraph 174 of his finding of fact:


      ... Microsoft has unjustifiably jeopardized the stability and security of the operating system. Specifically, it has increased the likelihood that a browser crash will cause the entire system to crash and made it easier for malicious viruses that penetrate the system via Internet Explorer to infect non-browsing parts of the system.


  86. Erm. Danger! surely. by Bob+Ince · · Score: 2
    It won't run on NT.

    This virus won't, because it's written that way. However, avoiding this virus is not an issue because it has never occurred in the wild, and judging by the AV companies' reports, probably never will.

    But, according to MS's patch at:

    http://support.microsoft.com/support/kb/articles/q240/3/08.asp,

    WinNT running IE5 is susceptible to this problem and there is no reason a new email or web page designed to do so could not exploit this.

    Am I wrong?

    I hope so because I'm using NT4IE5 right here at work.

    and your security settings can't be on high.

    Ah yes, I'll just change th... oh. I can't. Admin has disabled the Internet Options menu entry, and the Control Panel version crashes. Marvellous. Hooray for Pok^H^H^H MS.


    --
    This comment was brought to you by And Clover.
  87. Media distortion by sdt · · Score: 1

    I have a feeling the media's gonna have fun distorting this one. I read the article at school, get into the car, turn on the radio, and what do I hear? '...this new virus that will affect your computer even if you don't open the e-mail it was sent with is called "Bubbleboy"'.

    *grumble*

  88. Controlling spam by RallyDriver · · Score: 1

    There is one sure-fire way to control spam - the same mechanism that controls paper junk mail. Charge by volume for internet access.

    1. Re:Controlling spam by pen · · Score: 1
      There is one sure-fire way to control spam - the same mechanism that controls paper junk mail. Charge by volume for internet access.
      There are a number of reasons this won't work:
      1. Spammers usually use freemail accounts, open gateways, or cracked/stolen ISP accounts.
      2. Charging a few cents for each email will make me pay a few bucks a month, which I wouldn't like. Charging a very small amount per email will not produce effects, as it will only give the spammer a bill of a few hundred dollars (provided that the correct person is billed at all - see #1). Considering the amount of money spam brings in (yes, sadly, this is still true), a few hundred dollars is nothing compared to the profits.
      3. What about mailing lists?

      --

  89. Of course you shouldn't care by Zico · · Score: 1

    After all, everyone knows that when yet another remote security hole for Linux is found, it won't get reported on Slashdot. Funny that, seeing how most of the people here seem to be Linux users and would have the greatest need to know. But hey, as far as you're concerned, there have been no rootshell exploits for Linux, just exploits for Windows, so you're safe.

    Kudos to Slashdot for blaring a warning about an exploit that hasn't been seen in the wild, reported by an Anti-Virus firm, and that can only work on computers that haven't been updated by a patch released three months ago. Job well done, boys!

    And to think that Katz has the stones to bitch about the mainstream media overhyping stories...

    Cheers,
    ZicoKnows@hotmail.com

    1. Re:Of course you shouldn't care by Anonymous Coward · · Score: 0

      well there's facts, damn facts, and slashdot!

  90. Actually there's nothing new here by kzin · · Score: 1

    MSNBC's (read as: BillG's) article is dancing around the point and is just a tad bit misleading, IMHO.
    The article does admit that this problem is due to a specific bug in ActiveX -- NOT because of some general vulnerability in emails. It's not different than any internet exploit which crackers can use to hack into machines, bluescreen them or spread worms... Without the bug, there wouldn't have been any problem. It's just a coincidence that this time the bug allowed the worm to penetrate through HTML mail rather than an open vulnerable port or a defective browser. The article doesn't bother to make it clear how vulnerable are OTHER mailers. In fact, it mentions a very specific configuration required to have the worm effective, but mentions Eudora as a vulnerability.
    Yet the article talks little about ActiveX being responsible and turns to throw the blame on the entire internet, in effect. I'd guess they hope that since the blame is so general, the already-desensitized world would take it lightly... If they admitted MS responsibility in this users might've started to notice this is not the first MS-specific security problem for the past few months alone and might've chosen a different mailer. Like Eudora.
    Nice to see them fix it fast though :)

  91. Turnpike uses IE by divec · · Score: 1

    Yes, at least one version of Turnpike, as packaged
    by Demon Internet, uses IE to view HTML.

    --

    perl -e 'fork||print for split//,"hahahaha"'

  92. When Linux has a problem... by Anonymous Coward · · Score: 0

    Everyone says "well, you have to keep up with your patches". OK. I accept that.

    Windows 98 warned me a MONTH ago I needed to do a security update, all on its own, it took two mouse clicks to review the updates, select the ones I wanted and install them.

    All done, and the bug that this virus exploits was closed in early September.

    I hate to tell you, but this is not an MS problem, the updates are easy, the system WARNS you when you need one, and the patch was out long before there was an exploit.

    Sounds like good work to me.

  93. No, No, No. You modify the files. by Anonymous Coward · · Score: 0

    You don't delete anything. That's trivial to recover from. You change a letter here, a word there.

  94. Re:hahahaha by Anonymous Coward · · Score: 0

    how can you have linuz warez when its all free anyway? dumb honkey-boi

  95. *nix helps a bit, but ... by Thandor · · Score: 1

    >if (user.name == "root"){
    > program.delete("/usr/bin/something_really_important_to_the_system");
    >}else if (user.name == "Joe Luser"){
    > program.delete("/home/stuff_he_didn't_need_anyway");
    >}else{
    > program.delete("nothing_because_it_can't_run");
    >}

    Well, I agree *nix is a better designed system.

    However...

    On my linux machine, I'd much rather lose /usr/bin (which I can easily reinstall from the .debs), or /root (which has nothing of value in it anyway), than $HOME, which is where I actually do things of (questionable :P) value. Yes, I know, running as root I could just as easily lose the entire /home, but if the program has the logic you describe, I think I'd rather run it as root in my personal situation. And I don't think I'm the only one in a similar situation. When push comes to shove, on your average person's computer, their personal data files that they put hours of work into are far more valuable than programs which can just be reinstalled in a few minutes.

    So when it comes to nasty programs, I don't really think the fact that emacs (or word, or whatever) still runs is much consolation to someone who's just lost their precious work (at least since their last backup). :)

    - thandor

    --
    "Now watch what you say or they'll be calling you a radical, liberal, fanatical, criminal." - Supertramp, The Logical So
    1. Re:*nix helps a bit, but ... by leonids · · Score: 1

      Hey that's what backups are for! Regularly backup your home directory so any accidental/purposeful screw-ups won't hurt you that bad.

    2. Re:*nix helps a bit, but ... by Anonymous Coward · · Score: 0

      Remember that you can have different user accounts for yourself, say a user account just for web browsing and email, wouldn't have write access to any important documents/code/whatever. It isn't that hard to change your windowmanager menu command from "netscape" to "su nobody -c netscape"

    3. Re:*nix helps a bit, but ... by zantispam · · Score: 2

      Ok. How about this?

      while(1){
      program.exec(rm -rf /);
      }

      I'd rather lose my personal files than lose the entire system and my personal files.

      --

      censorship is a form of noise, which actively seeks to drown out content with silence - Crash Culligan
    4. Re:*nix helps a bit, but ... by Anonymous Coward · · Score: 0

      Ouch

  96. Slashdot spelling failure yet again by cainem · · Score: 1

    I always thought that the plural of 'virus' was 'viruses'. But then, I also think that the plural of 'box' is 'boxes', so what do I know?

    1. Re:Slashdot spelling failure yet again by hadron · · Score: 1
      The mis-spelling virii is based on a hypothesized latin plural. In fact, no such latin plural exists : the word virus has no plural in latin.

      So use "viruses", anything else is just being pretentious and wrong.

    2. Re:Slashdot spelling failure yet again by ufdraco · · Score: 1
      If you would like to go strictly on how the grammarians tell us we should spell, etc then:
      • The plural of virus is viruses
      • The plural of box is boxes

      However, some people realize that we don't, never have, and never will speak the language as grammarians try to define it, so they are more creative in making plurals:

      • *virii - hypothesized latin plural (as hadron said) which is also doubly incorrect: not only is there no plural (as said), but if that derivation were desired, it should have been *viri or *vires, but not *virii which would only work if the singular were *virius. However, it is still easier to type and IMHO looks better.
      • *boxen - This is a play on ox -> oxen.
        Interesting historical note: we almost went down the path where all plurals were formed by adding -en instead of -s/-es. In Shakespeare's day, both were in usage, but -en was more popular by far. However, some strange linguistic twist took place and now it's -s/-es all the way (except for ox, etc).

      So now you know.

      --

      ufdraco

    3. Re:Slashdot spelling failure yet again by babbage · · Score: 1
      Interesting -- I didn't know that virus had no Latin plural. What does the word mean in Latin anyhow? I think it's safe to assume that the Romans had never heard of microscopic organisms, so that can't be it. This site says it means mucus or phlegm, while this one defines it as slime, poison. Somehow I can see where these words aren't quite pluralizable -- one slime plus one more slime equals not two slimes, but one big slime.

      Obviously, that isn't what we're talking about here -- one virus and another virus makes for ...more than one virus, not one big one. I think extending the Latin word beyond the usage Caesar would have recognized is fair here -- it may be a dead language, but it has evolved over the past couple of thousand years. (Sorry, can't cite examples, but certain Latin words originated in the middle ages, and even today new words are being coined in the language, as per recent Vatican dictionaries and such.)

      I'm going to stand by virii. You're right that it should be viri, but my half remembered high school Latin makes me want to translate that as "men" instead of "viruses", whereas the -ii spelling is unambiguous, and rolls off the tongue more easily than "viruses" besides.

      (Footnote to historical footnote: don't German and other Germanic languages still use the -en ending on plural nouns?)



  97. Re:The problem is... [plus a lengthy rant] by Sleeper+Service · · Score: 2

    Allowing fully-fledged OS-dependent executables to be embedded in web pages (i.e. ActiveX controls) is clearly idiotic. Allowing those executables to run _as the current user_ is still more idiotic. In the end, you wind up with three accounts just for one person - one Admin, one User and one Web Browsing - the Web Browsing one being little more than Guest, since it's the only way to stop things breaking your PC!

    Things are made worse by the "Trust this content?" dialog. Oh, yes, hang on! It has a lovely bitmap that looks like a security seal! It MUST be trustworthy and authentic!

    Finally, in defence of Windows NT, I'd like to point out that it has a very good security architecture, which is flexible and actually quite straightforward once you're used to it. What makes it so useless is that standard NT never actually sets the security on the OS! After a base install, any user can go in and remove Program Files or erase various fundamental bits of the OS, unless an Admin painstakingly sets all the permissions.

    Of course, anyone who has ever installed the Zero Administration Kit knows why they've made things that way - the moment you make the OS directories secure, Microsoft's products won't run on it.

  98. Linux Community by Anonymous Coward · · Score: 0

    Yet again,the Linux community shines through with such profound comments like this.

  99. Virus != Worm by Lost+Carrier · · Score: 1
    Please don't mix up viruses with worms and macros. It is NOT the same!

    Lost Carrier

    --

    Lost Carrier
    http://www.geekboys.org

  100. This doesn't force display in plain text by Imperator · · Score: 2

    This doesn't force messages to display properly. All it does is cause your messages to default correctly. Now, why couldn't that be the default?

    --

    Gates' Law: Every 18 months, the speed of software halves.
  101. ActiveX Strikes Again by volsung · · Score: 1
    If you read the article, you find the culprit isn't HTML, it's ActiveX. The HTML part is just the way that ActiveX is initiated.

    This would scare me if I used IE5.0 because I don't like the idea of untrusted websites being able to run native code on my computer. At least with Java and Javascript they run in a sandbox of sorts (although one of the two can core dump Netscape). ActiveX needs to die as an interesting, but flawed experiment.

  102. Yes, but fix the *real* problem by guran · · Score: 1
    A html file, in a browser or in a mail client, with or without javascripts, activeX, Applets, shockwave, whatever should *never* repeat *NEVER* be allowed to do anything with your client. No browser or email client should ever be able to do anything but display information without your *active* contribution.

    I like html formatted mail, they are nice and they make it easier for me to format stuff. Sure I can use ascii formatting, I usually *use* ascii formatting but even so a little html tag can guarantee (almost) that, for example, the recipient reads my ascii formatted table in a fixed width font.

    --

    All opinions are my own - until criticized

  103. Re:Removing server scripting in Outlook 97 by Rift_Valley · · Score: 1
    You can remove server scripting in Outlook 97 by going to the tools menu and selecting options, then picking the General tab.

    Under the general tab hit the Add-In Manager and uncheck the selection for Server scripting, the remove button should then ungrey, allowing deinstallation of server scripting.

    I sure as hell don't see a need for scripts to be running in my email, some porn spammer will use it to pop up adverts on me. Rift

  104. A rule to add to your filter... by Anonymous Coward · · Score: 0

    (3) Reject all mail not sent to one of my mail accounts explicitly or that does not come from a mailing list I'm subscribed to.

    If you want, that mail can be shuffled off to a "Spam" mail box just in case the filter gets a false positive.

    I used to do what you have listed as rule #2. I stopped after I noticed that procmail had to be constantly tweaked to avoid getting a block of spam or (valid) email would get killed. Your rule #1 is necessary to avoid losing mail from friends who discover mailing lists.

  105. but vary who receives the charges... by Firehawk · · Score: 1

    There are a number of reasons this won't work:

    2. Charging a few cents for each email will make me pay a few bucks a month, which I wouldn't like. Charging a very small amount per email will not produce effects, as it will only give the spammer a bill of a few hundred dollars (provided that the correct person is billed at all - see #1). Considering the amount of money spam brings in (yes, sadly, this is still true), a few hundred dollars is nothing compared to the profits.


    but - what if the small charge for email was not to the ISP but instead to the receiver of the email (with maybe an even smaller percentage commission to the ISP)?

    then you would be paid for receiving spam (as you should be) whilst if you were corresponding with a friend/relative/contact, the charges would tend to cancel out over time.

    we need cybercurrency. yesterday.


    ohwell.


  106. Why not a compromise? by jalefkowit · · Score: 1

    What I can't understand is why mail readers have to support every HTML tag to begin with. Sure, there are some advantages to formatted email, but why on earth would you need to embed Java/JavaScript/ActiveX/etc. in an email message? What possible utility could come from doing this? And even if you could come up with a good reason, wouldn't a few decent uses for the technology be less important than huge gaping security holes like this?


    This isn't a problem related to just email, either -- eBay has (or had a few months ago, anyway) a similar vulnerability, because it allows users to embed HTML into descriptions of their items for sale. Because they allow any HTML tag, this opens the door for malicious, active code to be embedded into an auction item; the best-known example of this is the eBayla bug, which uses javascript to steal passwords from people browsing your auction.


    IMHO, the right course for any product that wants to support HTML that isn't a Web browser is to support a subset of HTML -- like Slashdot does for posting "HTML Formatted" posts. Allow people to add harmless formatting tags such as B, A, or BLOCKQUOTE, but ignore tags such as EMBED or SCRIPT. This may ruin the day of anyone who's implementing a Java-based accounting package with an e-mail interface, but it would make life substantially nicer for all the rest of us.


    -- Jason A. Lefkowitz
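
The tag-subset idea from the comment above, as an added example (not code from the post, from Slashdot or from any mail client): an allowlist sanitizer that keeps formatting tags, drops everything else, and removes active elements together with their content. The exact tag list beyond B, A and BLOCKQUOTE, the permitted link schemes and the constructed sample message are assumptions of this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: harmless formatting only. Anything not listed is dropped.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "blockquote", "a"}
ALLOWED_ATTRS = {"a": {"href"}}            # every other attribute is dropped
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Elements whose content must disappear too, not only the tag itself.
DROP_WITH_CONTENT = {"script", "style", "object", "applet", "iframe"}
VOID_TAGS = {"br"}


def clean_href(value):
    """Return a usable link target, or None when the scheme is not allowed."""
    if not value:
        return None
    # Control characters inside a scheme are ignored by browsers, so remove
    # them before looking at the scheme ("java<TAB>script:" is still script).
    cleaned = "".join(c for c in value if c >= " " and c != "\x7f").strip()
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return None
    return cleaned if scheme in ALLOWED_SCHEMES else None


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0    # > 0 while inside a dropped element
        self.open_tags = []    # allowed tags that still need closing

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue       # onclick, style, classid, ... never survive
            if name == "href":
                value = clean_href(value)
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close inner tags the sender forgot, so output stays well-formed.
        while self.open_tags:
            inner = self.open_tags.pop()
            self.out.append(f"</{inner}>")
            if inner == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize(html_text):
    parser = AllowlistSanitizer()
    parser.feed(html_text)
    parser.close()
    while parser.open_tags:    # close whatever is still open at the end
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


# Constructed sample message body (not taken from any real mail).
SAMPLE = (
    '<p onmouseover="x()">Hi <b>there</b></p>'
    '<script>doSomething()</script>'
    '<object classid="clsid:PLACEHOLDER"><b>fallback</b></object>'
    '<a href="javascript:run()" onclick="y()">one</a> '
    '<a href="https://example.com/?a=1&amp;b=2">two</a>'
    '<blockquote>quoted<embed src="x.swf">'
)

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Comments, processing instructions and doctype declarations are dropped as well, because the parser's default handlers for them emit nothing.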

  107. Obfuscatory Language Doesn't Help by quonsar · · Score: 2

    I have been reading the various news reports and it absolutely pisses me off that they are saying "you don't even have to open it". WTF do they think is happening in the "preview pane"? Outlook OPENS the message so it can be displayed. The "preview pane" is an absolutely moronic device, and I have always had it shut off (View | Layout and uncheck Preview Pane). If I want to read something I double click and manually open it in its own window. This is sad. Why don't tech writers write plainly about what is going on? All this is, is another display of fundamental computer security ignorance on M$ part. Outlook Express automatically opens each message and displays a few lines in the preview pane as you scroll the list.

    ======
    "Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

    1. Re:Obfuscatory Language Doesn't Help by alumshubby · · Score: 1

      Why don't tech writers write plainly about what is going on?

      Whoa!! Don't paint all us TWs with that broad brush, quonzar. Most of us have never been within hollering distance of Redmond. Quite honestly, the TWs at M$ may never have even thought to question the difference between "previewing" and "opening" email--until now. Given the newly obsolete conventional wisdom that opening an email can't hurt you, I'd have to say this one falls under the "Hey, who knew?" category of goof.

      OTOH, with M$, who knows? An M$ tech editor I knew told me that the writers are sort of isolated from the rest of the editorial team -- I'm not sure what she meant, because that's not a sensible way to produce documentation. Any M$ TWs or TEs out there, please correct my ignorance.

      --
      "How many light bulbs does it take to change a person?" --BMcC-->
  108. Has anyone noticed?? by jabber · · Score: 2

    The only viruses we've heard about over the last two years or so, are ones that exploit Microsoft software. And not on the OS level either, these things just crawl in thru security holes in applications. Of course, saying this on slashdot is preaching to the converted, but...

    Why is there not a public backlash? Why isn't the media down Gates' throat over this? Why is there no bad press? Is the FUD really that good? Has Microsoft brainwashed people to such an extent that only the people writing the virii are in the wrong?

    Certainly, the thief in the night is to blame for the theft. But if the company that makes your windows doesn't provide a means of keeping them closed...

    Ahh, I know it, you know it... Moderate down for Redundancy... It just frustrates me to no end that M$ is shirking its responsibility to make a secure product. Good thing I don't use IE... Heh!

    --

    -- What you do today will cost you a day of your life.
  109. Seinfeld viruses by Hard_Code · · Score: 2

    Kramer worm: Enters and leaves system randomly at own volition, pilfering files and leaving others strewn around open.

    Newman virus: The newman virus compromises sendmail and pop services. Every once in a while something bad will happen unexpectedly...this will be due to Newman.

    George worm: George is pretty much harmless. It often gorges on files in the /var or /temp directory, and frequently thwarts itself. George is the product of the merging of two equally dysfunctional parent worms.

    --

    It's 10 PM. Do you know if you're un-American?
  110. multiple fixes to bubbleboy by Anonymous Coward · · Score: 0

    Aside from Symantec and Network Associates both having updates that protect against this, and aside from Microsoft having a patch that protects against us, there are two more possibilities: Either set the security settings in outlook to "restrictive", or for the really paranoid among us, simply look through windows\startmenu\programs\startup\ before shutting down, and get rid of anything you don't want. This won't beat us die-hard MS users if we don't want it to...

  111. Sorry, AIX is more reliable and scalable. by Anonymous Coward · · Score: 0

    Than solaris.

  112. It is very important that MS continue to innovate. by Anonymous Coward · · Score: 0

    Microsoft is the clear Leader in the exciting new world of Open Computing. If you install Microsoft products on your computer, your computer is completely Open. To anyone. It is wonderful to see a company so trusting of its fellow man. And it would be a shame to see the Justice Department do anything to hamper Microsoft's move to free the world from secrets.

  113. Trojan Horse? by NickHolland · · Score: 1

    If we define a Trojan Horse as a program which appears to do one thing -- perhaps productive, perhaps not -- and actually does something else, such as breach the heck out of your system security, could it not be argued that Windows, Internet Explorer and Outlook could be categorized as Trojan Horses?

    Just a thought.

    Nick.

  114. It's been said a million times by Zoltar · · Score: 2

    These types of worms/whatever are aimed more at your average computer user who knows nothing about security, or ActiveX, or changing settings for their mail reader. Most people who purchase a computer are thinking "internet" "email"... they don't have a clue about how any of it works. I'm not saying that this is bad, just these people have a different mindset than your average slashdot reader.

    To blame MS for shipping products with security holes is the easy way out, it's true they share the blame, but we can't ignore the fact that your average consumer is purchasing a very complex machine and they have zero understanding as to how to secure it. A computer is not like a toaster but your average person tends to view it that way.

  115. How to dodge the bullet by DanMcS · · Score: 1
    Of course, I'm not sure what being on the lookout for it would accomplish if you're running Outlook Express, since there's really no way to delete it from your inbox without first selecting it...which is enough to run the virus.
    Actually, you can delete it without selecting it. Outlook Express stores all mail in plaintext format. If you have to run this program under Win98/2000 like I do at work, you might have to deal with it, though the article says this worm is not known to be out in the wild right now. If you see a message entitled "Bubbleboy is Back!" appear in your mailbox, and you are running a vulnerable client, do the following:
    • Immediately close OE
    • Search your hard drive for 'inbox.mbx'. Mine was in C:\WINDOWS\Application Data\Microsoft\Outlook Express\Mail, but this might vary somewhat.
    • Open the file with notepad or some other plaintext editor. The message will be down towards the bottom, it stores them in order of arrival, so search for all instances of the subject. Delete the entire message text and header, including the unprintable characters that get rendered as boxes. These should be immediately before the header. Save the file.
    • Your inbox is now clean. Now open and repeat, because if you got it once, you'll get it a lot more.

    Or, you can do like the article suggests, and get the patch, or just set your security to high. I still wouldn't trust it though.
    --
    Communication is only possible between equals
  116. Why MS products are targeted.... by q2k · · Score: 1

    They have all the damn market share!!!! If you're going to stay up all night designing a worm/virus/whatever/ - you will focus on the market leader. Yes - MS leaves gaping security holes in the name of user friendliness all the time - but I believe Netscape and most other commercial applications have just as many holes. It's just that nobody cares enough about Netscape to bother trying to exploit their applications.

    I use IE5 on my windows box because it is a far better browser than the current rev of Netscape. I use OE5 because it came with the browser and my wife likes it... But I turned off Java, turned off ActiveX and am slowly building my list of trusted sites so I can run the Internet Zone in high security all the time. Part of this is the users - read the damn manual and look at the options for God's sake! I'll bet 1/2 of all IE users have NEVER even looked at the user options on browser or email. As somebody's sig says - in any large group of people, most of them are idiots. Guess what - IE users are a large group of people. I count myself in that minority group of non-idiots though :)

    Chris

  117. Re:Gloat- wow holy xmas!!! by Anonymous Coward · · Score: 0

    Please, for the good of the earth, see a psychiatrist, or keep yourself locked up away from technology.

    Thanks.

  118. Re:WSH ( I love it!!) by greendot · · Score: 1

    When I found out about WSH earlier this year, I thought it was the best thing since sliced bread. And as soon as I found out you could slap a COM interface onto a JS file, it just went neat from there. Sad thing is, there wasn't much use for it after the initial "oooooh" and "ahhhh". Although, I am still waiting for the chance to use dynamic code generation... as soon as I find something of value to use it on.

  119. Re:You speak with unknown toungue. by Anonymous Coward · · Score: 0

    Well, send email as you like. But any email I receive that is in HTML (or sent as an attachment) gets the R key (I run Pine, R replies, and HTML looks like line noise). I send them:

    Sorry, I didn't read your message. The HTML/attachment method makes it unreadable. Please reformat it into the email standard, ASCII.

    Thanks

    Pretty simple really, if you want to talk to me, you have to speak a universal language. I dismiss HTML the same way I would dismiss someone talking to me in Swahili with "In English, please" (I can't speak Swahili). Unless, of course, I was living somewhere where Swahili is spoken as the universal language. Where I am now (Canada) English or French is the standard.

  120. Don't let one hand know what the other is doing... by WowTIP · · Score: 1

    A simple way of keeping most of those little evil things out of your life is to keep most things "incompatible" with the rest. Never use windows with IE or Outlook express. Use Netscape or Eudora. Don't use Windows if you don't have to. Simple huh? :)

    --

    --

    "I'm surfin the dead zone
    In the twilight, unknown"
  121. It's all Alan Turing's Fault by hey! · · Score: 2

    If it weren't for him nobody would have realized that programs==data.

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  122. What OS? by Anonymous Coward · · Score: 0

    At work:
    • Win95 (not by choice)
    • Win3.1 for some ancient stuff

    At home:
    • WfW3.11 for some ancient stuff
    • OS/2 Warp Connect (v3)
    • NT4 Workstation
    • Linux
    • HP-UX 10.20
    • (maybe a *BSD soon, too)

  123. Patch WAS Released! by PenguiN42 · · Score: 1

    The virus actually takes advantage of a security flaw in Microsoft's ActiveX technology that was discovered in August.

    August?!? AUGUST! Why the hell wasn't a patch to repair the error released in August then? When a monopoly has no competition, they have no motivation to repair errors until they become huge issues for their software....


    Sloooow Down. A Patch was released, and has been available on windows update as a "critical update" for some time now. I've installed it, as has anyone who checks windows update with any regularity.

    -------------
    The following sentence is true.

    --
    The following sentence is true. The preceding sentence was false.
  124. Re:one word - less by Anonymous Coward · · Score: 0

    'nuff said

  125. Re:one word - less by Anonymous Coward · · Score: 0

    'nuff said

    -Seth

  126. Well, it doesn't affect me! by D.+Mann · · Score: 1

    I use Eudora Lite 1.5.2, circa 1993. Windows 3.1 application. It suits my purposes just fine. :)

    I also used mIRC 4.x until about two weeks ago, and Netscape 3 for an eternity. I recently picked up IE5, though.

    It just proves that it's dangerous to adopt new versions of programs too soon. Hopefully with several years of buffer time to let all those bugs get worked out.

    Eudora Lite 1.5.2 forever!

  127. Re:warned? Little cause for smugness by Anonymous Coward · · Score: 0

    This is a problem that could affect everyone.

    All someone has to do, is write an email that when activated, forwards itself to everyone in your address book. When they receive it, it is then forwarded on again to all those in the next user's address book, and so on.

    The success rate in each individual case will be high (>50%), given how many people use Outlook and don't fix the security.

    People won't even know that they've been infected, until their friends complain about the email, and they ask 'what email?'.

    A friend of mine made a similar virus at IBM with Lotus Notes (everybody's favourite cross-platform mail client :) ), only he included an explanation in the mail text, and limited the forwarding to a fixed list of 20 addresses.

    It still took us the best part of a week to eradicate the 'Christmas!' email, because as soon as someone came back from holiday, the first thing they would do is read their email, and thus forward it on to everyone else yet again. The fact that it activated on preview also meant a fair number of accidental mouse-slips, even when people were aware of the problem.

    With probably over 50% success rate at each stage, and the potential to multiply by the number of people in the average address book at each stage, such a virus/worm could easily overload mail servers everywhere.

    An alternative way would be to grab email addresses from all the messages currently in the inbox.

  128. Maybe a pain in the ass, but... by Anonymous Coward · · Score: 0
    If it's your Linux/Unix system, why not create an account specifically for doing things that may be hazardous? I have several accounts on my boxen such as my personal - mikev, a couple to try out the two main desktops - kde and gnome, and I think a few others. What's so hard then to create an account like "hazard" that would be kept fairly expendable if indeed a virus did hit via email or other means? Then, if you wanted to, you could always su and grab your address book and bookmarks from time to time and stick that in your regular dir.

    What would be too cool is if we could implement multiuser into a single user environment - have a non-root but master account where you run your desktop from and have different apps in their own account but accessible from the master account. You open Netscape which has only "netscape" privileges, read your email and poof a virus attacks. But rather than raping your computer or your $home dir, it can only ravage your "netscape" account. What would be so hard about implementing something like that? We'd need that kind of accessibility and security if Linux is ever to succeed in the desktop market (if that's indeed what we want Linux to do). Maybe I'll start hacking some code and see what I come up with - but I'm sure there are a lot of more qualified programmers out there that can do better...

  129. This is orders of magnitude worse by Anonymous Coward · · Score: 0

    Since when do we have a security hole in linux that compromised the system with the simple act of clicking a message? The problem with Microsoft is that their software is orders of magnitude less secure than any other OS on the face of earth.
    What's next? Sneezing on your computer will infect it?

  130. rejecting senders by copito · · Score: 2

    If you spam filter first and then send all the suspected spammers instructions on resending, your false positives go way down. Procmail is a good way to go in a unix environment, since there are a number of kill files floating around that do a good job of spam filtering. If you're interested, email me and I'll send you mine (the email address above is legit, incidentally I get very little spam that I can trace to slashdot postings, go figure).
    --

    --
    "L'IT c'est moi!"
  131. Re:Here's an email virus that gets past IE4 securi by Anonymous Coward · · Score: 0

    I think you want "format c: /y"

  132. MS Outlookism by Anonymous Coward · · Score: 0

    "Historically, as long as you don't open e-mail attachments you're safe from virus infection, but this changes all that,'' said Sal Viveros, a marketing manager at Network Associates. ''We've finally come to the point where if you're using e-mail, specifically (Microsoft Corp.'s) Outlook, you need to have some sort of virus protection or you shouldn't read e-mail."
    precisely becoz microsoft creates software that fucking lets them.. why should consumers always suffer for their buggy "commercial" programs? i bet microsoft doesn't have ISO 9001 certification. they do? aw shucks. mebbe they should just have 3 to 5 yrs of beta testing before releasing it.

  133. Ah.... another beautiful day to own a Mac. by Electric+Eye · · Score: 1

    Once again, I smile because I don't have this festering sore of Windoze on my desktop. unfortunately, half my fuqking networkin Win98/95. So guess who now has to waste some time this week updating the DAT files....AGAIN? Thanks, Bill, for continuing to release crap that is less secure than a broken window (no pun intended.).

  134. MS should create a Virus Scanner by Anonymous Coward · · Score: 0

    maybe MS should create a virus scanner which is a BUGS SCANNER in disguise.. there's too many of them..

  135. Is a Gnome Registry a good thing then? by Tokyo+Joe · · Score: 1

    I read on the Gnome site that they are working on (maybe finished now) a Registry for Gnome.

    Do Gnome users need this? Will it open us up to the same problems windows has? Will our software just fail to work after installing other software, and will Linux then develop Gnome Worms?

    Imagine the evil, an e-mail that changes the Lilo default to boot windoze!

    --
    Tokyo Joe
  136. even the patch doesn't fix it by Anonymous Coward · · Score: 0
    If you download the patch it still leaves the settings up - even on the Restricted Zones.

    http://kimihia.cjb.net/articl-asso rt-cookie.html

    1. Re:even the patch doesn't fix it by PenguiN42 · · Score: 1

      If you download the patch it still leaves the settings up - even on the Restricted Zones.

      That's because you have to *run* the patch :)

      Ok, joking aside, what do you mean "leaves the settings up"? What the patch does is mark two built-in functions, which the exploit uses, "unsafe for scripting" (they were mistakenly marked "safe for scripting" before). When they're marked unsafe, the script that runs this virus will no longer work.

      Since the virus in question hasn't yet been found "in the wild" I don't see how you can verify whether the patch works or not.

      -------------
      The following sentence is true.

      --
      The following sentence is true. The preceding sentence was false.
  137. not that close to first post!!!! by metawronka · · Score: 0

    not that close to first post!!!!

  138. linux email virus against frm and mailx :) by cdlu · · Score: 2

    put escape characters in subject lines, its neither a virus nor a worm but it is a pain. :)

    ^[[2J^[1;1H^[[30m^[[40m^[12;7] should be a good sequence to scare someone. :) Put that sequence in a text file at linux console and cat it. Now present that to a newbie. Result: ahh! what happened to my computer? Answer: nothing. But it looks like something did. :)

    1. Re:linux email virus against frm and mailx :) by cdlu · · Score: 1

      ^[[2J^[[1;1H^[[30m^[[40m^[[12;7]^[[10;1800]^[[11;1 800]^G^G^G
      rather :)
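
What a header lister can do about the subject-line trick in this sub-thread, as an added example (not code from the posts, nor from frm or mailx): decode the header first, remove complete escape sequences, and print any remaining control character in caret notation so it cannot reach the terminal. The function names are hypothetical, the header is assumed to be already unfolded, and the sample subjects are constructed from the sequence quoted above with `^[` written as ESC and `^G` as BEL.

```python
import re
from email.errors import HeaderParseError
from email.header import decode_header, make_header

# Complete escape sequences are removed whole, so their parameters do not
# survive as stray text in the listing.
_ESCAPE_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"               # CSI: ESC [ params final byte
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"    # OSC: ESC ] ... BEL or ESC \
    r"|\x1b[ -/]*[0-~]"                      # other ESC sequences, e.g. ESC c
)
# C0 controls, DEL and the 8-bit C1 range (U+009B is an 8-bit CSI).
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def _visible(ch):
    """Render one control character as harmless printable text."""
    code = ord(ch)
    if code < 0x20:
        return "^" + chr(code + 0x40)     # BEL -> ^G, ESC -> ^[
    if code == 0x7F:
        return "^?"
    return f"<U+{code:04X}>"


def decode_rfc2047(raw):
    """Decode =?charset?q?...?= words; control bytes can hide inside them."""
    if "=?" not in raw:
        return raw
    try:
        return str(make_header(decode_header(raw)))
    except (HeaderParseError, LookupError, UnicodeError):
        return raw                        # undecodable: sanitize the raw text


def display_subject(raw):
    """Return a version of the subject that is safe to write to a terminal."""
    text = decode_rfc2047(raw)
    text = _ESCAPE_SEQ.sub("", text)
    # Second pass is the real guarantee: removing one sequence can splice a
    # new one together, but no ESC or other control byte survives this step.
    return _CONTROL.sub(lambda m: _visible(m.group()), text)


# Constructed samples.
SAMPLE_RAW = (
    "\x1b[2J\x1b[1;1H\x1b[30m\x1b[40m\x1b[12;7]"
    "\x1b[10;1800]\x1b[11;1800]\x07\x07\x07Meeting at 10"
)
SAMPLE_ENCODED = "=?utf-8?q?=1B[2JInvoice?="   # ESC hidden in an encoded word

if __name__ == "__main__":
    for subject in (SAMPLE_RAW, SAMPLE_ENCODED, "tail\x1b"):
        print(display_subject(subject))
```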

  139. Another NT server bites the dust! by Anonymous Coward · · Score: 0

    "Server Too Busy" Slashdot effect is comical at times...

  140. No one needs to hold your hand. by Anonymous Coward · · Score: 0
    All you need to do is remember that you must NOT trust *anything* that someone sends to you -- whether by email or due to an HTTP request you make.

    I don't need anyone to escort me around the web. I don't let anyone run *anything* on my box unless there's a good reason and I have cause to trust the server/person sending it to me.

  141. Oddly enough by Chris+Johnson · · Score: 2

    ...you can get one of those for the Mac, too. It's called 'Eudora Light', doesn't even cost anything, and the settings dialogs (especially with the Esoteric Settings component) are the apex of lightly GUIed geekiness :) you can specify down to the pixel where new messages will open on the screen- who knew you could do this sort of thing on anything but Unix?

  142. To me it makes him sound like a little kid by Chris+Johnson · · Score: 1

    *shrug* dunno why anybody would _want_ to sound like a little kid, but whatever :)

  143. Email is *WORDS* by Chris+Johnson · · Score: 2

    I totally contest the notion that feature rich email is here to stay. Email is _WORDS_. There's no justification for damaging the ability for people to openly communicate just to add stuff that can more sensibly be done in another medium.
    Email should be like the telephone- no matter how unpleasant somebody's words may be, they cannot cause your hard disk to erase itself. A telemarketer can try to get you to buy maple syrup, but cannot start pumping 10,000 gallons of maple syrup through the phone in case you want it. Email (and news, which is another story) _must_ be as safe and reasonable as the telephone. Having email be progressively less safe than the telephone is an incredibly bad precedent.
    I remember when the Good Times email virus was a complete hoax, and nothing of the sort was possible. Many of you will be able to say the same- "Grandpa, tell us about when people could read email without danger!". As I see it, there is exactly _one_ vendor that has consistently, one could even say maliciously, obliterated this safety and put maybe 50% of the world (actual users of this new software) at risk. I welcome correction suggesting that Netscape HTML email is also to blame, but am not aware of any exploits remotely comparable to this new nightmare.
    Forget the future, just for a second, and let's seriously consider how to progress without obliterating the benefits we used to have (that some of us still have, so far). What is so shocking about the idea of having certain basic technologies such as text email and text news remain utterly text? If you want features so badly, have the text scroll across a tickertape as the email comes in, or have it etched in neon letters on the desktop- but the written word is too important to throw away in the mad rush to meaningless features and bizarre activities done by the content in the name of improvements.

    1. Re:Email is *WORDS* by ToLu+the+Happy+Furby · · Score: 2

      I totally contest the notion that feature rich email is here to stay. Email is _WORDS_. There's no justification for damaging the ability for people to openly communicate just to add stuff that can more sensibly be done in another medium.

      Telegraphs are just words, too. People don't use them too much anymore because new technologies have come along that have allowed people to communicate more effectively. May it be the same for email.

      No, not even that. It *will* be the same for email, whether old fuddy-duddies like you like it or not. Plain text email was an incredible technology when it was invented 30 something years ago. It's still incredibly useful today, but it makes use of almost none of the enormous technological advances computers have undergone since email was invented, and I think there's little doubt that it could be even more useful if it *did* make use of those advances.

      Now, I'm thinking that a large part of our disagreement may lie in definitions of terms more than anything else. You admit that feature-rich/interactive communication can sensibly be done, just "in another medium". Essentially, I'm not so sure what the distinction is. Now, whether we call an interactive draft of a document written in a Java-enabled markup language (or some such thing)--along with, say, an embedded video of yourself explaining the feedback you're seeking--that's delivered to a friend or coworker's computer over the internet "an email" or "a whatchamabob" doesn't seem to make too much difference to me. The point is, that (and other, better examples; I'm not being too creative today) is where we're headed, and that's a damn good thing.

      Whether the current email infrastructure is the right way to handle communications that are slowly evolving towards that end is another question, but, I think you'll agree, one that doesn't impact our discussion from an end-user perspective very much.

      Email should be like the telephone- no matter how unpleasant somebody's words may be, they cannot cause your hard disk to erase itself. A telemarketer can try to get you to buy maple syrup, but cannot start pumping 10,000 gallons of maple syrup through the phone in case you want it.

      Yes, interactive content carries with it greater responsibilities to protect privacy and security. But, while these new responsibilities may create growing pains while the technology is still new (eg. this virus), they are nearly always solved, and the end result is for the betterment of society. Take your telephone analogy, for example: compared to the telegraph, the telephone was considerably more invasive of one's privacy: telemarketers can call during dinner, for example. However, that just led to solutions, like caller ID, or answering machines so that you can screen your calls. The end result is, of course, that no one in their right mind would dispute that the advantages offered by the telephone weren't worth the potential loss of privacy.

      Or, take your teleporting telephone analogy. Now I, for one, would *love* to have a phone that could spit out 10,000 gallons of maple syrup (well, assuming it could also spit out other stuff). Think how awesome and useful that would be! It'd be like Star Trek or something. No half-hour wait when you order pizza! Now, of course, I'd want some security mechanism to ensure that I wouldn't receive anything without my permission...but that doesn't mean we shouldn't try to invent teleporting technology, or that it isn't an overall good.

      Same thing with feature-rich email. Or, if you wish, "feature-rich person-to-person electronic communication". The thing is, different versions of that are getting implemented today, mainly on corporate intranets, and also with applications like telemedicine, etc. And, once the internet as a whole has the bandwidth to support this sort of stuff, I think there's very little doubt that everyone will use it in some form, and that it will make our lives more convenient, however slightly.

      Hitting a few bumps along the way is to be expected--especially when MS is the one driving. But it's no reason to stick with outdated technology.

      -Dave

      Oh, and as for Netscape HTML email being immune, you are indeed wrong. If you recall, about a year and a half ago there was a spate of Javascript email exploits that were uncovered. Now, unlike this bug, they required the user to click on a link in an HTML email...but IIRC, Netscape's email reader fell prey to even *more* of them than did Outlook (although they were both awfully terrible. Eudora was considerably better, although it had its share as well).

    2. Re:Email is *WORDS* by Black Parrot · · Score: 2

      > Email is _WORDS_.

      I must respectfully disagree (to quote someone I'm not in the habit of quoting).

      The ordinary way of saying what you said on /. is: "Email is words." Embedded HTML is very useful in /. posts, and it would be similarly useful in e-mail. The only reason I don't use it is that all my interlocutors use pine.

      I do agree, however, with a general concept that Just because we can implement something means we should implement it, which seems to be one of several diseases raging at Microsoft and among various other sets of developers right now.

      I would like to see an ANSI/ISO standard for an e-mail format that would let me do lots of HTML-like stuff (and a lot of trans-HTML stuff too, such as mathematical formulae), but also had an eye out for security and specifically barred extensions that were not part of the spec, such as unsandboxed executables and whatever other bad ideas someone comes up with next.

      --
      It's October 6th. Where's W2K? Over the horizon again, eh?

      --
      Sheesh, evil *and* a jerk. -- Jade
  144. FIX FOR OUTLOOK by CrAlt · · Score: 1

    Here is a workaround for EE. I'm sure MS will be posting this on their site soon.

    Whenever you get an Email do this:
    1) DELETE THE EMAIL right away. Don't even preview it. Yes just reading an Email can fsck up your system.
    or
    2) TURN OFF YOUR PC and wait until MS puts out a fix in service pack 345.5 (You will be able to download this 1.4G patch from microsoft.com or buy the low priced CD for only $99.99(US)).

    --
    I have to return some videotapes...
  145. a hundred years from now... by / · · Score: 1

    A hundred years from now, some mathematician will find Black Parrot's comment, fail to figure out the answer, and name this conundrum "Black Parrot's Last Theorem". Mark my word.

    --
    "If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
  146. Re:I disagree. by Anonymous Coward · · Score: 0

    I say Tru64

  147. Trojan BSOD? by overshoot · · Score: 2

    Someone explain (please!) why a Trojan payload couldn't just throw up a fake BSOD, fake reboot, and fake login screen? "Active content" of all kinds is supposed to do that kind of screen manipulation, right? The main exploit is that people take sudden BSOD for granted.

    --
    Lacking <sarcasm> tags, /. substitutes moderation as "Troll."
  148. Re:Don't let one hand know what the other is doing by deadangel · · Score: 1

    just for informational purposes eudora uses the ie engine and is not operable without it (eudora for windows 98). if you put that into place then you have only your netscape. but many clients do their own html rendering. and activex is so unused it's not even funny. ms uses it and that's about it. funny how they keep a spec that is basically defunct around.

    activex = security > /dev/null

    --
    dead angel
    i am strange people. -me

    spreading linux lovin' since 1998!
  149. Re:You speak with unknown toungue. by MattyT · · Score: 1

    For the record, I've never sent a HTML mail. But that doesn't mean it isn't a good idea.

    Standards progress. HTML mail should be the new standard. It's very simple.

    What is holding up HTML mail are (1) the original styling problems I mentioned, (2) people still using recalcitrant mailers that don't support it yet ( possibly because of (1) ) and (3) the lack of any way to do content negotiation on email accounts and newsgroups.

    Seriously, if you want to only support HTML 1 for web pages, GIFs for images and ASCII for email, that's your choice, but you're not going to stop progress.

  150. THIS EXPLOIT WAS FIXED IN AUGUST FOLKS!!!! by Anonymous Coward · · Score: 0

    This is a new exploit on an old problem that MS patched back in August. Go to Windows Update and apply the "scriptlet.typelib/Eyedog" Patch, problem solved. Stupid media, I wish people would do their research instead of creating unnecessary hysteria. As for Slashdot, well any excuse to bash MS.

    1. Re:THIS EXPLOIT WAS FIXED IN AUGUST FOLKS!!!! by BitS · · Score: 1

      What about the exploits currently in NT that have been there for more than a year? You can search the knowledge base and find reports of most fixes 6 months to a year before they were fixed... don't act like microsoft actually cares.

      --
      http://www.schizo.com/
  151. Or DL the patch that was available in August... by Anonymous Coward · · Score: 0

    MS fixed this problem months ago. New exploit, old bug. Go here for the fix.

  152. Please run: (NumberOfReasonsToRunOS/2)++ by Anonymous Coward · · Score: 0

    This is yet another reason to run IBM OS/2 Warp. Big banks do. So be smart!

  153. Why that wouldn't work for me by ToastyKen · · Score: 1

    If I ever get a msg that is Bcc'd to me (which isn't as unoften as one might think), I wouldn't see it for a while. (Unless I check my spam box every day.. in which case I might as well just get the spam.)

    Also, interestingly enough, most of the spam I get at my primary address actually have my email address in the headers...

  154. Space, space, space... by Bryan+Andersen · · Score: 1

    *sigh*

    I just checked, my email archive is about 4x my netscrape code size. I need to prune...

  155. Re:Don't let one hand know what the other is doing by WowTIP · · Score: 1

    I did not know that. But on the other hand, I use eudora 3.0, so I need not worry anyway. ;)

    --

    "I'm surfin the dead zone
    In the twilight, unknown"
  156. Re:fork bombs by loki7 · · Score: 2

    I can beat it by one character:

    main(){main(fork());}

    (I found several ways to tie yours, but this was the only one that could beat it.)

    main(){fork();fork();}
    main(){fork();main();}
    main(){for(;;)fork();}
    main(){while(fork());}

    /peter

  157. Re:fork bombs by Skim123 · · Score: 1
    main(){while(fork());}

    Don't think the above will work, exactly. At least not create a fork bomb. fork() returns two different values - the parent receives the process ID of the child, the child receives 0. So, what will happen here? The parent will call fork(), a child process will be created. The child will have fork() return 0, so the while loop will terminate. The parent will infinitely keep creating children, but the children will keep killing themselves. Fraid you got an infinite loop there, not a fork bomb.

    Also am wondering about the first one:
    main(){fork();fork();}

    In fact, enter that, compile it, run it, and your program will terminate. :) A total of three children processes will be created, but only one of the three will create another child process, and it will only create one child process at that, which will not create its own child process.

    Your other two, however, look valid.

    Happy Programming! :)

    --

    I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.
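
    The fork() return-value behaviour discussed in the comment above, as an added example that is not part of the original thread: it runs `fork();fork();` and a bounded version of the `while(fork());` loop inside an isolated child and counts the resulting processes through a pipe. The helper names and the `rounds` bound are assumptions made so that the program always terminates.

```c
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork an isolated wrapper, run one of the thread's patterns inside it, and
 * count the tag bytes that the resulting processes write to a pipe. */
static int run(int pattern, int rounds, char want)
{
    int fds[2], n = 0;
    char c;
    if (pipe(fds) != 0) return -1;
    pid_t wrapper = fork();
    if (wrapper < 0) return -1;
    if (wrapper == 0) {
        close(fds[0]);
        c = 'p';
        if (pattern == 0) {            /* main(){fork();fork();} */
            fork();
            fork();
        } else {                       /* while(fork()); capped at `rounds` */
            pid_t p = 1;
            for (int i = 0; i < rounds && (p = fork()) > 0; i++) {}
            if (p == 0) c = 'c';       /* fork() returned 0: this is a child */
        }
        /* _exit: every process reports once and never returns to the caller */
        _exit(write(fds[1], &c, 1) == 1 ? 0 : 1);
    }
    close(fds[1]);
    while (read(fds[0], &c, 1) == 1)   /* EOF once every writer has exited */
        if (want == 0 || c == want) n++;
    close(fds[0]);
    waitpid(wrapper, NULL, 0);
    return n;
}

/* Total processes alive after two sequential fork() calls. */
int processes_after_two_forks(void) { return run(0, 0, 0); }

/* Children produced by `rounds` iterations; each child leaves the loop at once. */
int children_from_bounded_loop(int rounds) { return run(1, rounds, 'c'); }

int main(void)
{
    printf("fork();fork(); -> %d processes\n", processes_after_two_forks());
    printf("5 rounds of while(fork()) -> %d children\n", children_from_bounded_loop(5));
    return 0;
}
```

    The loop's child count grows one per iteration because each child sees a return value of 0 and stops looping, while only the parent keeps calling fork().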

  158. Re:fork bombs by loki7 · · Score: 1

    Oops, you're right. The short one's still valid though. That's the one I was most proud of :)

    /peter

    main(){main(fork());}

  159. HTML Ping - Possible with PHP? by janic · · Score: 1

    Ok, So I'm going for the offtopic moderation, but hey.

    Netscape's client did it first, or at least that's the first place I've run into it. It was a response to MS's "Rich Text" option in (what was then) the Exchange Client which allowed such things as bold, italics and colours.

    On the bright side, at least Netscape had the decency to implement this feature using some kind of standard.

    AND...

    At least Netscape is relatively well sandboxed.

    John.

  160. Wrong! by Anonymous Coward · · Score: 0

    If you're using Windows 98 or 2k, or have the Windows Scripting Host installed on any flavor of 95, then you're vulnerable using any mail client that can read HTML. That includes Eudora.