
New Virus Can Strike Via HTML E-Mail

Roblimo posted more than 14 years ago | from the submitted-over-and-over dept.

The Internet 334

cmeans and lots and lots of others have pointed us to this MSNBC article about yet another e-mail virus. Quote from the story: "The virus can only run if Internet Explorer 5.0 with Windows Scripting Host is installed (standard in Windows 98 and Windows 2000 installations). If security settings for Internet Zone in IE5 are set to High, the worm will not be executed. It does not run on Windows NT." ZDNet also has a story about this "Bubbleboy" virus. Update: McAfee weighs in too. (Thanks, Jade.) Consider yourself warned.


334 comments


Gloat (1)

antizeus (47491) | more than 14 years ago | (#1547377)

Insert lots of gloating about not running MS software here.

Outlook Express Settings (2)

BlakeCoverett (102826) | more than 14 years ago | (#1547378)

Two obvious fixes, disabling scripting in the 'Internet Zone' for IE, and setting Outlook Express to use the 'Restricted Zone' for all content to start with. Anyone using those products should probably be doing both to start with.

-Blake

warned? (0)

Anonymous Coward | more than 14 years ago | (#1547379)

i'll consider myself immune, thanx ;)

Micro$haft security (1)

lubricated (49106) | more than 14 years ago | (#1547380)

Ok this one isn't even that bad (for micro$haft). It won't run on NT, and your security settings can't be on high.

Isn't there something like this going on constantly on windows machines? A new email, virus, thingy every week. Why is this even here? Most /.ers run linux don't they.

Which is worse? Virii or their names? (3)

JoeShmoe (90109) | more than 14 years ago | (#1547381)

You know, whenever I read some really good piece of science fiction, the terror is never caused by something called BubbleBoy...or Melissa, or Good Times, or any of these other stupid names.

At this rate, when some genetic mutagen is released that destroys all of mankind, it'll probably be called the Pokemon virus.

[/tongue in cheek]

- JoeShmoe

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -=-=-=-=-=-=-=-

Re:Gloat (2)

howardjp (5458) | more than 14 years ago | (#1547382)

It is not about not running MS software. Any OS is going to be attackable. It is because UNIX users tend to know more about how their computers work and how to secure them. They also know what is a risky behaviour and avoid or only walk into it with extreme caution.

Even a well-maintained Windows system is not going to be attacked by a virus very easily. I have been running Microsoft software for going on 15 years now and have never had a problem. This is because I take good care and I know how things work. If Windows users were educated about how to properly manage a system, there would be few successful attacks.

oh boy (0)

bendawg (72695) | more than 14 years ago | (#1547383)

Just another one of those "features" that make Internet Explorer so much better than Netscape...No wonder it's winning the browser war.

one word (1)

lubricated (49106) | more than 14 years ago | (#1547384)

pine

A security flaw in Microsoft software????? (3)

ywwg (20925) | more than 14 years ago | (#1547385)

"In fact, it's unclear exactly how users of HTML-enabled e-mail readers can protect themselves from such viruses."

Um, how about ASKING the user if they REALLY want to send all of those emails??? Web pages can't do any real damage by themselves (except by replicating), unless of course they use java to do something nasty.

Of course this begs the question, who _needs_ html email? I mean, do you actually spend hours designing a page to send to someone? HTML emails are big downloads and irritating. Email readers should only look at basic tags (a la slashdot), and not "embed" tags.

Oh, I'm sorry, the users _requested_ that feature bloat for IE 5.0! How silly of me!
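The "basic tags only" idea from the comment above, as an added example (not part of the original comment and not code from any mail client): an allowlist filter for untrusted HTML mail built on Python's standard `html.parser`. The tag and attribute allowlists, the function names and the sample message are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: simple formatting only.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br",
                "ul", "ol", "li", "blockquote", "tt"}
VOID_TAGS = {"br"}
# Elements whose content must vanish too, not just the tags themselves.
# An unclosed one swallows the rest of the message (fails closed).
DROP_WITH_CONTENT = {"script", "style", "object", "applet", "iframe"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", "mailto"}


def clean_url(value):
    """Return the URL if its scheme is allowlisted, else None."""
    # Drop whitespace/control characters that some renderers ignore in schemes.
    cleaned = "".join(ch for ch in value if ch > " ")
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:
        return None
    return cleaned if scheme in SAFE_SCHEMES else None


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output fragments
        self.removed = []      # what was stripped, for logging
        self._drop_depth = 0   # >0 while inside a dropped element
        self._open = []        # allowlisted tags currently open

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._drop_depth += 1
            self.removed.append(tag)
            return
        if self._drop_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.removed.append(tag)   # tag dropped, its text is kept
            return
        kept = []
        for name, value in attrs:
            url = clean_url(value) if value else None
            if name in ALLOWED_ATTRS.get(tag, ()) and url:
                kept.append(f' {name}="{escape(url, quote=True)}"')
            else:
                self.removed.append(f"{tag}@{name}")  # e.g. event handlers
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            if self._drop_depth:
                self._drop_depth -= 1
            return
        if self._drop_depth or tag in VOID_TAGS:
            return
        # Only close tags we actually opened, closing inner ones first.
        if tag in self._open:
            while self._open:
                top = self._open.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))


def sanitize_mail_html(html):
    """Return (clean_html, removed) for an untrusted HTML message body."""
    parser = MailSanitizer()
    parser.feed(html)
    parser.close()
    # Close anything the sender left open so markup cannot leak into the UI.
    while parser._open:
        parser.out.append(f"</{parser._open.pop()}>")
    return "".join(parser.out), parser.removed


# Constructed sample body, not taken from any real worm.
SAMPLE = (
    '<p onmouseover="run()">Hello <b>there</b></p>'
    '<script language="VBScript">MsgBox "hi"</script>'
    '<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>'
    '<a href="javascript:void(0)">click</a> '
    '<a href="http://example.invalid/">site</a><br>'
)

if __name__ == "__main__":
    clean, removed = sanitize_mail_html(SAMPLE)
    print(clean)
    print("removed:", removed)
```

Comments and anything not on the allowlist are dropped rather than escaped, so script, embedded objects and event-handler attributes never reach the renderer.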

Re:Outlook Express Settings (2)

Black Parrot (19622) | more than 14 years ago | (#1547386)

> Two obvious fixes,

You neglect to mention a third, which will immediately occur to most /.ers. (It's so simple I could write it in the margin, if only this input box had a margin.)

--
It's October 6th. Where's W2K? Over the horizon again, eh?

Re:one word (0)

Anonymous Coward | more than 14 years ago | (#1547387)

Except for all those buffer overflow bugs that made it possible to run arbitrary code on a victim's machine if he was using Pine, of course.

pine (0)

Anonymous Coward | more than 14 years ago | (#1547388)

I never see problems like this with my email client of choice, pine [washington.edu] .

And yes, pine does read HTML email.

(Pine Is Not Elm!)

Re:Gloat (1)

bartyboy (99076) | more than 14 years ago | (#1547389)

Werd.

I don't run anything that I haven't compiled, or any binary that came from a reputable source/mirror. And because I use Linux, if another user on this system decides to compile and run crap they don't understand, they're the only ones affected.

Maybe it's a practice left over from the good old days of MS-DOS and the virus paranoia associated with it.

Bart.

Active content in emails. (3)

FauxPasIII (75900) | more than 14 years ago | (#1547390)

I'm increasingly worried about the ability to send active content in emails... above and beyond people who blindly execute attached files (user stupidity), it's getting to the point where just READING email can actually spread a virus. Remember the big scare when people realized that Eudora would open up Java applets without asking permission? I always wondered how netscape mail or Eudora would handle Meta refresh tags...

Anyway, I avoid the whole thing by sticking to good old-fashioned ASCII-mail. Now if only all my co-workers could do the same... *sigh*

on NT... (1)

Barbarian (9467) | more than 14 years ago | (#1547391)

From what I read on Microsoft's advisory on this bug [microsoft.com] , the same bug exists in NT.

I guess that Bubbleboy isn't exploiting it for NT, though.

NAI's page on Bubbleboy is here [nai.com] .

I read a news story which said that the author emailed the worm to Antivirus companies. So I guess that it was more of a demonstration of a serious problem than something malicious.


It comes back to Micro$oft's incompetence... (2)

Xenex (97062) | more than 14 years ago | (#1547392)

This is what we get from Micro$oft's "innovations".....

----------
The virus can only run if Internet Explorer 5.0 with Windows Scripting Host is installed (standard in Windows 98 and Windows 2000 installations).

This is one of those "advantages" M$ talk about in the anti-trust case. Because the OS already comes with a browser, security flaws such as this are built in!
----------

If security settings for Internet Zone in IE5 are set to High, the worm will not be executed.

And IE 4/5 default to medium setting. Wonderful work, Micro$oft! You really know your stuff....
----------

The virus actually takes advantage of a security flaw in Microsoft's ActiveX technology that was discovered in August.

August?!? AUGUST! Why the hell wasn't a patch to repair the error released in August then? When a monopoly has no competition, they have no motivation to repair errors until they become huge issues for their software....
----------

This is what we get with M$ winning the "browser wars", software with security holes that don't get fixed until they are a real risk. Fortunately, most sane PC don't use IE, and don't have to worry about ActiveX flaws. However this is one more reason why M$ should not be ruler of the browsers...

err (1)

toaster13 (36774) | more than 14 years ago | (#1547393)

gee IE5 with a bug??!! how could that be? anywayz, this is just another reason that netscape/linux rules

Re:A security flaw in Microsoft software????? (1)

SPorter (83284) | more than 14 years ago | (#1547394)

You are so right!

I don't know who came up with that, MS or Netscape... either way, it is stupid. Next thing you know we'll have HTML ping.

At least this evil genius is anti-MS (2)

gad_zuki! (70830) | more than 14 years ago | (#1547395)

Bah, Bubbleboy isn't a Seinfeld episode, it's the AUTHOR. What would you do sealed up all day but write malicious virii?

Re:Micro$haft security (2)

Anomie-ous Cow-ard (18944) | more than 14 years ago | (#1547396)

Why is this even here? Most /.ers run linux don't they.

Several reasons. For one, it's "News for Nerds. Stuff that matters." Hard as it may be to believe, some /.ers actually do use windoze. Others use *BSD, or other operating systems. Maybe Linux is the majority, maybe not (still almost certainly the major minority then).

Even for those of us who don't use Windows, we all know people who do. Coworkers, friends, family, lusers on our systems. If we know about this potential problem with windows, perhaps we can help them avoid falling for it, or at least be quicker on cleaning up afterwards...

i'd guess that most of us are the curious sort, who'll learn something interesting (New email worm? How's it work, what does it affect, and what could be done to stop it?) even if it has no practical application in our lives. Why else do we so love nanotech, quantum computing, good fiction, and all the other things posted on /.?

And finally, don't neglect the gloat factor ;)

-----

Not again (2)

EvlG (24576) | more than 14 years ago | (#1547397)

I was hoping that Melissa would make companies wake up and rethink the "lets move everything to Outlook/Exchange/IE" philosophy. Apparently IT people forget quickly...

Now we have time and time again exploits against IE due to its extreme integration with Windows and such. How long until one of these gets really nasty? How long until someone gets bitten a little too hard, and then they want to bite back?

WSH (1)

Foogle (35117) | more than 14 years ago | (#1547398)

I know this is Windows tech, but it's ontopic so I just thought I'd say it:

What's a real shame is that, in the world of Windows, the Windows Scripting Host has never really taken off. I mean, it's been around since the introduction of Memphis... Before WSH, any automated scripting had to be done through batch files. Batch files were nice in DOS, but they didn't have a world of flexibility under Windows, and they couldn't interact with the rest of the GUI. WSH fixed all that, and I don't think many windows programmers took advantage of it.

Oh well - Now it's a security issue and will get a bum rap because of it. It's a real waste...

-----------

"You can't shake the Devil's hand and say you're only kidding."

Re:Gloat (1)

rmull (26174) | more than 14 years ago | (#1547399)

Any OS is going to be attackable? That is simply not true. The problem is a bug in Microsoft's scripting code. This bug is not present in other email clients. Therefore, it will not affect other operating systems.

Why is this called a virus? (1)

alannon (54117) | more than 14 years ago | (#1547400)

To me, this seems more like a plain-old security exploit, no different than the dozen or so major security flaws in IE and Navigator found in the last 3 years or so.

There are thousands of pieces of code out there that exploit security flaws such as buffer overruns right now and most of them are labeled as pieces of code that expose programming flaws in the targeted application/server.

How is this any different and why is it being branded as a 'virus'? It uses a security flaw in Microsoft code to introduce unexpected/unwanted behavior.

I don't see this as furthering the viewpoint of "Well, the day has come when people can catch a virus from reading their email" any more than web servers having buffer overrun problems furthers the viewpoint of "the day has come when people can catch a virus from running a web server". If a piece of software is poorly written, it will be exploited.

Do you think perhaps it is because a good majority of computer users use email, but a very small number run server software susceptible to typical server attacks? Though if you remember the WinNuke exploit exposed in Win95 several years back, that is an example of a security flaw that could attack any Win95 machine attached to the Internet.

Re:pine (1)

jfunk (33224) | more than 14 years ago | (#1547401)

(Pine Is Not Elm!)

IIRC, it's "Pine Is No longer Elm."

At least that was what the Slackware installation said.

virus in unixen? (1)

bendawg (72695) | more than 14 years ago | (#1547402)

---- Warning...Maybe a little offtopic
This brings up a question I was wondering about the other day, and I think that I know the answer.

Is it possible for a virus to execute on a unix machine and do any damage?

I know that the same effect as the "bubbleboy" virus could be achieved by targeting pine users or something, if there were those sorts of weaknesses in pine.

In my opinion, though, a malicious virus, that did things such as deleting files, or whatever would have to have the ability to obtain root privileges, or it basically would only be able to delete or change files that the dummy user had access to in the first place.

I assume this is correct, since I have never seen any Virii targeted towards say an i386 Linux system, or any virus scanners for Linux.

One other fact. (1)

bholmberg (82216) | more than 14 years ago | (#1547403)

There apparently haven't been any known outbreaks according to ZDTV anyway. Now anti-virus companies will really be praised from keeping us safe from everyday things, now there is a full time danger and we must trust "HTML escorters" to surf around the internet. Gee Wiz.

Happily, Emacs Doesn't Suffer from this... (2)

Christopher B. Brown (1267) | more than 14 years ago | (#1547404)

Oops. I set: (setq enable-local-variables t) ... and someone set up a mail message that deleted my home directory tree...

The above is, seriously, the big potential security hole in GNU Emacs. It is documented as such, in the documentation, and users are given suitable warning not to do so...

It seems reasonably likely that the only way to make "executable email" safe is the implementation of some sort of capabilities-based system that can strictly lock down what particular programs are permitted to do. Of course, as we learn more about capabilities, it is also likely that its powers of protection will prove quite finite...

E-Mail viruses (1)

Microlith (54737) | more than 14 years ago | (#1547405)

This is the time where we all check back over our warnings and say "If you use Outlook Express 5, yes, you CAN get a virus just from reading an e-mail."

This shouldn't be true, in fact until now, it hasn't been. But hopefully this "feature" will be "fixed" by Microsoft. Until then, i'll just stick to pine.

Oh, can't this ALSO affect Hotmail or any other web based E-mail, since they ALL use IE to display the formatting?

Official Virus Information and Security Patch (4)

Laven (102436) | more than 14 years ago | (#1547406)

It appears that Symantec has already analyzed this virus. This article [excite.com] mentions that the virus may be protected by an August Microsoft IE5 ActiveX security patch.

Symantec posted this advisory of the VBS.BubbleBoy here
http://www.symantec.com/avcenter/venc/data/vbs.bubbleboy.html [symantec.com] .
It contains details of what the virus does, where it goes into the registry and how to protect yourself.

If you already do not have that security patch from Windows Update [windowsupdate.com] , you can download the patch from
http://www.microsoft.com/security/Bulletins/ms99-032.asp [microsoft.com] .

This is kinda scary... as we have always taught people that you cannot get a virus by reading mail, only opening attachments. I hope this doesn't become a growing trend.

"Freedom to innovate..." (1)

WombatControl (74685) | more than 14 years ago | (#1547407)

You know, now I understand where Microsoft is coming from. Imagine what would happen to the "freedom to innovate" exercised by virus authors and script kiddies if Microsoft were to somehow be made accountable for their lax security? What would bored pre-teens do with their l33t AOL connections? Learn something useful, like programming or writing?

What kind of world would that be, and where do I sign up for it?

Poor ISP support people. (1)

Cacophony (16125) | more than 14 years ago | (#1547408)

I was working tech support for an ISP when "Melissa" hit. I spent all day explaining to people the truth about the virus..."As long as you don't download and run any attachments..." I can just hear them now "But, you said before that I couldn't get a virus by just reading my mail..."

I feel for you support boys, just keep your favorite UserFriendly strip on the screen to keep you from snapping.

-Al-

Fine how-do-you-do (1)

Foogle (35117) | more than 14 years ago | (#1547409)

No, it's not a "feature", it's a real live bug. One that MS has acknowledged, so stop acting all smug about Netscape -- like they never had a security bug...

The fact is, if Netscape supported Windows Scripting Host, it would probably be susceptible to the same flaw. I don't care for MS anymore than the rest of us, but I can't stand baseless garbage.

-----------

"You can't shake the Devil's hand and say you're only kidding."

A simple solution exists, of course (2)

babbage (61057) | more than 14 years ago | (#1547410)

First off, don't use HTML mail. Problem solved. This will mean having to type or cut & paste URLs, but hey -- life's rough.

Now, how do you turn off HTML? Lemme see here, I'll show you...

Hang on, this is the first time I've ever opened up Outlook.

*rummage*

*rummage, rummage*

*dead end*

*thwack!*

Well how about that, the boneheads won't let you turn off mail formatting. Slick guys, good thinking.

Well I'm sorry folks, it looks like you're going to have to switch to a more sensible mail client. Try Eudora or Pine, both of which have Windows ports, or Mutt or Elm or something if they're available (not sure if they exist on Windows -- don't see why not but don't really want to bother verifying that at the moment).

It's funny how a scare like this comes along every few weeks ...and I find myself completely immune to it. "The Humdinger virus abuses your Outlook addressbook, eh? How tragic. Good thing I don't have one nor ever will. Keep safe though, try not to accept any infected mails there, pal!". heh heh

In the immortal words of the venerable Montgomery Burns, "Look at all these idiots!" Hahahaha



True, but still... (1)

howardjp (5458) | more than 14 years ago | (#1547411)

There is an implicit assumption that there will never be a virus for the first poster's OS and that simply isn't true.

Re:virus in unixen? (1)

howardjp (5458) | more than 14 years ago | (#1547412)

There have been a couple that targeted i386 Linux. The only one I remember details of someway or another attached itself to DOOM, but I do not know how.

Re:Why is this called a virus? (1)

Laven (102436) | more than 14 years ago | (#1547413)

I believe it is classified as a virus, or more specifically a worm, because it replicates and spreads through a network. That's the normal definition of a worm.

Yes, I do agree it is exploiting a security flaw... but in this case it is exploiting a security flaw to create a worm.

Re:It comes back to Micro$oft's incompetence... (1)

Starselbrg (45165) | more than 14 years ago | (#1547414)

Alright, Xenex, you have some good thoughts, but tone it down a little. Lay off the exclamation point for every sentence. Stop using all caps for words, and using the $ in Microsoft is really just getting old.

Please keep slashdot a nice place by posting your ideas (which were good) in a clear (started good), sane (not so good), and non-hostile manner. Everyone will love you for it, and you'll get better Karma guaranteed.

Re:Outlook Express Settings (0)

Anonymous Coward | more than 14 years ago | (#1547415)

the most obvious fix:

format C: /Q

-phuzz

Re:one word::Mutt (1)

javac (21689) | more than 14 years ago | (#1547416)

Mutt,

Barks like a puppy,

Bites like a Dog.

geach

(mutt user)

(mutt is an E-mail client for the Enlightened)

(mutt is a productivity device)

(mutt is the end all be all)

(mutt is truly open)

(mutt is good for chasing of bad cat>'s)

(mutt is man's best friend)

(mutt it does a body good)

YOUR BRAIN IS _small_!! (1)

freddie (2935) | more than 14 years ago | (#1547418)

In my opinion, though, a malicious virus, that did things such as deleting files, or whatever would have to have the ability to obtain root privileges, or it basically would only be able to delete or change files that the dummy user had access to in the first place.

It sure sounds like you're confused boy! Answer me this question: do you need root privileges to create or delete files?

The reason you don't see viruses on linux is not because they need root privileges but because it's a fairly well designed system...

bah (0)

Anonymous Coward | more than 14 years ago | (#1547419)

HTML doesn't belong in email.

I can just see it... (1)

Zule_Boy (45951) | more than 14 years ago | (#1547420)

I just cannot wait to see my Work Email filled by the pointless drone of our Windows NT "Administrator" preaching about Security on windows boxen.

Gee- What a surprise for Microsoft- A buggy insecure product.

IE5 was made for Micro$oft by the devil.

Re:A simple solution exists, of course (1)

Foogle (35117) | more than 14 years ago | (#1547421)

Oh please. It's not like you avoided this virus through some incredible foresight of your own thinking. You just don't use Outlook -- that's fine, but a lot of people do.

And it's a freakin' good client too. I don't care if it's a MS product, if there was a version of Outlook for Linux (that was as good as the Windows one) I would use it in a heartbeat. KMail just isn't cutting it for me, and I really hate using an xterm for my email.

So you happen to be immune to these attacks because you're using software that less than 10% of the consumer desktop market uses. Believe me, Netscape under Linux has its fair share of bugs -- they abound. You may not be susceptible to these attacks, but you're not invulnerable...

-----------

"You can't shake the Devil's hand and say you're only kidding."

This is *not* just another email virus (5)

ToLu the Happy Furby (63586) | more than 14 years ago | (#1547422)

Read the article, folks. This is the email virus.

That is, it runs on its own, without the recipient having to open any attachments. All they have to do is open the email itself (or, in Outlook Express, just point at the email so that it shows up in the preview pane), and they're infected.

This is a big deal.

Melissa made it so that we couldn't just tell our less tech-minded brethren/co-workers, "for the last time, you'll be ok if you just don't open any frickin' attachments from people you don't frickin' know!" This one means we can't even tell them "you'll be ok if you don't open any attachments."

Now, this particular virus (well, technically it's more of a worm) isn't too malicious (except that, like Melissa, it could clog the hell out of mail servers), and mails itself under a goofy subject line so that you can be on the lookout for it. (Of course, I'm not sure what being on the lookout for it would accomplish if you're running Outlook Express, since there's really no way to delete it from your inbox without first selecting it...which is enough to run the virus.)

But it's a proof-of-concept, and a scary one at that. It just changes the name and organization your computer is registered to and forwards itself to your address book, but the point is that it was screwing around with your registry, and it could have done whatever the hell it wanted to.

Now...there is some good news here.

Namely, this is perhaps the first time in history when Microsoft actually had a patch for a new exploit *before it was released to the public*!! Yes, that's right, this email virus works in exactly the same manner as one of those web-page exploits a couple months back, for which MS has had a critical update patch on Windows Update for several weeks now. Essentially what it does is take advantage of some very very stupidly permissioned ActiveX commands that lets an untrusted source save a certain type of file (.HTA) to your Startup directory...thus allowing them to run arbitrary code upon reboot (shouldn't have to wait too long...ok, so that was a cheap shot).

So, the good news is that my Win98 partition was already immune from this exploit, and hopefully so are many other people's. Of course, I can understand people not wanting to be on the bleeding edge of MS's security patches, because running everything MS throws at you can get you burned as well.

As for what I'm sure the mainstream /. response to this will be--i.e., this sort of thing is inevitable with HTML email, why can't everyone just use Pine for email and ftp instead of attachments, and while we're at it let's replace all our PC's with teletypes hooked up to a PDP-11--I'm not so sure. IMO, it's a Good Thing that feature-rich email is here to stay, and in the long run there's not so much reason for email to be any more secure than browsing; if a computer can be compromised through its browser, then that's unacceptable right there.

On the other hand, I have very little doubt that, as we expand into XML and all these other new technologies, short-sighted security permissions are going to bite us (especially those of us that use MS products) in the ass again and again and again, probably with no end in sight until we stop coming up with new features. It's a rather scary trade-off to have to make, and even scarier that 95% of the world has Microsoft making all the decisions for them...
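A defensive check for the mechanism described in the comment above (an .HTA file written into the Startup directory), as an added example that is not part of the original post: walk a profile tree and report script-capable files sitting in any Startup folder. The function names, the extension set beyond `.hta`, and the temporary directory layout are assumptions constructed for illustration.

```python
import os
import shutil
import tempfile

# Only .hta comes from the comment above; extend per local policy.
SUSPECT_EXTENSIONS = frozenset({".hta"})
STARTUP_DIR_NAME = "startup"   # matched case-insensitively


def find_startup_droppers(root, extensions=SUSPECT_EXTENSIONS):
    """Report suspect files located inside any Startup folder under root."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = [part.lower() for part in rel_dir.split(os.sep)]
        if STARTUP_DIR_NAME not in parts:
            continue
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in extensions:
                continue
            full = os.path.join(dirpath, name)
            # Read only the head of the file; enough to spot a script block.
            with open(full, "rb") as handle:
                head = handle.read(65536).lower()
            findings.append({
                "path": os.path.join(rel_dir, name),
                "size": os.path.getsize(full),
                "has_script": b"<script" in head,
            })
    return sorted(findings, key=lambda item: item["path"])


def build_constructed_profile():
    """Create a throwaway directory tree with constructed, inert files."""
    root = tempfile.mkdtemp(prefix="profile_")
    startup = os.path.join(root, "Start Menu", "Programs", "StartUp")
    desktop = os.path.join(root, "Desktop")
    os.makedirs(startup)
    os.makedirs(desktop)
    files = {
        os.path.join(startup, "constructed_sample.HTA"):
            b"<html><SCRIPT language=\"VBScript\">' inert placeholder\n"
            b"</SCRIPT></html>",
        os.path.join(startup, "notes.txt"): b"shopping list",
        os.path.join(desktop, "readme.hta"):
            b"<html>outside Startup, not reported</html>",
    }
    for path, body in files.items():
        with open(path, "wb") as handle:
            handle.write(body)
    return root


if __name__ == "__main__":
    profile = build_constructed_profile()
    try:
        for item in find_startup_droppers(profile):
            print(item)
    finally:
        shutil.rmtree(profile)
```

A hit here is a prompt to inspect the file and confirm the patch mentioned in the thread is installed; removing the file alone does not close the hole that let it be written.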

lol (1)

BobLenon (67838) | more than 14 years ago | (#1547423)

God i love this crap. And people persist using IE/Windoze. And we wonder why they waste soo much time on fixing computers in the business world. Why don't they wake up and smell the coffee. Perhaps they will soon...

MS = Monopoly != Good For You

Read that one, it's funny (1)

Wench (9309) | more than 14 years ago | (#1547424)

A message to a moderator. Ignore me..

A quick rant (1)

Matt-69 (50913) | more than 14 years ago | (#1547426)

I hate virii, or viruses, or whatever and the paranoia that goes along with them. We have reasonably nice computers at school (P2/266, 32mb, etc etc) that run win95 with Netscape 4 and Word 97. One would think the systems would be reasonably fast, but NO!!!! The stupid admins for the network here load not 1, not 2, but 3 virus scanners into memory! (you know, the gay little ones that scan every file that you open) Netscape takes over a minute (yes I timed it) to load on those decent machines. Takes less time to load on my old 486/66 box. Damn it all to hell


PS - HTML is gay for anything except web pages. In point of fact, I don't even like the simple HTML formatting on /., but that's just me

Ignorant Linux Users (0)

Anonymous Coward | more than 14 years ago | (#1547427)

It's one thing to bash an OS. It's another to be racist. Ignorance is not what Linux is about. Don't bring your shit in here.

Outlook 2K Instructions - Step by Step (2)

The_Myth (84113) | more than 14 years ago | (#1547428)

Well how about that, the boneheads won't let you turn off mail formatting. Slick guys, good thinking

Actually it can be done.

Open Outlook
From the menu go to Tools | Options
Click on Mail Format tab in the dialogue box
Change message format to Plain text
Click OK then OK

You should be back at the normal screen - Problem solved

Alice in Cyberspace (1)

Wayfarer (10793) | more than 14 years ago | (#1547429)

Amazing(?) that MS didn't take precautions against this happening. Then again, they've got so many Windows extensions out there, that it's gotta be hard to keep track of the interactions... Seems like they're running as fast as they can just to keep up with the problems.

Then again, some of it is the responsibility (or lack thereof) of the end user. I find it depressing that people will mindlessly follow such simple directives as "Open Me". Even though the subject in this case wasn't quite that direct, it still would seem rather alien in my inbox.

Re:It comes back to Micro$oft's incompetence... (2)

ToLu the Happy Furby (63586) | more than 14 years ago | (#1547430)

August?!? AUGUST! Why the hell wasn't a patch to repair the error released in August then? When a monopoly has no competition, they have no motivation to repair errors until they become huge issues for their software....

Actually, they have released a patch to repair the error. Here's [microsoft.com] the security bulletin detailing the problem; it was last updated on October 12, which I'm pretty sure is the day the patch to fix this problem was considered safe enough to be released for download at the Windows Update site, where it was indeed marked a critical update. (IIRC, they released a beta patch a couple days after the flaw was discovered.)

Now, there's no question that someone at MS was insanely stupid to give untrusted sources permissions to use ActiveX controls that could write to the Startup directory (that's how this sucker works), and you can argue that the fact that it took 6 weeks before their fix was trusted enough to get on Windows Update is pretty shady as well. But it has been fixed by now.

Feature Vs. Bloat (2)

pos (59949) | more than 14 years ago | (#1547431)

A while back (~3 months?) I read an article linked to by /. about bloated apps. The author was stating that users ask for and want bloated software. I see this argument time and time again in the press, newsgroups and so on...

Well, I think the point is really:

Does an app need to be bloated to have features?

Obviously, 90% of the people who read this will exclaim "NO!". So the question remains "why is software bloated?" This is the thing that is addressed in the Programmer's Stone [ftech.net] as well as many books. Everyone on this site should read The UNIX Philosophy [amazon.com] for a discussion of the stages of software development as well as lots of discussion on why unix has developed into what it is. Only in the second growth stage of development does software become bloated. This is due to the addition of all of the requests for more features being implemented. They all are added without thought until the software becomes too big and the app just about breaks. The UNIX Philosophy of code reuse and small applications still allow features to be added. An example would be the ability to pipe information from one app to another to gain more functionality. This same philosophy of code reuse still holds true in today's GUI world and is why I find KDE so interesting.

The problem comes when code has to be churned out on a deadline without planning or thought. This is usually driven by corporations and Marketing/management. Without artificial deadlines Open Source/*n*x apps can stay small and elegant.

They can also be trimmed back and restructured by anyone. As a community it is important to always grow as fast as possible by adding features but to also look back and take out the features that only benefit a small group of users. That part might hurt a little, but is very important to get the software into the 3rd stage of life. So look back through your code and rewrite some stuff every now and then. It makes your code smaller and you will be able to work faster. You get a net gain in the end.

-pos




The truth is more important than the facts.

NEWS:email breakthru! (2)

jajuka (75616) | more than 14 years ago | (#1547432)

NEWSFLASH:
In an amazing technological breakthrough, a horde of new email programs have rendered themselves invulnerable to every conceivable computer virus. By rendering email in plain text, ignoring worthless html formatting instructions and pesky attachments which clog up the internet with unwanted and useless files, these programs, known by such arboreal names as pine and elm, sidestep the entire issue of computer viruses. Stay tuned for more details!

activex (2)

mcc (14761) | more than 14 years ago | (#1547433)

i want to know how microsoft is getting away with this..
msnbc, as i'm sure a lot of other news sources will be doing, are centering really big on the word "VIRUS!" despite the fact the virus isn't the important part at _all_. the important part is that the activex exploit which allowed web pages to install arbitrary code on the person's computer now runs in HTML e-mail. If you accept that, the idea "you could write a virus with this" is so obvious as to be totally irrelevant.

The page kinda implied to anyone who doesn't know what they're talking about that this problem is there because someone "wrote a virus", not because MS shipped a product with bad security.

Meanwhile i want to know why microsoft is getting away with this. Despite the fact that a piece of HTML running an activex (or any other kind of applet or script or anything) that can TOUCH your hard drive, much less install, say, Backorifice (or a program that downloads and installs backorifice..) is to me the most terrifying thing a web browser could do. And yet what kind of attention has this little exploit gotten in the couple of months since it's been found? NOTHING. There was like one article on PCWeek months ago and that was IT.

You can, of course, put activex on high, or even disable it, but that shouldn't be _necessary_. Something like activex that allows something like this SHOULD NOT BE RUNNING BY DEFAULT, since it targets people who don't know enough about their computers to go to the bother of understanding what this "activex" thing that MS put on their computers along with windows is. Let things like this, or the little "feature" that let remote web pages view the contents of your copy/paste clipboard, be turned _off_ until the user needs to use them, not left on until the user finds out they're there? Even if in theory ActiveX had perfect security in every way, i still don't like the idea of a web page touching anything on your hard disk besides your cache. (but then, hell, i'm also an old-timey purist who doesn't think an interpreted language like Javascript should contain things that are reliably able to crash the machine of the person who runs them.. but that's another rant altogether. "while(1)alert('!')"..)

How is MS getting _away_ with this? They should be in HUGE trouble for this whole activex thing; this is the most pathetic/deadly security exploit i think i've ever heard of. Yet they're barely getting any attention for it. WHY is this happening?

Still i think it's awful funny that apparently the _only_ use for ActiveX-- at least, the only time i've ever heard of someone doing anything with ActiveX-- is a security exploit.

-mcc-baka
why web browsers suck: http://home.earthlink.net/~mcclure111/cyberleary.html#discontent

Patched two months ago! (2)

kaphka (50736) | more than 14 years ago | (#1547434)

Win9x [microsoft.com] WinNT [microsoft.com]

Information is here [microsoft.com] .

I really should rant about how hypocritical and ignorant most of the posts here are, but I don't have the energy. How about checking to see whether MS has already fixed the bug, before you complain about the lack of a solution?

Now, if you want to bitch about MSNBC for sensationalizing this, that's another issue entirely...

Too bad it doesn't have a payload (0)

Anonymous Coward | more than 14 years ago | (#1547435)

Perhaps if enough suits lost their PowerPoint, Word and Excel files they'd get pissed off enough about Microsith's apathy towards security to demand it get fixed.

Better yet, virii writers just need to create a ViralBasic virus that only triggers if you have "microsoft.com" in your e-mail address. If you do, then you lose all *.doc, *.ppt, *.htm, *.c, *.h, and *.cpp files followed by writing random garbage to the registry:) If one could figure out a way to make swiss cheese out of the FAT, it would be even better:)

Superiority, gloating (2)

laertes (4218) | more than 14 years ago | (#1547436)

"I think this story was sent down from heaven to give us Linux users a chance to gloat over windows users," is the gist of the few messages posted so far. I don't really think we should have that attitude at all. We need to understand that there are [l]users out there who think HTML email is really neat, the same way I think that the new kernel debugging features are cool. We have to understand that our tastes in all things computers are not absolute. So Microsoft f***ed it up yet again; all companies do it. One of the reasons linux has been so secure and powerful is the foundation for its design: UNIX. Windows is much younger than UNIX. And anyway, UNIX had its virus/security problems a (not so)long time ago. The Worm anyone?

All computer systems have security holes. Complex ones more so. If you want some more rhetoric on why security is never perfect, read Bruce Schneier's interview here.

I think Microsoft was rash in releasing software with this little hole in it, but it doesn't mean that we're better than users of HTML email. Besides, all of Microsoft's really good OS people are on NT(Win2000) which doesn't have this particular problem. Microsoft doesn't really take the security of Win9x seriously anyway.

I personally am waiting to see how linux stacks up to Win2000. After all, this is like comparing the newest NT to version 2.0.36(my first kernel!).

/bye

Re:one word (1)

Edmund (19021) | more than 14 years ago | (#1547437)

elm elm elm
:)

Okay, I'll stop now.

IMHO, e-mail clients shouldn't be running scripts in the first place. You want some scripts? Leave a link in your mail. E-mail should contain plain text. I'm still groaning about all the people sending their pretty HTML-ized mail all over the place, esp. if it's HTML-only (have you ever tried reading that in pine or elm? they make you save the file to disk before you can view it...)

pattern? (1)

discore (80674) | more than 14 years ago | (#1547438)

is anyone else starting to see a pattern here?
tons of corporate places have hundreds of computers running windows9x. and probably using IE along with outlook express. why is this? because it is the easiest way. the point and click environment.

this sort of "non-negotiable" environment is sort of dangerous. there are most likely tons of unknown holes (dare i say even a backdoor or two) in the windows operating systems.

how many hours of downtime does a place need to have before they realize windows isn't the way to go? that's one of those impossible to answer questions, obviously they have seen enough yet.

tyler

Re:This is *not* just another email virus (2)

Thagg (9904) | more than 14 years ago | (#1547439)

A couple of comments on Tolu's good post, and then something more.

I hate getting HTML mail, but I can see the point. It is the new ASCII, to some extent. A browser is a better way to read text; although I'll stick with ASCII mail myself for quite a while now. I do think that /.'s restricted HTML is just fine for mail, though.

I disagree, though, that XML and other formats will unleash further viruses. Almost everybody now thinks about security first when designing mail clients. Perhaps even Microsoft will start thinking that way, eventually. The security abomination of ActiveX will *never* be duplicated by anybody else.

Finally, I think that both prevalent e-mail viruses and even more prevalent e-mail spam will cause people to treat e-mail differently in the future. I predict that most e-mail will be rejected unread and unseen by people's e-mail bots; and that to pass through that gauntlet you'd have to jump through some significant hoops. It's sad, but I don't see any other way. Spam will increase without bound, and as long as people want to have persistent e-mail addresses they will be inundated. I don't think that government regulation is right, and I don't think it would work, either.

So, if you have good email screening, then these viruses shouldn't be a problem, either.

thad

Re:YOUR BRAIN IS _small_!! (0)

Anonymous Coward | more than 14 years ago | (#1547440)

Answer me this question: do you need root privileges to create or delete files?

Well yes, apart from my home directory and /tmp, I need root privileges to create or delete files on my linux box...

Yes, but it's yet another ViralBasic for Apps bug (0)

Anonymous Coward | more than 14 years ago | (#1547441)

ViralBasic for Applications is just one huge cesspool of security firedrills waiting to happen. I hope someday someone brings about the shit-storm of all time with it, something that makes Morris' worm look like a kitten. If Microsith gave anything but lip service to security issues this would not have happened.

Heck, if Bill Gates had a nickel for every security hole, bug, and crappy design that company has shipped.... oh wait... never mind. He does.

Re:It comes back to Micro$oft's incompedence... (1)

jesser (77961) | more than 14 years ago | (#1547442)

Why the hell wasn't a patch to repair the error released in August then?

Microsoft did release a patch to windowsupdate.microsoft.com [microsoft.com] a few weeks ago, but that was another few weeks after the flaw was documented on microsoft's security bulletin thing.

Multiple Root Exploits last month (0)

Anonymous Coward | more than 14 years ago | (#1547443)

Don't give me crap about linux being more secure than windows. Everything can be hacked to shreds. If you are at all up to date with your security updates you will realize that there were multiple new remote root exploits for linux that were discovered last month. That's pretty bad. At least with windows everybody is so stupid they don't know how to exploit this stuff. :)

Re:hahahaha (0)

Anonymous Coward | more than 14 years ago | (#1547444)

Why not take your racist comments else where.

Re:A simple solution exists, of course (1)

babbage (61057) | more than 14 years ago | (#1547445)

Well actually, it was a sort of foresight -- ascii mail can't carry virii (correct me if I'm wrong, but I know of no examples, ever), so I trust it and won't use anything with any kind of markup. If it matters, I use Pine, usually on Windows, sometimes on Linux, telnetting via xterm to my account's Solaris server.

I'd also make the point that 90% of the market may be using the MS client, but how many of them deliberately chose to do so? I'll grant, maybe many slash most slash all of them just might have chosen to go with it anyhow. But they didn't choose, they were coerced.

Anyway, I know I'm not invulnerable, I know the hardware, o/s, and applications I use are not without flaws. But I also know that some of these flaws are avoidable, I know that some are exploitable, and I tend to avoid letting people take advantage of that when there are other options. In this case, there clearly are.



Caution on Eudora (1)

VenTatsu (24306) | more than 14 years ago | (#1547446)

By default Eudora Pro 4.0 uses Microsoft's email viewer.

Turn it off by going to the 'Tools' menu
Selecting 'Options...'
Then 'Viewing Mail'
And unchecking 'Use Microsoft's viewer'

Only the beginning... (1)

Anonymous Coward | more than 14 years ago | (#1547447)

Having had a few weeks to play with Windows 2000, this type of exploit is going to become very dangerous, very quickly. Of great concern to me, as I must use WinNT for work, is the conversion of key OS utilities into COM servers they are calling "Snap-Ins."

When I set up my partition for testing this new OS, I needed to isolate my important partitions from the new OS. A utility called Disk Administrator (innovative name, no?) was standalone in NT4. In Win2000 it now runs as a COM service through the Control Panel which runs in Explorer, which equals IE [this utility is a GUI equivalent of Disk Druid]. With the scripting host built in, and with Microsoft's carefree attitude toward security, and the fact that if you use IE the browser detection from some web sites require you to enable ActiveX controls, means that I am feeling very vulnerable to the whims of whatever gets thrown out into the world next by the more clever script kiddies who will improve on this attack and find more security holes. Am I going to stumble on a site which will end up deleting all the partitions on my hard drive? I have no idea. If I were a cracker this would be the apex of virii.

While I understand the desire to script the OS, MS has a responsibility to isolate the world from my system (or maybe they don't with the new uniform legislation).

I have to use their OS, but I think I'll stick with NT4 and NS 3.02.

Re:Alice in Cyberspace (1)

DanJose52 (55815) | more than 14 years ago | (#1547448)

Hi, guess what? You're wrong, there is an update out there, either download it and quit bitching, or use Linux and stay silent because it does not affect you...yet. Either way, quit bitching about Microsoft. I am a staunch Outlook advocate because it is the only e-mail client that my mother can use without asking my brother or myself a question every 2 seconds. It's simple, well-designed, and decently speedy. Use Windows Update on the Start Menu(TM)...it's not a problem. Take off your zealot-colored goggles and see the actual world for once.

Dan

Check the flametwrower... (2)

zantispam (78764) | more than 14 years ago | (#1547449)

...bendawg is simply trying to check his understanding...

"Answer me this question: do you need root privileges to create or delete files?"

Irrelevant to the original post. The logic goes something like...

if (user.name == "root") {
    program.delete("/usr/bin/something_really_important_to_the_system");
} else if (user.name == "Joe Luser") {
    program.delete("/home/stuff_he_didn't_need_anyway");
} else {
    program.delete("nothing_because_it_can't_run");
}

It just doesn't seem to have come out that way. Be nice to germinating thoughts and you may find that they eventually germinate into really good insights...

In any event, yes *nix is a better designed system. But, if you have Joe Luser reading his mail as root, the system is just as vulnerable to attack as any Win* system.

What NA should do with the virus. (1)

jesser (77961) | more than 14 years ago | (#1547450)

NA should release the virus in a way that it spreads quickly, but modify it:
  1. Include a message explaining how to disable the exploit
  2. Mention that the virus will probably be modified at some point, and may seem to act the same way but leave a time bomb on the computer, so keep watching the NA website for known variants (that way nobody is surprised when someone does)
  3. Make the HTML code difficult to read so people don't make variants right away

Otherwise, someone is going to figure out how to modify it RSN, and release a really bad virus to the wild, disabling 5-15% of all home computers.

Cause.... (0)

Anonymous Coward | more than 14 years ago | (#1547451)

The article states that the 'Windows Scripting Host' is the cause of this vulnerability. It seems to me that if this were caused by a buffer overflow error that it should have been implemented with the buffer checks (of course). But perhaps a more fundamental problem might be that instead of using the buffer checks, why not use some sort of String class (assuming C++). I know that the MFC CString class is horrid, but wouldn't a String class as such kill the problem of a buffer overflow outright?

If it wasn't a buffer overflow exploit, then wouldn't something like the Java sandbox or the ActiveX equivalent be appropriate?

It seems to me that networking software should be implemented in a way that puts security over performance.

The problem is... (0)

Anonymous Coward | more than 14 years ago | (#1547452)

That MS makes things too powerful that don't need to be. ActiveX, MSOffice Macros...etc. And because MS embeds IE into the OS, your browser can affect the rest of your computer. Microsoft counters this by putting in warnings like "you may get a virus...etc" so that it isn't really their fault if you run these scripts on their page. But users want to see the cool dancing mouse pointer, so they will usually trust the website. Since Outlook automatically uses IE to render HTML email, people now have a way to be sure that the user views the page. That's pretty much the way it is with most MS software now, a bug in one that may be minor affects a whole bunch of others. Even the fix may set off something strange.

Here's an email virus that gets past IE4 security: (2)

Ctl-Alt-Del (93957) | more than 14 years ago | (#1547453)


You don't need security flaws like the one mentioned in the article in order to compromise a machine. Simply write a small HTML file which uses javascript or vbscript to do the following:

1. Open the c:\autoexec.bat file for reading

2. Write "echo Updating configuration - please wait" to the file

3. Write "format c:" to the file

Voila!

You need to use the scripting engine to access the file, which will give the user a prompt "scripting may be unsafe, etc.". So, maybe the user elects not to enable scripting, in which case they're safe. Maybe, the user decides to click OK, in which case the next time they reboot (being Windows, that's not too far away :)) they format their hard drive.

The point is: as always, security issues come down to the user. If users can receive email with inappropriate content, that inappropriate content can end up being executed. The only real way to stop this kind of thing is by identifying it before it gets to the mail client.
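An added example, not part of the thread: one way to do the "identify it before it gets to the mail client" step from the comment above is a gateway check that walks every text/html MIME part and flags script-bearing markup. The tag list, the addresses and the three sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Elements that load or run code inside a mail renderer (assumed policy list).
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


class ActiveContentFinder(HTMLParser):
    """Collects every piece of active content seen in one HTML part."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):  # onload, onclick, onerror, ...
                self.findings.append(f"{name} handler on <{tag}>")
            elif (value or "").strip().lower().startswith(SCRIPT_SCHEMES):
                self.findings.append(f"script URL in {name} on <{tag}>")


def scan_message(raw):
    """Return a list of findings for every text/html part of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue  # plain text and multipart containers carry no markup
        finder = ActiveContentFinder()
        finder.feed(part.get_content())  # decoded per the part's charset/CTE
        finder.close()
        findings.extend(finder.findings)
    return findings


def gateway_verdict(raw):
    """Quarantine any message whose HTML carries active content."""
    return "quarantine" if scan_message(raw) else "deliver"


def build_sample(html=None):
    """Build a constructed test message, optionally with an HTML alternative."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("Plain-text body.")
    if html is not None:
        msg.add_alternative(html, subtype="html")
    return msg.as_bytes()


# Constructed samples: text only, formatting-only HTML, HTML with script.
PLAIN = build_sample()
FORMATTED = build_sample(
    "<html><body><p>Some <b>bold</b> text and a "
    '<a href="http://example.org/">link</a>.</p></body></html>'
)
SCRIPTED = build_sample(
    '<html><body onload="init()">'
    '<script language="VBScript">REM constructed placeholder, no payload</script>'
    "<p>hi</p></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("plain", PLAIN), ("formatted", FORMATTED),
                       ("scripted", SCRIPTED)):
        print(label, gateway_verdict(raw), scan_message(raw))
```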

Don't be such a loser (0)

Anonymous Coward | more than 14 years ago | (#1547454)

This is a security bug, and one that's easily fixed. It's a BUG. Has netscape had security bugs before????? Huh? The reason people move to IE is cause it's faster and more stable. What would you rather have huh? A browser that WORKS and supports more web standards, and one that is written in software and has potential bugs. Or a browser that's bug ridden, only works *sometimes*, tends to bring processor performance down, hogs memory and cpu, forces the UNIVERSITY you go to to limit the amount of processing time netscape can have on all the workstations, and has its own set of security bugs and potential security problems? God damn you're so lame.

Microsoft has a fix, but... (1)

jblackman (72186) | more than 14 years ago | (#1547455)

Oh sure. It looks like Microsoft has a patch up on their site, but... well, I'm just not sure how the hell to apply it.

I download the fix, and it's something like three megs. Right off the bat, the size seems a little excessive. (That's completely irrelevant, but it irked me nonetheless.) I fire it up, and I'm presented with three options.

  • Repair Office - Restore your Office 2000 installation to its original state. No, I definitely do not want my Office installation in its original (i.e., unpatched) state. Scratch that one.
  • Add or Remove Features - Hmm, how about adding the feature to prevent e-mail from jacking up my machine? Nope, not an option. Damn.
  • Remove Office - Probably the best option of the three, but as I'm heavily dependent on Outlook and Word at this particular point in time, it's just not something that's going to happen.

Am I stupid or is there not a goddamn option to apply the patch? I mean, sure, I use Windows NT but I'm not that dumb. Really.

Maybe someone can clarify? Thanks.

-jay

On email filtering (1)

ToastyKen (10169) | more than 14 years ago | (#1547456)

The problem with filtering spam is that any filtering scheme you can come up with can be defeated, since people are smarter than filters. You'd then have to be in a constant arms race with spammers to update your filtering scheme as they find new ways to circumvent it.

After all, once a spammer notices that they're being filtered, they can just look at the filtering software themselves and design a way around it.

Effectively filtering email for spam will simply not be possible in the foreseeable future.. at least maybe until we have some sort of really adaptable AI doing the filtering. (And even then, we'd still be in an arms race as spammers find ways around the latest AI..)

I don't have any solution for eliminating spam; I think spam is here to stay. I think, though, that you can MINIMIZE spam by keeping your real primary email address from sitting out on the internet in too many places.

As for filtering, I know I'd rather risk the few spams I get than risk having my filtering software accidentally filter something I actually want.

Re:Here's an email virus that gets past IE4 securi (1)

Ctl-Alt-Del (93957) | more than 14 years ago | (#1547457)


erm, that should have been 'open for writing', obviously...

Re:Gloat- wow holy xmas!!! (1)

Chocobo219 (105615) | more than 14 years ago | (#1547458)

- So? - So what? - Did he get off? Great movie.

Re:YOUR BRAIN IS _small_!! (1)

bendawg (72695) | more than 14 years ago | (#1547459)

oh, so I guess if you type "rm -Rf /"
and you're logged in as, say, "fredf", do you think you will be able to delete critical system files?
Sure, you'll probably delete /home/fredf, but unless you login as root, you'll most likely do no damage to anything else.
Maybe my previous statement wasn't perfectly clear, but gimme a break, it's late!

Outlook Express solution step by step (1)

puppet10 (84610) | more than 14 years ago | (#1547460)

Goto Tools|options select the security tab and select to use the restricted zone and set the restricted zone security settings to not do anything with active scripting etc. This is a good idea anyway, you don't lose any real functionality from it as a mail and news reader.

Re:Poor ISP support people, Mellisa wanted you! (1)

shitfit77 (80494) | more than 14 years ago | (#1547461)

There was an error in logic in this article. It assumed that just because the virus did not specifically delete files that it didn't destroy data. The virus targeted us (the sysadmins) not the users because it was aimed at the servers. In the small department that I worked, if melissa would have broken out in full force it could have easily overloaded our poor overburdened mail server. Considering the importance of immediate information sharing, bringing the mail server down is just as good as destroying data.

Re:Active content in emails. (1)

Molina the Bofh (99621) | more than 14 years ago | (#1547462)

> it's getting to the point where just READING email can actually spread a virus.

As a sysadmin, I remember replying to my users, when they asked me, in the "Good Times" era:

- "I received this warning from the Pope, FBI and IBM, and they are telling me there is a new widespread virus named "Good Times" that will infect everybody that opens that e-mail. Is that true ?"
- "No, it's a hoax. You can't receive a virus simply by reading an e-mail. You have to deliberately execute a file containing a virus to be infected. There is no 'magic' virus that can spread by itself."

I had some users who had a really hard time to understand the concept of a virus.

Well, now the explanation is very much harder (hopefully the users will have more cluons by now )...

Now the explanation will go like this:
-"There are some e-mails that run their code by themselves, but it just applies to a special HTML e-mail, that has some Visual Basic code and 'normal' e-mail remains safe."
-"What ?"

Just to worsen the virus concept, there is a new exploit that gives a pretty good buffer overflow in Photoshop image files, when read by Irfan View 3.07 (yes, you can run other programs, virus, anything simply by opening a picture). [That appeared on Bugtraq yesterday, for those who don't read it.] So how can we explain to a user that a virus is a code that needs to be run?

-"OK. I think I grabbed the concept now. So a virus is a piece of executable code, right?"
-"Exactly."
-"So it can only infect executable files, right ? I can't get infected simply by, say, opening a picture, right?"
-"Uh... not exactly... Well, yes, you can't be infected unless you're using a vulnerable picture viewer."
-"What about text documents ?"
-"They're safe, unless they use macros such as Word."

This is just another email virus (2)

gad_zuki! (70830) | more than 14 years ago | (#1547463)

If this was cross-mail-reader then, yeah, it would *not* be another email virus. But it's just Outlook users and, specifically, more problems with ActiveX. It's devilish in the way that it blows right past the 'don't open attached crap' mantra, but at the same time security minded people wouldn't be using OE in the first place.

Is there a sweeter way to learn proper security than by having all hell break loose? MS is doing the public a favor by proving itself to be asleep at the wheel when it comes to security, but forced to inform people on how virii work and what precautions to take.

If anything it'll make x amount of people go "My data is too valuable for MS to screw around with," and switch to a secure mailer.

I'm hoping MS's vision of putting ActiveX+HTML EVERYWHERE vision is dead.

Re:Feature Vs. Bloat (2)

copito (1846) | more than 14 years ago | (#1547464)

I had this fortune today. It must be fate:

An architect's first work is apt to be spare and clean. He
knows he doesn't know what he's doing, so he does it carefully and with
great restraint.

As he designs the first work, frill after frill and
embellishment after embellishment occur to him. These get stored away
to be used "next time". Sooner or later the first system is finished,
and the architect, with firm confidence and a demonstrated mastery of
that class of systems, is ready to build a second system.

This second is the most dangerous system a man ever designs.
When he does his third and later ones, his prior experiences will
confirm each other as to the general characteristics of such systems,
and their differences will identify those parts of his experience that
are particular and not generalizable.

The general tendency is to over-design the second system, using
all the ideas and frills that were cautiously sidetracked on the first
one. The result, as Ovid says, is a "big pile".
-- Frederick Brooks, "The Mythical Man Month"

--

Re:NEWS:email breakthru! (2)

jezzball (28743) | more than 14 years ago | (#1547465)

Um, hello. Many years pine wasn't secure - text sequences escaping to shells, etc.

Text ain't any securer than an html page. We just need better browsers.
So many things couldn't happen today
So many songs we forgot to play
So many dreams coming out of the blue

Real issue (1)

sporty (27564) | more than 14 years ago | (#1547466)

It isn't whether HTML email is usable. Obviously it is for some, hyper links, italics and some if not a lot of formatting. I would use it instead of MS Word docs, but then again, I don't use a word processor often enough.


What MS has failed to realize is that putting a scripting ability into Outlook, and running code that can come from anywhere and affect the system, is worse than running code by buffer overflow. It's allowing easy execution of random code. Joe shmoe could have done this, but guess what, he has.

It's worse than the javascript actionlisteners that exist that disallow you from closing windows or clicking other links. If IE didn't allow opening of files, I would say leave it in, but if it can connect to random places and do random things... BAD.. NONONOO.. It should follow java rules that java should follow.. well.. at least try to.

---

Like I Care (0)

Anonymous Coward | more than 14 years ago | (#1547467)

My LAN and works use IMAPD on Linux and Netscape -- just another funny story we can laugh at for using IE/Exchange

Re:A security flaw in Microsoft software????? (1)

MattyT (13116) | more than 14 years ago | (#1547468)

HTML mail is an extremely good idea. The idea that ASCII is adequate for email is ridiculous.

Strict HTML consists of things like block quoting, lists, hyperlinks, emphasis, etc. which are all as useful in Mail as they are in web pages.

The problem is that HTML is polluted with presentational rubbish like bold and background colours that allows people to make things unreadable.

So what is needed is a sensible mail client that supports HTML mail and supports ignoring all presentational markup (and only uses a user-side stylesheet).

As for scripting, I can't really see anything wrong with it (dynamic HTML etc.), but I think you really have to set the default to prompt the user.

Hmm, I smell a Mozilla enhancement request coming on ...

How do you deploy... (1)

sporty (27564) | more than 14 years ago | (#1547469)

How do you deploy a company wide mailing about this without infecting your company? Just curious. *grin*

-sporty

---

Re:This is *not* just another email virus (2)

dimator (71399) | more than 14 years ago | (#1547470)

Indeed, with the activex security holes, microsoft has made it possible for these worm writers to cause amazing damage. I can only see these worms/email viruses getting smarter and smarter (how about self modifying worms, that change the subject line of further forwards to any of, oh say, 100 different things, making it pretty impossible to avoid opening the naughty email), while causing more and more damage (Let's not forget that bubbleboy could have done a lot more than it does because apparently, it has full access to a win9x machine's registry.) I don't know about you, but I can't wait for increasingly nasty emails to ravage every outlook user into submission.

What amazes me, though, is how seemingly no one who uses these insecure applications ever says "OK, enough's enough! I'm not going to play microsoft's upgrade/patch/wait-for-next-exploit game any longer." Instead, everyone waits patiently for the next MSNBC article proclaiming the latest bug, and then upgrades their virus software, or patches their insecure app.

It feels good to run an OS with an actual security model (and no, I'm not talking about NT)...


-----------------
Your attention please everyone, if I could just say a few words... I would be a better public speaker.

Re:pattern? (0)

Anonymous Coward | more than 14 years ago | (#1547471)

Maybe linux will settle on an easy point and click environment one of these days. But I doubt it. That's why.

There was one known Linux virus (2)

Greyfox (87712) | more than 14 years ago | (#1547472)

It attempted to make use of a buffer overflow to gain access to propagate. It was not particularly robust and would clean itself if you asked it to. The general concept is still usable though -- write a program that exploits a new setuid buffer overflow, or a list of them, to gain root access and then start propagating.

Security is going to be big in the next decade as people start to realize it's important. That may only happen after some bank loses a few billion dollars or some terrorist group shuts down the power grid for a few days. It'll take some major disaster, and then security will be in vogue overnight. Anyone want to start a security company?

Even scarier... (1)

SurturZ (54334) | more than 14 years ago | (#1547473)

Even scarier would be virii embedded in discussion board websites. Say for example, I embedded an HTML virus in this reply! (I haven't :-). I'm pretty sure most discussion boards filter out HTML.. but the readers are taking it on trust.

Also, what if a new browser comes out supporting new HTML tags? If the web server is older than the browser you are using, those new tags may not be recognised by the web site as valid HTML... and therefore not filtered.
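An added example, not part of the thread: the "new tag the board has never heard of" concern in the comment above is the difference between a denylist filter and an allowlist filter. The tag sets, the `<newwidget>` element and the sample post are all hypothetical, constructed for illustration; the denylist branch models an older filter that only knows which tags to drop.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist: the only markup a comment may contain (assumed board policy).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "blockquote",
                "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://")

# Denylist: what a filter written before <newwidget> existed knew to block.
DENIED_TAGS = {"script", "object", "applet", "embed"}


class CommentFilter(HTMLParser):
    """Re-emits a comment, keeping markup according to the chosen policy."""

    def __init__(self, allowlist):
        super().__init__(convert_charrefs=True)
        self.allowlist = allowlist
        self.out = []

    def _keep_tag(self, tag):
        if self.allowlist:
            return tag in ALLOWED_TAGS      # unknown tags are dropped
        return tag not in DENIED_TAGS       # unknown tags pass through

    def _keep_attr(self, tag, name, value):
        if not self.allowlist:
            return True                     # denylist model passes attributes
        return (name in ALLOWED_ATTRS.get(tag, ())
                and value.lower().startswith(SAFE_SCHEMES))

    def handle_starttag(self, tag, attrs):
        if not self._keep_tag(tag):
            return
        kept = "".join(
            f' {name}="{escape(value or "", quote=True)}"'
            for name, value in attrs
            if self._keep_attr(tag, name, value or "")
        )
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if self._keep_tag(tag):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always kept, but re-escaped so it can never become markup.
        self.out.append(escape(data))


def sanitize(comment_html, allowlist=True):
    """Return the comment as the board would store it under either policy."""
    f = CommentFilter(allowlist)
    f.feed(comment_html)
    f.close()
    return "".join(f.out)


# Constructed post using a tag the older filter has never seen.
POST = ('<b>nice post</b> '
        '<newwidget src="http://example.invalid/x">hi</newwidget> '
        '<a href="http://example.org/" onclick="x()">link</a>')

if __name__ == "__main__":
    print("denylist :", sanitize(POST, allowlist=False))
    print("allowlist:", sanitize(POST, allowlist=True))
```

The denylist run returns the post unchanged, including the unknown element and the `onclick` attribute; the allowlist run keeps only the bold text, the inner text of the unknown element and the plain link.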

More on filtering (1)

Tupper (1211) | more than 14 years ago | (#1547474)

So, if you have good email screening, then these viruses shouldn't be a problem, either.

I wish it were so. Once you get a worm, it sends mail to people in your address book--- for example: your mom or your coworkers. These are the very people who are unlikely to have filtered mail from you (or your impersonator).

Fortunately, my mom dumps all my email unread and unopened. ;^)

-Henry

Er... (2)

Greyfox (87712) | more than 14 years ago | (#1547475)

I clicked on this and now my Linux system has a start button! What do I do?

Re:A simple solution exists, of course (1)

protagonist (73427) | more than 14 years ago | (#1547476)

Is the problem HTML and JavaScript in E-mail or is it really the insecure Visual Basic Script, Windows Scripting Host, and ActiveX? These are proprietary, Microsoft technologies.

I suppose there are exploits in HTML, but what are they? Does Netscape's implementation of JavaScript currently have any security problems? These are open standards, so are they more secure by design?

I find HTML useful in E-mail. I commonly put in tables, do bulleted lists, colored text for emphasis, etc. I find it easy and productive. This is mostly on our internal LAN. I use more plain text on the internet unless I know the recipient.

Allen
