Scot Mc Pherson wrote:
I believe the one of the most important holes is html based mail, because
the e-mail is processed as a webpage which can be used to download
undesirable content. If you configure your e-mail browser to display all
messages as text you will close this hole...You will notice my e-mails are
nearly 100% text
Downloading content is also a form of receipt notification and
capabilities discovery, which mass e-mailers love to know. Barnes and
Noble have done mass e-mailings learning to tailor future content,
whether you want it or not.
Another case is teenpicks.com (teen sexual pictures). If we suppose a
CEO, CFO, or directors of a corporation received sexually oriented
HTML e-mail and that e-mail deposited cookies then a claim of a
sexually hostile atmosphere by an employee can be hard to dispute.
Scot
-----Original Message-----
From: Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu
[mailto:Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu]
Sent: Thursday, May 11, 2000 9:45 AM
To: Castro, Edison M. (PCA)
Cc: 'Steven M. Bellovin'; Stef(_at_)NMA(_dot_)COM; Brant Knudson;
ietf(_at_)ietf(_dot_)org
Subject: Re: VIRUS WARNING
On Thu, 11 May 2000 08:24:11 EDT, "Castro, Edison M. (PCA)" said:
That is exactly the same way that all Windows virus work. As a Windows
user (as well as other OSes), I can say that people have to be responsible
for their actions. Whenever you receive any Email attachment, the only
way
that attachment can produce any damage is if you run it.
Well, it's worse. Melissa, the Love Bug, and the Christmas worm all
required
the user to take an action (click/open/run the payload).
However, there's apparently ANOTHER hole....
Seen on a SANS posting yesterday:
/Valdis
-- 10 May 2000 Email viruses are now spreading WITHOUT THE USER
OPENING ANY ATTACHMENT.
Personal computers running Internet Explorer (IE) version 5.0 and/or
Microsoft Office 2000 are vulnerable to virus attacks using most email
systems, even if the email recipient opens no attachments. You don't
even have to use IE; just have it installed with the default security
settings. If you have not closed the hole, you can receive viruses (and
spread them) by viewing or previewing malicious email without opening
any attachment, or by visiting a malicious web site. The problem is
caused by a programming bug in an Internet Explorer ActiveX control
called scriptlet.typelib. This is by far the fastest growing virus
distribution problem and ripe for a hugely destructive event - at least
as large as the ILOVEYOU virus. Updating your virus detection software,
while important, is not an effective solution for this problem. You must
also close the hole. The hole can be closed in five minutes or less
using tools available at Microsoft's security site:
http://www.microsoft.com/security/bulletins/ms99-032.asp
The correction script may be run directly from:
http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm
Editor's Note: Thanks to Jimmy Kuo of Network Associates and Nick
FitzGerald of Computer Virus Consulting Ltd. for raising the visibility
of this dangerous problem.
--
Dennis Glatting
Copyright (c) 2000 Software Munitions