From Steven M. Bellovin's message Thu, 11 May 2000 07:40:26 -0400:
}
}In message <13901(_dot_)958019788(_at_)nma(_dot_)com>, Einar Stefferud writes:
}
[snip]...
}
}>Seems to me that this beloved "feature" (giving root privs to random
}>EMail messages) should (by now) now be fully discredited, and should
}>be destined for extinction, if only the customers will accept its
}>disappearance in trade for an absence of a continuing flood of these
}>$6,000,000,000 economic loss episodes.
}
}See http://catless.ncl.ac.uk/Risks/5.80.html#subj1 for details on how
}it worked -- but it didn't involve any analog to 'root' privileges.
}
I believe the distintion between USER Privs and ROOT Privs in Windows
is almost negligable, in that the typical user opening an attachment
in USER space allows major modifications of basic ROOT funtions and
data tables, hence in Windows (and probablby other PC environments
without multi-user system barriers) ther is very little TOOT
protection from USER run processes.
And, therein lays the "root" of the problem;-)...
This is of course aggravated by attachment of such PCs to the Internet
where all end users are responsible for protecting themselves, while
their software does not help them to protect themselves. It takes a
considerable wizard to do all the complex things that need to be done
to close the security holes.
But, whay large Fortune 2000 companies put up with all this is a great
mystery to me, and of course, intil they get the message here, they
will continue to fatten the MS purse while buying such trouble as
these problems will cause.
To repeat my mantra, it's the customer's fault, cause vendors insist
on selling what people will buy;-)...
How can any vendor do othersise?????? Cheers...\Stef
}
}When the recipient got a copy, there was an included (or attached; I
}don't quite remember) REXX file. (REXX was a scripting language for VM/
}CMS.) The message told you that it would display a Christmas card if
}you ran it; most users did just that, since the note appeared to come
}from someone they knew. And then the file replicated itself; you all
}know the rest.
}
}Note the two crucial points -- it ran with the user's permissions, and
}it was explicitly run by the user, rather than by any automatic
}mechanism.
}
} --Steve Bellovin
Cheers...\Stef