From owner-freebsd-chat Wed Nov 10 15:19:23 1999
Delivered-To: freebsd-chat@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id C32DD14EB4; Wed, 10 Nov 1999 15:19:16 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id AD5181CD44C; Wed, 10 Nov 1999 15:19:16 -0800 (PST) (envelope-from kris@hub.freebsd.org)
Date: Wed, 10 Nov 1999 15:19:16 -0800 (PST)
From: Kris Kennaway
To: Sean Michael Whipkey
Cc: Greg Lehey , Jonathan Chen , freebsd-chat@FreeBSD.ORG
Subject: Re: "Good times" `virus' now a real possibility...
In-Reply-To: <3829DDDE.9882F9E7@cstone.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 10 Nov 1999, Sean Michael Whipkey wrote:

> There was a discussion on this at the USENIX Security Symposium in
> August in DC.
>
> Basically, Outlook uses IE to view certain types of mail. It's possible
> to use Visual Basic and/or ActiveX to force Internet Explorer to execute
> arbitrary commands on the receiving computer - simply by viewing the
> HTML that the e-mail is written in.
>
> There are ways to disable it, but they're rather obscure at times. Joe
> Average-User won't know to do it.

This sounds like a different problem. IE (especially IE5) has been plagued by security vulnerabilities since it came out - many of them are of this sort (or Java sandbox escape strategies, etc), but there have also been found a couple of nastier (but more traditional) buffer overflows. This one sounds like it exploits an overflow in the message downloading part of MSOE (similar vulnerabilities existed in old versions of Eudora, at least, and I think Pine had one too). So you get hit at the time you /download/ the message (POP3, etc), not when you actually read it. Check the bugtraq archives on www.securityfocus.com (excellent site!) for more information.

It doesn't help that Microsoft often takes weeks for the patches to make their way onto windowsupdate.microsoft.com, and that doesn't help the millions of win95 users (or win98 users who haven't enabled critical update notification) at all.

I've long thought that this is going to be the next wave in computer security threats: software which aggressively searches for many kinds of common buffer overflows, and probes networks to spread. Historically most worms have been single-vectored and so relatively easy to defend against (single vendor patch), which isn't so if you have to patch n different security holes on all your machines (client and server). Client exploits (especially active ones like this, not passive ones like Melissa which relied on user stupidity) are particularly troublesome to defend against when you have hundreds of user machines.

> Makes me glad I'm out of tech support. :-)

Indeed :-)

Kris

----
Cthulhu for President! For when you're tired of choosing the _lesser_ of two evils..

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-chat" in the body of the message
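The download-time overflow class Kris describes, seen from the defender's side: an added example (not code from this thread, nor from any mail client mentioned in it) of a bounded header-line parser that a POP3 client could use, rejecting an over-long line from the server instead of copying it into a fixed buffer. The function and constant names and the 1000-byte limit are hypothetical.

```c
#include <string.h>

/* Hypothetical client-side cap on one header line, modelled on the
 * 998-character line maximum recommended by RFC 2822. */
#define MAX_HDR_LINE 1000

enum hdr_status { HDR_OK = 0, HDR_TOO_LONG = 1, HDR_BAD_SYNTAX = 2 };

/* Copy one "Name: value" header line from the raw download stream into a
 * fixed-size buffer. The unsafe pattern this replaces is
 *   strcpy(buf, line);      // trusts the remote server's line length
 * which is the kind of defect that lets a hostile message compromise the
 * client while it is still being fetched, before anyone reads it. */
enum hdr_status parse_header_line(const char *line, size_t line_len,
                                  char *out, size_t out_size)
{
    size_t i;
    /* Enforce the limit before touching the buffer; do not truncate
     * silently, since a cut header can change meaning (e.g. Content-Type). */
    if (line_len >= out_size || line_len > MAX_HDR_LINE)
        return HDR_TOO_LONG;
    /* Header field name must be printable ASCII up to the ':'. */
    for (i = 0; i < line_len && line[i] != ':'; i++) {
        if (line[i] <= ' ' || line[i] > '~')
            return HDR_BAD_SYNTAX;
    }
    if (i == 0 || i == line_len)
        return HDR_BAD_SYNTAX;
    memcpy(out, line, line_len);
    out[line_len] = '\0';
    return HDR_OK;
}

/* Self-check on constructed input: a normal Subject line is accepted, and
 * a server-supplied 3000-byte line is rejected rather than copied. */
int demo_rejects_oversized_header(void)
{
    char buf[MAX_HDR_LINE + 1];
    static char hostile[3000];
    const char *good = "Subject: Re: Good times virus";
    memset(hostile, 'A', sizeof hostile - 1);
    memcpy(hostile, "X-Evil: ", 8);
    hostile[sizeof hostile - 1] = '\0';
    if (parse_header_line(good, strlen(good), buf, sizeof buf) != HDR_OK)
        return 0;
    if (parse_header_line(hostile, strlen(hostile), buf, sizeof buf) != HDR_TOO_LONG)
        return 0;
    return 1;
}
```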