Date: Wed, 10 Nov 1999 15:19:16 -0800 (PST)
From: Kris Kennaway <kris@hub.freebsd.org>
To: Sean Michael Whipkey <highway@cstone.net>
Cc: Greg Lehey <grog@lemis.com>, Jonathan Chen <jonc@logisticsoftware.co.nz>, freebsd-chat@FreeBSD.ORG
Subject: Re: "Good times" `virus' now a real possibility...
Message-ID: <Pine.BSF.4.10.9911101507470.13560-100000@hub.freebsd.org>
In-Reply-To: <3829DDDE.9882F9E7@cstone.net>
On Wed, 10 Nov 1999, Sean Michael Whipkey wrote:

> There was a discussion on this at the USENIX Security Symposium in
> August in DC.
>
> Basically, Outlook uses IE to view certain types of mail. It's possible
> to use Visual Basic and/or ActiveX to force Internet Explorer to execute
> arbitrary commands on the receiving computer - simply by viewing the
> HTML that the e-mail is written in.
>
> There are ways to disable it, but they're rather obscure at times. Joe
> Average-User won't know to do it.

This sounds like a different problem. IE (especially IE5) has been plagued by security vulnerabilities since it came out - many of them are of this sort (or Java sandbox escape strategies, etc), but there have also been found a couple of nastier (but more traditional) buffer overflows.

This one sounds like it exploits an overflow in the message downloading part of MSOE (similar vulnerabilities existed in old versions of Eudora, at least, and I think Pine had one too). So you get hit at the time you /download/ the message (POP3, etc), not when you actually read it. Check the bugtraq archives on www.securityfocus.com (excellent site!) for more information.

It doesn't help that Microsoft often takes weeks for the patches to make their way onto windowsupdate.microsoft.com, and that doesn't help the millions of win95 users (or win98 users who haven't enabled critical update notification) at all.

I've long thought that this is going to be the next wave in computer security threats: software which aggressively searches for many kinds of common buffer overflows, and probes networks to spread. Historically most worms have been single-vectored and so relatively easy to defend against (single vendor patch), which isn't so if you have to patch n different security holes on all your machines (client and server).

Client exploits (especially active ones like this, not passive ones like Melissa which relied on user stupidity) are particularly troublesome to defend against when you have hundreds of user machines.

> Makes me glad I'm out of tech support. :-)

Indeed :-)

Kris

----
Cthulhu for President! For when you're tired of choosing the _lesser_ of two evils..
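The bug class Kris describes, a mail client copying a line received during message download into a fixed-size buffer without checking its length, as an added C example that is not part of the original thread or any of the clients it names: a bounded POP3 line reader that enforces the RFC 1939 limit (responses are at most 512 octets including CRLF) and rejects or defers over-long input instead of overrunning the buffer. The function names and the constructed sample inputs are this example's own assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 1939: a POP3 response line, CRLF included, is at most 512 octets. */
#define LINE_MAX_OCTETS 512

/* The defect class discussed above is a reader that does roughly
 * `char line[256]; strcpy(line, netbuf);` with no length check, so a
 * server (or anything on the path) sending a long line overwrites the
 * stack. This version never copies more than the caller's buffer holds.
 *
 * Returns 0 with out[] filled (NUL-terminated, CRLF stripped) and
 * *consumed set, when a complete line within the limit starts buf;
 * -1 when the line is over-long or does not fit out[] (drop the
 * connection); -2 when no full CRLF-terminated line has arrived yet. */
int pop3_read_line(const char *buf, size_t buflen,
                   char *out, size_t outlen, size_t *consumed)
{
    size_t scan = buflen < LINE_MAX_OCTETS ? buflen : LINE_MAX_OCTETS;
    for (size_t i = 0; i + 1 < scan; i++) {
        if (buf[i] == '\r' && buf[i + 1] == '\n') {
            if (i >= outlen)            /* payload would not leave room for NUL */
                return -1;
            memcpy(out, buf, i);
            out[i] = '\0';
            *consumed = i + 2;
            return 0;
        }
    }
    /* No CRLF inside the limit: over-long if we already hold >= 512 octets,
     * otherwise the line is simply incomplete and more data is needed. */
    return buflen >= LINE_MAX_OCTETS ? -1 : -2;
}

/* Helper for a whole NUL-terminated string (constructed input). */
int classify_line(const char *s)
{
    char out[LINE_MAX_OCTETS];
    size_t used = 0;
    return pop3_read_line(s, strlen(s), out, sizeof out, &used);
}

/* Constructed over-long response: 700 'A's then CRLF, the shape of input
 * that overflowed the fixed buffers in the clients the message mentions. */
int classify_overlong(void)
{
    char big[702];
    memset(big, 'A', 700);
    big[700] = '\r';
    big[701] = '\n';
    char out[LINE_MAX_OCTETS];
    size_t used = 0;
    return pop3_read_line(big, sizeof big, out, sizeof out, &used);
}
```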