Email Clients and digital signatures

Neil Williams
Sat Jul 5 20:47:02 2003

Content-Type: text/plain;
Content-Transfer-Encoding: quoted-printable
Content-Description: signed data
Content-Disposition: inline

On Saturday 05 Jul 2003 5:45 pm, CL Gilbert wrote:
> I don't comprehend this.  A script is not allowed to run local programs.

Of course it is allowed - the default action is to allow execution of any
program, local or not. If it was just Javascript it wouldn't be a problem.
But VBScript/ActiveX is involved and therefore so is the system registry, the
main windows API and through that the CPU. Windows scripting worms are
capable of downloading malicious code completely without intervention:
(other than allowing HTML emails to be viewed as HTML).

This works because HTML emails are rendered using IE and therefore the usual
IE vulnerabilities are added to the mail client. So by constructing a
deliberate page that automatically loads the code, then constructing a
matching email worm to load that URL in the email preview, the trojan can be
installed. As noted in the quote below, the malicious web page could simply
be emailed directly, cutting out one step but still exposing the true
vulnerability: IE and its propensity to help malicious HTML email.

The Windows Script Engine provides Windows operating systems with the ability
to execute script code. Script code can be used to add functionality to web
pages, or to automate tasks within the operating system or within a program.
Script code can be written in several different scripting languages, such as
Visual Basic Script, or JScript.

A flaw exists in the way by which the Windows Script Engine for JScript
processes information. An attacker could exploit the vulnerability by
constructing a web page that, when visited by the user, would execute code of
the attacker's choice with the user's privileges. The web page could be
hosted on a web site, or sent directly to the user in email.

It has already been done, email worms are currently out there that can and
have performed exactly these operations. (Not always with the nicety of
obeying the user's privileges - which are weakly enforced at best.)

The people who write these malicious pages and scripts are not short of time,
intent or ability. You might think it isn't worth it, but there are plenty of
people who see it as extremely entertaining.

There are tips available to bolster Windows' poor security, including on my

Other info:

> ~ And certainly NOT automatically.  Anything you start on your own is

Not true. Automation is easy. Automation IS THE DEFAULT ACTION! The Windows
Scripting Engine is always loaded within Windows (Win95/98 allowed
uninstallation, later versions try to reinstall at reboot) and is always
ready to execute ANY active code that is passed along. IE will, by default,
ALWAYS pass on ALL active code to WSE. This is ostensibly because IE and
Explorer are meant to operate together and this is the source of the
problems. Explorer is meant to operate WSE and run local macros, automate
desktop tasks, load programs silently, etc. Netscape doesn't have these
vulnerabilities because it isn't part of Explorer. IE cannot easily avoid
calling WSE. If it did, Outlook would not become vulnerable in turn.

The core problem is that Windows treats all users as the system administrator
and assumes that all users have the authority to e.g. format the C: drive.

Unix/Linux realise that not all users can be trusted not to do this - least of
all automated tasks running in what should be the 'user' environment. When
running Linux as an ordinary user (99.9999% of the time), I cannot delete
anything except what is in my own user space. I cannot overwrite system
files, I cannot amend or add to system settings. I cannot run programs that
have the authority to change any of these things.

A simple example. From the command line (DOS), type:
del c:\windows\win.ini
del c:\windows\system\user.exe
del c:\progra~1\intern~1\iexplore.exe

What, you can delete all three? In Unix/Linux you get:
$ rm /etc/shadow
Permission denied
$ rm /usr/bin/gcc-3.2.2
Permission denied
$ rm /usr/bin/mozilla
Permission denied

Any program I execute in Windows runs with full privileges. Any program I
execute in Linux runs only as a user. (And before you mention Windows user
logins and user passwords, there are known ways around these too.)

> your own fault.  The only scripting I am aware of that is allowed is
> javascript or vbscript, and it's just as limited as if it were on a web
> page.  Like I said, it's in a sandbox.  The worst trick people have been

Not true. The sandbox doesn't exist - it was never even conceived. Windows3 is
the basis of the system and was never intended to be opened up to the outside
world. The sandbox was to be the entire PC, but by the time MS grudgingly
admitted that users actually wanted the internet, the box was already looking
like swiss cheese.

> |>~ Outlook is not supposed to automatically *run* arbitrary scripts.  When
> |>it does, that's an error.

Exactly. Error.

> still disagree.  that has nothing to do with outlook, and Linux even has
> a fileroler or something that can start programs based on extensions.

Within the user space, not within the system space. Plus all Linux clients
DEFAULT to not running these extensions and provide warnings that doing so
could compromise system security.

The program you are thinking of depends on which environment the user chooses:
Nautilus in Gnome or Konqueror in KDE. Neither executes arbitrary code on a
web page or in HTML email within the local environment.


Neil Williams

Content-Type: application/pgp-signature
Content-Description: signature

Version: GnuPG v1.2.1 (GNU/Linux)
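As an added illustration of the defensive behaviour the thread argues a mail client should have by default (show the text/plain alternative when there is one and, for HTML-only mail, render the markup without handing any active content to a script engine), the Python below is the editor's example. It is not code from the original post, nor from Outlook, IE, Nautilus, Konqueror or any other client named in the thread. The two sample messages, the lists of active elements, event attributes and script URL schemes, and the names ActiveContentStripper and render_body are all this example's own assumptions.

```python
"""Defensive rendering of HTML e-mail without invoking a script engine.
Added example for the mailing-list thread; not code from the original post
or any mail client it names.  Sample messages and the filtering policy
below are constructed for this example."""

import email
import html
import re
from email import policy
from html.parser import HTMLParser

# Elements that load or run code: dropped together with everything inside them.
ACTIVE_ELEMENTS = {"script", "object", "embed", "applet", "iframe", "frame", "frameset"}
# URL schemes that would hand a string to a script engine if followed.
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


class ActiveContentStripper(HTMLParser):
    """Re-emit the markup minus active elements, on* handlers and script URLs."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep &amp; etc. as written
        self.out = []        # sanitized markup fragments
        self.removed = []    # audit trail: what was stripped and why
        self.skip_depth = 0  # >0 while inside an active element

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self.skip_depth += 1
            self.removed.append(f"element:{tag}")
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):  # onload, onerror, onclick, ...
                self.removed.append(f"attr:{lname}")
                continue
            # Fold whitespace/control characters before checking the scheme,
            # since lenient renderers ignore them ("java\tscript:").
            folded = re.sub(r"[\s\x00-\x1f]", "", value or "").lower()
            if folded.startswith(SCRIPT_SCHEMES):
                self.removed.append(f"url:{lname}")
                continue
            kept.append((name, value))
        attr_text = "".join(
            f' {n}="{html.escape(v, quote=True)}"' if v is not None else f" {n}"
            for n, v in kept
        )
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> and friends, emitted as <br>

    def handle_endtag(self, tag):
        if tag in ACTIVE_ELEMENTS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip_depth:
            self.out.append(f"&#{name};")
    # Comments (including IE conditional comments) are dropped by default.


def render_body(raw_message):
    """Return (content type shown, body, removed items) for a raw message.

    Policy: a text/plain alternative is shown untouched and the HTML is never
    parsed; an HTML-only message is shown only after stripping active content.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:
        return "text/plain", plain.get_content(), []
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return "none", "", []
    stripper = ActiveContentStripper()
    stripper.feed(html_part.get_content())
    stripper.close()
    return "text/html", "".join(stripper.out), stripper.removed


# Constructed sample 1: multipart/alternative with a plain part.
ALTERNATIVE = b"""\
From: sender@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Plain text wins.
--b1
Content-Type: text/html

<html><body onload="alert(1)">Plain text wins.</body></html>
--b1--
"""

# Constructed sample 2: HTML-only, carrying the kinds of active content the
# thread describes (VBScript, event handlers, a script URL, an object element).
HTML_ONLY = b"""\
From: sender@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html

<html><body onload="alert(1)">
<p>Hello <b>reader</b> &amp; friends</p>
<script type="text/vbscript">MsgBox "active"</script>
<a href="java\tscript:void(0)">link</a>
<object classid="clsid:placeholder"></object>
<img src="cid:logo" onerror="alert(2)">
</body></html>
"""

if __name__ == "__main__":
    for sample in (ALTERNATIVE, HTML_ONLY):
        kind, body, removed = render_body(sample)
        print(kind, removed)
        print(body)
```

The removed list is the part a practitioner would keep: logging what was stripped from each message gives a cheap detection signal for mail that arrives carrying script elements, event handlers or javascript:/vbscript: links, which is exactly the content the thread says a client should never pass to the script engine in the first place.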