Email Clients and digital signatures
Neil Williams
linux@codehelp.co.uk
Sat Jul 5 20:47:02 2003
On Saturday 05 Jul 2003 5:45 pm, CL Gilbert wrote:
> I don't comprehend this. A script is not allowed to run local programs.
Of course it is allowed - the default action is to allow execution of any program, local or not. If it were just JavaScript it wouldn't be a problem. But VBScript/ActiveX is involved and therefore so is the system registry, the main Windows API and through that the CPU. Windows scripting worms are capable of downloading malicious code completely without intervention:
http://www.winguides.com/security/display.php/315/
(other than allowing HTML emails to be viewed as HTML).
This works because HTML emails are rendered using IE and therefore the usual IE vulnerabilities are added to the mail client. So by constructing a deliberate page that automatically loads the code, then constructing a matching email worm to load that URL in the email preview, the trojan can be installed. As noted in the quote below, the malicious web page could simply be emailed directly, cutting out one step but still exposing the true vulnerability: IE and its propensity to help malicious HTML email.
<quote>
The Windows Script Engine provides Windows operating systems with the ability to execute script code. Script code can be used to add functionality to web pages, or to automate tasks within the operating system or within a program. Script code can be written in several different scripting languages, such as Visual Basic Script, or JScript.
A flaw exists in the way by which the Windows Script Engine for JScript processes information. An attacker could exploit the vulnerability by constructing a web page that, when visited by the user, would execute code of the attacker's choice with the user's privileges. The web page could be hosted on a web site, or sent directly to the user in email.
</quote>
It has already been done, email worms are currently out there that can and have performed exactly these operations. (Not always with the nicety of obeying the user's privileges - which are weakly enforced at best.)
The people who write these malicious pages and scripts are not short of time, intent or ability. You might think it isn't worth it, but there are plenty of people who see it as extremely entertaining.
There are tips available to bolster Windows' poor security, including on my own site:
http://www.codehelp.co.uk/html/winemail.html
http://www.codehelp.co.uk/html/winprotect.html
Other info:
http://antivirus.about.com/library/blemail.htm
http://www.oreillynet.com/pub/a/network/2000/05/22/security.html
> ~ And certainly NOT automatically. Anything you start on your own is
Not true. Automation is easy. Automation IS THE DEFAULT ACTION! The Windows Scripting Engine is always loaded within Windows (Win95/98 allowed uninstallation, later versions try to reinstall at reboot) and is always ready to execute ANY active code that is passed along. IE will, by default, ALWAYS pass on ALL active code to WSE. This is ostensibly because IE and Explorer are meant to operate together and this is the source of the problems. Explorer is meant to operate WSE and run local macros, automate desktop tasks, load programs silently, etc. Netscape doesn't have these vulnerabilities because it isn't part of Explorer. IE cannot easily avoid calling WSE. If it did, Outlook would not become vulnerable in turn.
The core problem is that Windows treats all users as the system administrator and assumes that all users have the authority to e.g. format the C: drive. Doh!
Unix/Linux realise that not all users can be trusted not to do this - least of all automated tasks running in what should be the 'user' environment. When running Linux as an ordinary user (99.9999% of the time), I cannot delete anything except what is in my own user space. I cannot overwrite system files, I cannot amend or add to system settings. I cannot run programs that have the authority to change any of these things.
A simple example. From the command line (DOS), type:
del c:\windows\win.ini
del c:\windows\system\user.exe
del c:\progra~1\intern~1\iexplore.exe
What, you can delete all three? In Unix/Linux you get:
$ rm /etc/shadow
Permission denied
$ rm /usr/bin/gcc-3.2.2
Permission denied
$ rm /usr/bin/mozilla
Permission denied
Any program I execute in Windows runs with full privileges. Any program I execute in Linux runs only as a user. (And before you mention Windows user logins and user passwords, there are known ways around these too.)
> your own fault. The only scripting I am aware of that is allowed is
> javascript or vbscript, and its just as limited as if it were on a web
> page. like i said, its in a sandbox. the worse trick people have been
Not true. The sandbox doesn't exist - it was never even conceived. Windows3 is the basis of the system and was never intended to be opened up to the outside world. The sandbox was to be the entire PC, but by the time MS grudgingly admitted that users actually wanted the internet, the box was already looking like Swiss cheese.
> |>~ Outlook is not supposed to automatically *run* arbitrary scripts. When
> |>it does, that's an error.
Exactly. Error.
> still disagree. that has nothing to do with outlook, and Linux even has
> a fileroler or something that can start programs based on extensions.
Within the user space, not within the system space. Plus all Linux clients DEFAULT to not running these extensions and provide warnings that doing so could compromise system security.
The program you are thinking of depends on which environment the user chooses, Nautilus in Gnome or Konqueror in KDE. Neither executes arbitrary code on a web page or in HTML email within the local environment.
-- 
Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk
http://www.wewantbroadband.co.uk/
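The "Permission denied" results above come from the Unix discretionary access control rules, and the post's point is that an ordinary user, and any script running as that user, is confined by them. The following is an added example, not code from the post: a small model of those rules (owner/group/other bits, the root bypass, and the fact that unlink is decided by the containing directory, not by the file's own mode) run over a constructed sample filesystem whose paths, uids and modes are assumptions chosen to mirror the post. It goes beyond the post's three commands by also showing the sticky bit on /tmp, which stops one user removing another user's file even in a world-writable directory.

```python
# Added example (not from the original post): a model of the Unix
# discretionary access control rules that produce the "Permission denied"
# results quoted above, run over a constructed table of inodes.
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    """A file or directory as the permission check sees it (constructed sample)."""
    path: str
    uid: int        # owner
    gid: int        # group
    mode: int       # permission bits, including the sticky bit, e.g. 0o1777


@dataclass(frozen=True)
class User:
    uid: int
    gids: frozenset  # primary plus supplementary groups


def has_perm(node: Inode, user: User, want: str) -> bool:
    """Classic owner/group/other check for one of 'r', 'w', 'x'.

    Root (uid 0) bypasses read and write checks entirely; for execute
    the kernel still requires at least one x bit to be set on the file.
    """
    mask = {"r": 4, "w": 2, "x": 1}[want]
    if user.uid == 0:
        return want != "x" or bool(node.mode & 0o111)
    if user.uid == node.uid:
        bits = (node.mode >> 6) & 7
    elif node.gid in user.gids:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bool(bits & mask)


def can_unlink(parent: Inode, target: Inode, user: User) -> bool:
    """Whether `rm target` would succeed for `user`.

    unlink(2) is decided by the *directory*: the caller needs write and
    search (x) permission on the containing directory, and the target
    file's own mode bits play no part. With the sticky bit set on the
    directory (as on /tmp), only the file's owner, the directory's
    owner or root may remove it.
    """
    if user.uid == 0:
        return True
    if not (has_perm(parent, user, "w") and has_perm(parent, user, "x")):
        return False
    if parent.mode & stat.S_ISVTX:
        return user.uid in (target.uid, parent.uid)
    return True


# Constructed sample filesystem, modelled on the paths in the post (assumed
# values): uid 1000 is the ordinary user, uid 1001 another user, gid 42 "shadow".
DIRS = {
    "/etc": Inode("/etc", 0, 0, 0o755),
    "/usr/bin": Inode("/usr/bin", 0, 0, 0o755),
    "/home/neil": Inode("/home/neil", 1000, 1000, 0o755),
    "/tmp": Inode("/tmp", 0, 0, 0o1777),
}
FILES = {
    "/etc/shadow": Inode("/etc/shadow", 0, 42, 0o640),
    "/usr/bin/gcc-3.2.2": Inode("/usr/bin/gcc-3.2.2", 0, 0, 0o755),
    "/usr/bin/mozilla": Inode("/usr/bin/mozilla", 0, 0, 0o755),
    "/home/neil/notes.txt": Inode("/home/neil/notes.txt", 1000, 1000, 0o644),
    "/tmp/other.tmp": Inode("/tmp/other.tmp", 1001, 1001, 0o666),
}

NEIL = User(1000, frozenset({1000}))   # the ordinary user from the post
ROOT = User(0, frozenset({0}))


def parent_of(path: str) -> str:
    return path.rsplit("/", 1)[0] or "/"


def audit(user: User) -> dict:
    """Return {path: (can_read, can_unlink)} for every sample file."""
    result = {}
    for path, node in FILES.items():
        parent = DIRS[parent_of(path)]
        result[path] = (has_perm(node, user, "r"), can_unlink(parent, node, user))
    return result


if __name__ == "__main__":
    for who in (NEIL, ROOT):
        print(f"uid {who.uid}:")
        for path, (readable, removable) in audit(who).items():
            r = "yes" if readable else "no"
            d = "yes" if removable else "no"
            print(f"  {path:22} read={r:3} rm={d}")
```

Run as a script it prints the per-path verdicts for the ordinary user and for root. The ordinary user can read /usr/bin/gcc-3.2.2 but not remove it, can neither read nor remove /etc/shadow, and can remove only the file in the home directory; a worm running as that user is bounded the same way, which is the contrast with the Windows `del` lines above.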