Email Clients and digital signatures

CL Gilbert Lamont_Gilbert@RigidSoftware.com
Sun Jul 6 06:21:04 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well I have been away from the scripting for a while so I will say that
what you say makes no sense if that is true.

I know Java could Never do anything like that, even though the program
can run automatically when you visit a web page or download an email.

Same with javascript.  It just does not have access to these things.

And we are all the way to XP and Windows is doing something stupid as that.

Also the default action is NOT to allow arbitrary code to execute.  It
depends on the certificate of the code or website.

If this is so, why do I still get malicious emails that require me to
run a program?  Why don't I get sent ones that just run automatically??


CL



Neil Williams wrote:
| On Saturday 05 Jul 2003 5:45 pm, CL Gilbert wrote:
|
|>I don't comprehend this.  A script is not allowed to run local programs.
|
|
| Of course it is allowed - the default action is to allow execution of any
| program, local or not. If it was just Javascript it wouldn't be a problem.
| But VBScript/ActiveX is involved and therefore so is the system registry, the
| main windows API and through that the CPU. Windows scripting worms are
| capable of downloading malicious code completely without intervention:
| http://www.winguides.com/security/display.php/315/
| (other than allowing HTML emails to be viewed as HTML).
|
| This works because HTML emails are rendered using IE and therefore the usual
| IE vulnerabilities are added to the mail client. So by constructing a
| deliberate page that automatically loads the code, then constructing a
| matching email worm to load that URL in the email preview, the trojan can be
| installed. As noted in the quote below, the malicious web page could simply
| be emailed directly, cutting out one step but still exposing the true
| vulnerability: IE and its propensity to help malicious HTML email.
|
| <quote>
| The Windows Script Engine provides Windows operating systems with the ability
| to execute script code. Script code can be used to add functionality to web
| pages, or to automate tasks within the operating system or within a program.
| Script code can be written in several different scripting languages, such as
| Visual Basic Script, or JScript.
|
| A flaw exists in the way by which the Windows Script Engine for JScript
| processes information. An attacker could exploit the vulnerability by
| constructing a web page that, when visited by the user, would execute code of
| the attacker's choice with the user's privileges. The web page could be
| hosted on a web site, or sent directly to the user in email.
| </quote>
|
| It has already been done, email worms are currently out there that can and
| have performed exactly these operations. (Not always with the nicety of
| obeying the user's privileges - which are weakly enforced at best.)
|
| The people who write these malicious pages and scripts are not short of time,
| intent or ability. You might think it isn't worth it, but there are plenty of
| people who see it as extremely entertaining.
|
| There are tips available to bolster Windows' poor security, including on my
| own site:
| http://www.codehelp.co.uk/html/winemail.html
| http://www.codehelp.co.uk/html/winprotect.html
|
| Other info:
| http://antivirus.about.com/library/blemail.htm
| http://www.oreillynet.com/pub/a/network/2000/05/22/security.html
|
|
|>~ And certainly NOT automatically.  Anything you start on your own is
|
|
| Not true. Automation is easy. Automation IS THE DEFAULT ACTION! The Windows
| Scripting Engine is always loaded within Windows (Win95/98 allowed
| uninstallation, later versions try to reinstall at reboot) and is always
| ready to execute ANY active code that is passed along. IE will, by default,
| ALWAYS pass on ALL active code to WSE. This is ostensibly because IE and
| Explorer are meant to operate together and this is the source of the
| problems. Explorer is meant to operate WSE and run local macros, automate
| desktop tasks, load programs silently, etc. Netscape doesn't have these
| vulnerabilities because it isn't part of Explorer. IE cannot easily avoid
| calling WSE. If it did, Outlook would not become vulnerable in turn.
|
| The core problem is that Windows treats all users as the system administrator
| and assumes that all users have the authority to e.g. format the C: drive.
| Doh!
|
| Unix/Linux realise that not all users can be trusted not to do this - least of
| all automated tasks running in what should be the 'user' environment. When
| running Linux as an ordinary user (99.9999% of the time), I cannot delete
| anything except what is in my own user space. I cannot overwrite system
| files, I cannot amend or add to system settings. I cannot run programs that
| have the authority to change any of these things.
|
| A simple example. From the command line (DOS), type:
| del c:\windows\win.ini
| del c:\windows\system\user.exe
| del c:\progra~1\intern~1\iexplore.exe
|
| What, you can delete all three? In Unix/Linux you get:
| $ rm /etc/shadow
| Permission denied
| $ rm /usr/bin/gcc-3.2.2
| Permission denied
| $ rm /usr/bin/mozilla
| Permission denied
|
| Any program I execute in Windows runs with full privileges. Any program I
| execute in Linux runs only as a user. (And before you mention Windows user
| logins and user passwords, there are known ways around these too.)
|
|
|>your own fault.  The only scripting I am aware of that is allowed is
|>javascript or vbscript, and it's just as limited as if it were on a web
|>page.  Like I said, it's in a sandbox.  The worst trick people have been
|
|
| Not true. The sandbox doesn't exist - it was never even conceived. Windows3 is
| the basis of the system and was never intended to be opened up to the outside
| world. The sandbox was to be the entire PC, but by the time MS grudgingly
| admitted that users actually wanted the internet, the box was already looking
| like swiss cheese.
|
|
|>|>~ Outlook is not supposed to automatically *run* arbitrary scripts. When
|>|>it does, that's an error.
|
|
| Exactly. Error.
|
|
|>still disagree.  that has nothing to do with outlook, and Linux even has
|>a fileroler or something that can start programs based on extensions.
|
|
| Within the user space, not within the system space. Plus all Linux clients
| DEFAULT to not running these extensions and provide warnings that doing so
| could compromise system security.
|
| The program you are thinking of depends on which environment the user chooses,
| Nautilus in Gnome or Konqueror in KDE. Neither executes arbitrary code on a
| web page or in HTML email within the local environment.
|


- --
Thank you,


CL Gilbert
Free Java interface to Freechess.org
http://www.rigidsoftware.com/Chess/chess.html
"Then said I, Wisdom [is] better than strength: nevertheless the poor
man's wisdom [is] despised, and his words are not heard." Ecclesiastes 9:16

GnuPG Key Fingerprint:
82A6 8893 C2A1 F64E A9AD  19AE 55B2 4CD7 80D2 0A2D
GNU Privacy Guard http://www.gnupg.org
Pretty Good Privacy (PGP) http://web.mit.edu/network/pgp.html, windows
users should try that.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/B6QHVbJM14DSCi0RAipHAJ4s4QyGlbOA5Xf1fsqZ9UPuoj1UxwCeK4+e
MilB+vfa2qPZrDQR2KRbQdQ=
=xYTL
-----END PGP SIGNATURE-----