Email Clients and digital signatures

CL Gilbert
Mon Jul 7 18:04:01 2003

Hash: SHA1

Neil Williams wrote:
| On Sunday 06 Jul 2003 2:00 pm, CL Gilbert wrote:
|>Well yes, activeX has full control.  But activeX is just another name
|>for COM/DCOM which still can not simply run automatically.  I turned off
|>HTML because I got tired of being *asked* to run code that I knew I
|>would not let run.  Always, "so and so script wants to run, this can be
|>dangerours", "Authorize?"  This is what I always get from outlook
|>express.  A request, not an automatic run of a program.  So much so that
|>when Norton would catch virused emails, sometimes I would just view them
|>anyway to see what they were going to try and do.  Never failed that
|>outlook express *asked* me if I wanted the script to run.
| That would be reassuring if it was always true. That alert box isn't 100%
| reliable. Do you think all vulnerabilities in IE have been patched? The
| problem lies deeper - IE shouldn't be passing ALL requests to WSE.
Don't rely
| on VBS detection to be the be all and end all protection. Behind the
| box is a mechanism that encourages trojans. Nimda was one those what
| the dialog and - on a DEFAULT system - would execute the payload.

I agree with this.  Its MS Bugs that let arbitrary code run, not MS
default behavior.  Today you are safe, when a new bug is found, your
wide open all over again.  Hope you find out the easy way and not the
hard way about your exposure.

|>My IE settings (which is the renderer outlook express is using say this
|>for security.
|>1. Download Signed ActiveX control                            ->Prompt
|>2. Download unsigned ActiveX controls                         ->Prompt
|>3. Initialize and script ActiveX controls not marked as safe  ->Prompt
|>4. Run ActiveX controls marked as safe for scripting          ->Prompt
| Only by changing these settings to DISABLE can you be protected from
the next
| generation of Nimda. Take an analogy to a firewall - you don't reject bad
| packets, that involves CPU cycles, you DROP bad packets. In the time
it takes
| to execute the CPU cycles to reject the bad packet and create a return
| to say what has happened, the packet is still active. You shouldn't
leave the
| virus hanging in memory whilst waiting for a prompt box - it should be
| disabled and a specific user action required before it can be activated.
| Windows default is to leave it pending but still in memory. Dump it
out of
| memory and get confirmation later. Windows sits there and waits for the
| dialog box to be answered, all the while the code is in memory. (Take
a look
| with a debugging memory pointer inspection tool.)
| That is an example of a default Windows action that simply doesn't
close the
| door. It just says: "Wait there, be a nice little thug and don't do
| while my back is turned." Doh!

I don't agree with the technical aspecs of what you are saying but I
agree with your point here.  I guess I am stubborn :)

|>These are default settings.  They mean for any ActiveX control I will be
|>asked first.  Its not automatic.
| You wish. Just because it's worked so far, or it works in 99.9% of
cases, are
| you so confident that all vulnerabilities are patched?

No, I think they will only be patched if/when MS is embarrased by them.

| The default is to keep the trojan in memory - active and able to
launch an IRQ
| or similar. Close the preview, close the file handle, release the
memory and
| de-allocate the pointers. NOW ask the user. Even better, display a
warning IN
| PLACE of the message instead of annoying the user by throwing up a pesky
| dialog box. In Scotland, there are road signs that say, "Frustation
| accidents - let others pass". In Windows, it's "Continuous generation of
| dialog boxes will inevitably lead to one being clicked OK when it
should have
| been Cancel!" It only takes one.

I agree.

|>Only time its automatic is when A bug is found that someone exploits to
|>make it automatic.
| And that's hard?
| That's your defence strategy??
| One slip and the default action takes over. That is what is so
dangerous - one
| hole and EVERYTHING becomes automated, available and erasable.
Security is
| not a dialog box, it is a process, a strategy under constant review.
| Security should acknowledge that there will ALWAYS be vulnerabilities and
| that protection needs therefore to catch problems in the next layer.
| use a single layer security that isn't even worth the name.

You are misunderstanding me.  I do not defend outlook as a quality
program.  I only disagree that its designed default behavior is to run
arbitrary code.  I do not disagree that a new 'hole' is found on an
almost constant basis.  And that while effectively everything you are
saying is true, technically it is not.

|>Yes, VBSCript runs automatically, but it can not access the stuff you
|>are worried about without invoking some other code like activeX that it
|>downloads first.  and as shown above you are asked about the download.
| It can open the door.
| From the I Love You records:
| 2.  The virus disables your Windows Scripting Host's ability to pause
| executing script code, effectively thwarting the efforts of any other
| that might be able to discern whether the code is malicious before
| executes it. For Outlook to have time to notice an email attachment's
| and send up a warning, or for an anti-virus program to have the time
to see
| which application has been loaded, there needs to be a pause in the
| Host's activity. Here, the virus takes away that pause. This makes it
| impossible for Outlook to stop itself and renders it more difficult
| not impossible) for an anti-virus program to step in and stop damage from
| happening.
| Next, the ILOVEYOU virus makes it possible for another virus or some
| script -- for instance, one embedded in a Web page -- to come into your
| system and potentially inflict significantly more damage. The virus
asks your
| computer for the name of the directory where Internet Explorer
downloads its
| files. Next, it checks for the presence of a file that theoretically
could be
| created by a second virus or by a "Trojan horse" script.
|>>Not true. A site does not need a certificate to execute ActiveX
|>>elements. Nor does it need to be on a website - as the quote showed,
it is
|>>easier to execute from an HTML email where certificates have no impact.
|>As I have shown above, my default IE settings disagree with you.  And as
|>I have said above, HTML emails are rendered using IE.
| I said that too. Only I meant that as a PROBLEM not a solution! The
| settings are not reliable. The settings themselves are stored in
| readable form and can be changed by any single attack that DOES get
| You would never know. One Nimda, one registry change, a flood begins. The
| dialog box could still be generated, this time by the trojan!!
|>Never had a virus.
| How do you know? Anti-virus scans never claim to catch 100%.
| 86% thought they were safe.
| 11% were.
| 91% of the computers had what AOL categorized as spyware installed.
|>I read the below email and Still just plain
|>disagree.  This is not the default behavior.  This is the behavior
| Default: Action that is taken unless settings are changed. I'm not saying
| Windows will do this in all installations - the risks can be reduced. A
| default system is not patched, it is not secure and it will execute
| code whilst sometimes giving the illusion of protection from a ridiculous
| dialog box. What is more dangerous - a false positive or a false
| The dialog box is a false negative. "Nothing is wrong" when it can
easily miss
| specific threats.
|>always indicated when a new bug is found. "so and so bug...may allow
|>user to run arbitrary code on users machine..."  These announcements
|>make no sense because you are saying anyone can at anytime run arbitrary
|>code on your machine anyway.
| I never said that. I maintain that the default action within Windows
is to
| execute code without even seeking permission. A few paper-thin single
| devices (like that dialog box) don't change what lies beneath. The
fact that
| this dialog box has already been evaded should illuminate the risk!
| What I did say was that 'running arbitrary code' does not mean a quick
game of
| Solitaire!
|>*Show me* some example code and I will believe you.
| Why? Are you going to wait for someone else with different intentions to
| finish the job before you do anything about it?
| (example code NOT sent to a publicly archived list!!)

Maybe we are more in agreement than disagreement.  We are on the same
team at least.  I do not recommend Outlook either.  However, I prefer to
characterize it as fragile instead of broken.

- --
Thank you,

CL Gilbert
Free Java interface to
"Then said I, Wisdom [is] better than strength: nevertheless the poor
man's wisdom [is] despised, and his words are not heard." Ecclesiastes 9:16

GnuPG Key Fingerprint:
82A6 8893 C2A1 F64E A9AD  19AE 55B2 4CD7 80D2 0A2D
GNU Privacy Guard
Pretty Good Privacy (PGP), windows
users should try that.
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla -