Email Clients and digital signatures
Mon Jul 7 18:04:01 2003
Neil Williams wrote:
| On Sunday 06 Jul 2003 2:00 pm, CL Gilbert wrote:
|>Well yes, activeX has full control. But activeX is just another name
|>for COM/DCOM which still can not simply run automatically. I turned off
|>HTML because I got tired of being *asked* to run code that I knew I
|>would not let run. Always, "so and so script wants to run, this can be
|>dangerous", "Authorize?" This is what I always get from outlook
|>express. A request, not an automatic run of a program. So much so that
|>when Norton would catch virused emails, sometimes I would just view them
|>anyway to see what they were going to try and do. Never failed that
|>outlook express *asked* me if I wanted the script to run.
| That would be reassuring if it was always true. That alert box isn't 100%
| reliable. Do you think all vulnerabilities in IE have been patched? The
| problem lies deeper - IE shouldn't be passing ALL requests to WSE.
| on VBS detection to be the be all and end all protection. Behind the
| box is a mechanism that encourages trojans. Nimda was one those what
| the dialog and - on a DEFAULT system - would execute the payload.
I agree with this. It's MS bugs that let arbitrary code run, not MS
default behavior. Today you are safe, when a new bug is found, you're
wide open all over again. Hope you find out the easy way and not the
hard way about your exposure.
|>My IE settings (which is the renderer outlook express is using) say this
|>1. Download Signed ActiveX control ->Prompt
|>2. Download unsigned ActiveX controls ->Prompt
|>3. Initialize and script ActiveX controls not marked as safe ->Prompt
|>4. Run ActiveX controls marked as safe for scripting ->Prompt
| Only by changing these settings to DISABLE can you be protected from
| generation of Nimda. Take an analogy to a firewall - you don't reject bad
| packets, that involves CPU cycles, you DROP bad packets. In the time
| to execute the CPU cycles to reject the bad packet and create a return
| to say what has happened, the packet is still active. You shouldn't
| virus hanging in memory whilst waiting for a prompt box - it should be
| disabled and a specific user action required before it can be activated.
| Windows default is to leave it pending but still in memory. Dump it
| memory and get confirmation later. Windows sits there and waits for the
| dialog box to be answered, all the while the code is in memory. (Take
| with a debugging memory pointer inspection tool.)
| That is an example of a default Windows action that simply doesn't
| door. It just says: "Wait there, be a nice little thug and don't do
| while my back is turned." Doh!
I don't agree with the technical aspects of what you are saying but I
agree with your point here. I guess I am stubborn :)
|>These are default settings. They mean for any ActiveX control I will be
|>asked first. It's not automatic.
| You wish. Just because it's worked so far, or it works in 99.9% of
| you so confident that all vulnerabilities are patched?
No, I think they will only be patched if/when MS is embarrassed by them.
| The default is to keep the trojan in memory - active and able to launch an IRQ
| or similar. Close the preview, close the file handle, release the
| de-allocate the pointers. NOW ask the user. Even better, display a
| PLACE of the message instead of annoying the user by throwing up a pesky
| dialog box. In Scotland, there are road signs that say, "Frustration
| accidents - let others pass". In Windows, it's "Continuous generation of
| dialog boxes will inevitably lead to one being clicked OK when it
| been Cancel!" It only takes one.
|>Only time it's automatic is when a bug is found that someone exploits to
|>make it automatic.
| And that's hard?
| That's your defence strategy??
| One slip and the default action takes over. That is what is so dangerous - one
| hole and EVERYTHING becomes automated, available and erasable.
| not a dialog box, it is a process, a strategy under constant review.
| Security should acknowledge that there will ALWAYS be vulnerabilities and
| that protection needs therefore to catch problems in the next layer.
| use a single layer security that isn't even worth the name.
You are misunderstanding me. I do not defend outlook as a quality
program. I only disagree that its designed default behavior is to run
arbitrary code. I do not disagree that a new 'hole' is found on an
almost constant basis. And that while effectively everything you are
saying is true, technically it is not.
|>Yes, VBScript runs automatically, but it can not access the stuff you
|>are worried about without invoking some other code like activeX that it
|>downloads first. And as shown above you are asked about the download.
| It can open the door.
| From the I Love You records:
| 2. The virus disables your Windows Scripting Host's ability to pause
| executing script code, effectively thwarting the efforts of any other
| that might be able to discern whether the code is malicious before
| executes it. For Outlook to have time to notice an email attachment's
| and send up a warning, or for an anti-virus program to have the time
| which application has been loaded, there needs to be a pause in the
| Host's activity. Here, the virus takes away that pause. This makes it
| impossible for Outlook to stop itself and renders it more difficult
| not impossible) for an anti-virus program to step in and stop damage from
| Next, the ILOVEYOU virus makes it possible for another virus or some
| script -- for instance, one embedded in a Web page -- to come into your
| system and potentially inflict significantly more damage. The virus
| computer for the name of the directory where Internet Explorer
| files. Next, it checks for the presence of a file that theoretically
| created by a second virus or by a "Trojan horse" script.
|>>Not true. A site does not need a certificate to execute ActiveX
|>>elements. Nor does it need to be on a website - as the quote showed,
|>>easier to execute from an HTML email where certificates have no impact.
|>As I have shown above, my default IE settings disagree with you. And as
|>I have said above, HTML emails are rendered using IE.
| I said that too. Only I meant that as a PROBLEM not a solution! The
| settings are not reliable. The settings themselves are stored in
| readable form and can be changed by any single attack that DOES get
| You would never know. One Nimda, one registry change, a flood begins. The
| dialog box could still be generated, this time by the trojan!!
|>Never had a virus.
| How do you know? Anti-virus scans never claim to catch 100%.
| 86% thought they were safe.
| 11% were.
| 91% of the computers had what AOL categorized as spyware installed.
|>I read the below email and Still just plain
|>disagree. This is not the default behavior. This is the behavior
| Default: Action that is taken unless settings are changed. I'm not saying
| Windows will do this in all installations - the risks can be reduced. A
| default system is not patched, it is not secure and it will execute
| code whilst sometimes giving the illusion of protection from a ridiculous
| dialog box. What is more dangerous - a false positive or a false
| The dialog box is a false negative. "Nothing is wrong" when it can
| specific threats.
|>always indicated when a new bug is found. "so and so bug...may allow
|>user to run arbitrary code on users machine..." These announcements
|>make no sense because you are saying anyone can at anytime run arbitrary
|>code on your machine anyway.
| I never said that. I maintain that the default action within Windows
| execute code without even seeking permission. A few paper-thin single
| devices (like that dialog box) don't change what lies beneath. The
| this dialog box has already been evaded should illuminate the risk!
| What I did say was that 'running arbitrary code' does not mean a quick
|>*Show me* some example code and I will believe you.
| Why? Are you going to wait for someone else with different intentions to
| finish the job before you do anything about it?
| (example code NOT sent to a publicly archived list!!)
Maybe we are more in agreement than disagreement. We are on the same
team at least. I do not recommend Outlook either. However, I prefer to
characterize it as fragile instead of broken.
Free Java interface to Freechess.org
"Then said I, Wisdom [is] better than strength: nevertheless the poor
man's wisdom [is] despised, and his words are not heard." Ecclesiastes 9:16
GnuPG Key Fingerprint:
82A6 8893 C2A1 F64E A9AD 19AE 55B2 4CD7 80D2 0A2D
GNU Privacy Guard http://www.gnupg.org
Pretty Good Privacy (PGP) http://web.mit.edu/network/pgp.html, windows
users should try that.