Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


RE: Possibly yet another MS mail worm

  • From: Vivien M.
  • Date: Mon Mar 01 12:45:41 2004

> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On 
> Behalf Of Curtis Maurand
> Sent: March 1, 2004 10:38 AM
> To: Todd Vierling
> Cc: nanog@merit.edu
> Subject: Re: Possibly yet another MS mail worm
> 
> 
> My point is that the COM/DCOM/OLE/ActiveX is what allows for a script in
> an email message that gets executed to have access to the rest of the
> system, rather than executing within a protected sandbox.  Of course
> scripts within email messages shouldn't execute at all.  Once they do
> execute, they have access to the OLE objects on the machine.  It's a
> security hole big enough to drive a tank through.

And I hate to point out the obvious, but that's not what we're discussing
here. If you receive a .zip attachment, save it to disk, open it up in
WinZip or the integrated ZIP utility (which I might add is a feature GUI
OSes made outside Redmond also share), extract the .exe in it, and open it
up, ActiveX/OLE/DCOM/etc. has NOTHING to do with the fact that the thing is
destructive and that you were allowed to run it.

Sure, having an executable flag like on *NIX would make it a little harder,
but you know what? If I send you a shell script on *NIX called run-me.sh in
a tarball that does a rm -rf / if you're root, and tells you to be root if
you're not, then your session will look like this:
1. Save blah.tar.gz to disk.
2. tar zxf blah.tar.gz
3. chmod 755 run-me.sh
4. ./run-me.sh
5. "Error. This script must be run as root."
6. su -
7. ./run-me.sh
8. Wave byebye to your filesystems.

The problem then isn't technological: an alternative OS, with an
equally-determined (and idiotic) user as the Windows user, provides ZERO
protection against this type of attack. And if you think that step 3 or 5
provided any protection against a determined user, you're wrong.

Vivien
-- 
Vivien M.
vivienm@dyndns.org
Assistant System Administrator
Dynamic Network Services, Inc.
http://www.dyndns.org/ 
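The eight-step *NIX session in the message above, rebuilt as an added example (not part of the original post or of any project) in a scratch directory with a harmless stand-in for the destructive payload. It also shows one thing the list does not spell out: tar preserves mode bits, so an attacker who chmods the script before packing makes step 3 (chmod 755) unnecessary, and the "must be root" check in step 5 is a one-line comparison of the uid, a prompt rather than a barrier. The FAKE_UID variable and the function names are assumptions of this demo so the walk-through is deterministic whatever uid the reader runs it as.

```shell
#!/bin/sh
# Added example, not code from the original post. Rebuilds the
# blah.tar.gz / run-me.sh session in a scratch directory with an echo
# in place of rm -rf /. FAKE_UID is an assumption of this demo: it lets
# the "are we root?" branch be exercised without actually being root.

build_tarball() {
    # $1 = scratch directory. Writes $1/blah.tar.gz containing run-me.sh,
    # already mode 755, the way an attacker would pack it.
    dir=$1
    mkdir -p "$dir/src"
    cat > "$dir/src/run-me.sh" <<'EOF'
#!/bin/sh
# Harmless stand-in for the payload described in the post.
uid=${FAKE_UID:-$(id -u)}
if [ "$uid" -ne 0 ]; then
    echo "Error. This script must be run as root." >&2
    exit 1
fi
echo "root: would now run rm -rf /"
exit 0
EOF
    chmod 755 "$dir/src/run-me.sh"
    tar -C "$dir/src" -czf "$dir/blah.tar.gz" run-me.sh
}

extract_tarball() {
    # Step 2 of the session, as the victim: tar zxf blah.tar.gz.
    # $1 = scratch directory; files land in $1/victim.
    dir=$1
    mkdir -p "$dir/victim"
    tar -C "$dir/victim" -xzf "$dir/blah.tar.gz"
}

run_as() {
    # Steps 4 and 7: run the extracted script as if we were uid $2.
    # Echoes whatever the script prints; returns the script's exit status.
    FAKE_UID=$2 "$1/victim/run-me.sh"
}

demo() {
    # Walks the session once as a normal user (uid 1000) and once as root.
    d=$(mktemp -d)
    build_tarball "$d"
    extract_tarball "$d"
    if [ -x "$d/victim/run-me.sh" ]; then
        echo "execute bit survived extraction: step 3 (chmod 755) not even needed"
    fi
    if run_as "$d" 1000; then
        echo "unexpected: ran as non-root"
    else
        echo "step 5: the script merely asked for root"
    fi
    run_as "$d" 0 && echo "step 8: nothing stopped it"
    rm -rf "$d"
}

demo
```

The only thing standing between the user and step 8 is the user; the execute bit and the root check are both a single command away, exactly as the message argues.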