North American Network Operators Group
RE: Possibly yet another MS mail worm
- From: Vivien M.
- Date: Mon Mar 01 12:45:41 2004
> -----Original Message-----
> From: firstname.lastname@example.org [mailto:email@example.com] On
> Behalf Of Curtis Maurand
> Sent: March 1, 2004 10:38 AM
> To: Todd Vierling
> Cc: firstname.lastname@example.org
> Subject: Re: Possibly yet another MS mail worm
> My point is that the COM/DCOM/OLE/ActiveX is what allows for a script in
> an email message that gets executed to have access to the rest of the
> system, rather than executing within a protected sandbox. Of course
> scripts within email messages shouldn't execute at all. Once they do
> execute, they have access to the OLE objects on the machine. It's a
> security hole big enough to drive a tank through.
And I hate to point out the obvious, but that's not what we're discussing
here. If you receive a .zip attachment, save it to disk, open it up in
WinZip or the integrated ZIP utility (which I might add is a feature GUI
OSes made outside Redmond also share), extract the .exe in it, and open it
up, ActiveX/OLE/DCOM/etc has NOTHING to do with the fact that the thing is
destructive and that you were allowed to run it.
Sure, having an executable flag like on *NIX would make it a little harder,
but you know what? If I send you a shell script on *NIX called run-me.sh in
a tarball that does a rm -rf / if you're root, and tells you to be root if
you're not, then your session will look like this:
1. Save blah.tar.gz to disk.
2. tar zxf blah.tar.gz
3. chmod 755 run-me.sh
5. "Error. This script must be run as root."
6. su -
8. Wave byebye to your filesystems.
The problem then isn't technological: an alternative OS, with an
equally-determined (and idiotic) user as the Windows user, provides ZERO
protection against this type of attack. And if you think that step 3 or 5
provided any protection against a determined user, you're wrong.
Assistant System Administrator
Dynamic Network Services, Inc.