
Integration in your in-box equals insecurity

Jim Reavis
Network World on Security, 11/29/99

In a classic example of reaping what you sow, the efforts to integrate HTML readers and active content into e-mail have led to dangerously simple avenues for the bad guys to deploy viruses and other forms of malicious code. As noted bug hunter Juan Carlos Garcia Cuartango recently reported, the combination of Microsoft Outlook, Internet Explorer and Active Scripting can be a lethal one.

It used to be that we would all laugh at the e-mail hoaxes that warned us not to open a message with a scary title or it would delete your hard drive. You simply cannot get a virus infection by opening a message - it's what you do with the attachment, we said. Be careful with executable attachments such as programs or Word documents with macros, and save them to your hard drive for later examination: that has been the advice.


However, a mail reader such as Outlook, which renders HTML with ActiveX or JavaScript, is making us rethink the standard safe practices. Although browser controls are supposed to have limits to what local machine services they can access, the latest vulnerability in the industry shows how a creative hacker can use the complexities of the integration between Outlook and Internet Explorer to overstep boundaries and damage a system.

The scenario constructed out of this latest vulnerability goes like this:

  • A nasty programmer creates a killer program that is designed to delete key system files. The program in this case is disguised as a Microsoft Cabinet file with a CAB extension.
  • The programmer also creates an HTML message with an ActiveX control. The purpose of the ActiveX control is to launch the disguised program when it is copied to the local TEMP directory. How is the malicious program copied to TEMP?
  • By using any number of creative methods, the HTML message convinces the user to open the attachment. Because the attachment is not of an executable type normally associated with viruses, the user's guard is down. When the attachment does not work correctly (it is not really a Cabinet file) the user gets an error message. However, during this time a copy of the attachment has been saved in the TEMP directory. (If you haven't looked in your TEMP lately, you might be surprised at the data files you find in there.)
  • The ActiveX control, which could be set up in a looping mode while looking for the file, now launches it.
  • The killer program deletes system files.
  • The user leaves the office, and begins happy hour a little early.

Technically, the culpable system component in this scenario is not Outlook, but Internet Explorer (IE). IE is rendering the HTML page and provides the execution environment for the ActiveX control. The patch produced by Microsoft for this problem fixes an ActiveX control within IE. The patch requires that CAB files be digitally signed. This is a tactical patch that addresses the problem as described by Cuartango, but leaves open the possibility that new HTML e-mail exploits could be designed for other file types. Using HTML e-mail leaves open the possibility of a new class of viruses that infect users who believe they are following safe e-mail practices.
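As an added illustration (not code from the column, from Cuartango or from Microsoft), the following mail-gateway style check looks for the combination the scenario relies on: an HTML body carrying active-content tags together with an attachment that claims to be a Cabinet file but lacks the CAB signature. The sample message, the placeholder classid and the extension list are all constructed for this example.

```python
import email
import os
import re
from email import policy

# Tags that pull active content (ActiveX controls, scripting) into an HTML body.
ACTIVE_TAG_RE = re.compile(r"<\s*(object|script|embed|applet)\b", re.IGNORECASE)
# Attachment extensions to flag; a constructed list, not one from the column.
RISKY_EXTENSIONS = {".cab", ".exe"}


def assess_message(raw):
    """Return (suspicious, findings) for a raw RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = {"active_html": set(), "risky_attachments": [], "fake_cab": []}
    for part in msg.walk():
        fname = part.get_filename()
        if part.get_content_type() == "text/html" and not fname:
            tags = ACTIVE_TAG_RE.findall(part.get_content())
            findings["active_html"].update(t.lower() for t in tags)
        elif fname:
            ext = os.path.splitext(fname)[1].lower()
            if ext in RISKY_EXTENSIONS:
                findings["risky_attachments"].append(fname)
            # A genuine Cabinet file begins with the bytes "MSCF"; a .cab that
            # does not is a disguised payload like the one in the scenario.
            if ext == ".cab" and not part.get_payload(decode=True).startswith(b"MSCF"):
                findings["fake_cab"].append(fname)
    # The pattern from the column: active HTML body plus a suspicious attachment.
    suspicious = bool(findings["active_html"]) and bool(
        findings["risky_attachments"] or findings["fake_cab"])
    return suspicious, findings


# Constructed sample message: HTML body with an <object> tag and a bogus .cab.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>Please open the attached update.
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object></body></html>
--b1
Content-Type: application/octet-stream; name="update.cab"
Content-Disposition: attachment; filename="update.cab"
Content-Transfer-Encoding: base64

bm90IGEgY2FiaW5ldCBmaWxl
--b1--
"""
```

Running `assess_message(SAMPLE)` flags the message because the body contains an `<object>` tag and the attachment named `update.cab` does not begin with the CAB signature.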

While it is popular to blame Microsoft for the problem, and the company certainly deserves its share, isn't this integration and capability to send HTML files to other users something many of us have requested? If you haven't wanted these features, certainly many Internet e-mail marketers have seen it as a strategic way to send you eye-catching content in a sea of e-mail messages.

This condition for HTML-borne e-mail viruses has been speculated upon for some time. The desire for integration and rich content has led to a situation that can more easily be exploited by the bad guys. For now we must diligently apply browser patches, possibly disable browser Active Scripting and potentially prevent our e-mail systems from rendering HTML messages.

For the long term, we must look to the source and secure the operating system itself from hostile code.

RELATED LINKS

MS bug opens door to your hard drive
MSNBC, 11/15/99.

Patch Available for "Active Setup Control" Vulnerability

Archive of Network World on Security newsletters

Jim Reavis, the founder of SecurityPortal.com, is an analyst with over 10 years' experience consulting with Fortune 500 organizations on networking and security-related technology projects. SecurityPortal.com is a Web site dedicated to providing IT professionals with comprehensive information about network security issues. Jim can be reached at jreavis@securityportal.com.
