North American Network Operators Group


Re: Virus Update

  • From: Eric A. Hall
  • Date: Thu May 04 17:45:55 2000

> Is Outlook Express immune to this or does it execute VB script too?

If you have VBS installed (Windows Scripting Host) and you execute the
attachment you will be in big trouble. This applies to all Windows
mailers, whether it be Eudora or Communicator or whatever. AFAIK, the
only mailer that automatically executes VBS is Outlook.

The real culprit here is the power that Microsoft apps (Outlook in
particular) give to VB Script. On the one hand, it's nice that Microsoft
gives companies workflow management capabilities over e-mail through the
use of a generic scripting service (VBS lets you do some pretty neat
things with client-side scripting).

On the other hand, this is way too much power to be providing to an
Internet-connected user base. The Java sandbox model is much more
appropriate for that specific context, given that the basic (non-NT)
Windows PC doesn't have any concept of system security. Even JavaScript
is much less harmful, but that's mostly because it has a fairly limited
command structure, not because it's inherently "more secure."

I think that Microsoft really needs to evaluate their security model for
mail in general. The simplest approach would be to do Zones like they
have for Web content, where mails from certain sites are "trusted" and
mails from other sites have varying degrees of distrust. Determining
"trust" with e-mail is hard though. Do I "trust" somebody in my Address
Book, even though that's where most of these viruses are coming from?

Maybe users should disable whatever Scripting Host services they have
installed. This isn't entirely possible since a lot of Microsoft apps
and services depend on Windows Scripting Host in order for them to even
function (the Windows Update service requires it, for example).
Obviously not everybody can do this.

Firewall filters that cull VBS attachments are another option, but of
course the same problems show up with EXE attachments (or with LNK
attachments as we saw with Eudora last week). AppleScript attachments
for Mac users could easily be just as deadly given the access they
have. The only reason they're relatively safe is that nobody wants to
waste time writing scripts that only affect 10% of the user base. And of
course, any of the Unix mailers will gladly accept malicious attachments
too, so as a platform it's certainly no safer (although if you're
running a limited-rights account you won't be able to do as much damage
by running an untested attachment as if you run a highly privileged
account; I'm sure nobody here does that, right?).

It's just very hard to make e-mail secure, unless you're doing virus
scans on every message at every way-station. In the meantime, don't open
unknown attachments, and don't run Outlook.

-- 
Eric A. Hall                                            [email protected]
+1-650-685-0557                                    http://www.ehsco.com
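
Added example, not part of the original message: a minimal sketch of the gateway-side attachment filter the post mentions, using Python's standard `email` package. The blocklist contains only the three extensions named in the post; the function names, sample addresses and sample filenames are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions named in the post; a real gateway policy would be site-specific.
BLOCKED_EXTENSIONS = {"vbs", "exe", "lnk"}


def final_extension(filename):
    """Return the lower-cased extension Windows would act on."""
    # Drop any path component a sender may have put in the filename.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores trailing dots and spaces, so "a.vbs. " is still a .vbs.
    name = name.rstrip(". ")
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def blocked_attachments(raw_bytes):
    """Return filenames of MIME parts whose final extension is blocklisted."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    # walk() descends into nested multiparts and forwarded messages.
    for part in msg.walk():
        filename = part.get_filename()  # parameter encodings are decoded for us
        if filename and final_extension(filename) in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits


def build_sample(filenames):
    """Build a constructed test message carrying one attachment per filename."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    for fn in filenames:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fn)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample(["report.txt", "note.TXT.vbs", "setup.EXE",
                           "shortcut.lnk", "photo.jpg"])
    print(blocked_attachments(sample))
```

The check keys on the last extension only, so a name that looks like a text file but ends in a blocked extension is still caught; as the post notes, an extension list covers only the file types someone thought to list.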