From: David Nicholls (David.Nicholls at domain ashling.com)
Date: Tue 09 May 2000 - 14:05:00 IST

Wait just a second....

The tone of this message is that LOVEBUG gets run automatically by Outlook.
Is this really the case? My understanding was that the reason it was
propagating was that people were double-clicking on the attachment, which was
associated with Windows Scripting Host.

The problem is that in versions of Outlook without the latest patches, it
doesn't warn you that this is a dangerous action.

IMHO this is no different than sending around a malicious shell script and
asking users to run it. The main difference is that users of packages such
as Outlook have developed a bad habit of opening any attachments they are
sent.

I know this because I received a copy of the virus from a mailing list I am
on and it caused me no ill effects because I knew straight away that it was
very suspect. Afterwards I tested my version of Outlook with a dummy script
to see what would happen if I had double-clicked on it and found that it warned
me to save it to disk as there was a strong risk of it being a virus.

Of course I could be wrong! Does anyone on the list know of a case where
LOVEBUG can be run just by downloading the e-mail or opening the e-mail
without opening the attachment?

B.T.W. I do acknowledge that it would be very easy to write a virus which
autoruns when opened by Outlook, but I just didn't think that this was one of
them.

My 2p,
Dave.

-----Original Message-----
From: ilug-admin at domain linux.ie [mailto:ilug-admin at domain linux.ie] On Behalf Of Justin Mason
Sent: 09 May 2000 13:45
To: Paul Jakma
Cc: Justin Mason; Martin Donlon; Donncha O Caoimh; ilug at domain linux.ie
Subject: Re: [ILUG] Fwd: will the love ever cease? <unix now targeted>

Paul Jakma said:

> > BTW Paul are you serious about older versions of pine running attached
> > shell scripts?? That's *so* broken.
>
> not quite as bad as that. :)
> but older versions of pine had a mime-parsing bug, which meant it was
> possible to get pine to run arbitrary shell commands by sending it the
> right mime-headers. :(

I remember that one. but that's not quite in the same boat as the
running-attached-shell-script issue...

automatically running attached shell script or vbs file = stupid stupid mailreader

bug in MIME parsing = whoops! bad code, but not quite stupid

And that "UNIX virus" mail claimed "It contains (sic) of a so-called shell
script which, when executed [...]" rather than mentioning overflowing
buffers or exploiting a bug...

I agree that theoretically you could set up a UNIX mail virus, but without
a really really badly designed security model overall (viz Outlook and
Windows) it's not going to get very far if it has to rely on various
buffer overflows and bugs in a myriad of different mailreader versions to
get itself run.

> (wouldn't be surprised if similar bugs existed in other unix mail handlers
> that parsed mime).

yep, there was a buffer overflow if I recall correctly, found in nmh a
coupla months ago :( Of course a fix was released in a few days and all
the vendors have binaries for it on their websites.

--j.