Everhart,Glenn

From: Andrew Franz [afranz@ozemail.com.au]
Sent: Wednesday, April 01, 1998 8:42 AM
To: Toralv.Dirro@drsolomon.com
Cc: ntsecurity@iss.net
Subject: Re: [NTSEC] email virus - how to detect hoaxes

TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo@iss.net
Contact ntsecurity-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

1. The ActiveX Security risks can be summarised as follows:

- ActiveX relies on the user's judgement to accept (or not) a certificate (or an unsigned control).
- A previously signed control can be used (maliciously) for a different purpose than it was intended by the original signer.
- There is no way the user can know at the time of accepting the signature how general purpose the ActiveX control is. In any case, users can be fooled into accepting certificates.
- If a (malicious) ActiveX control takes some subtle action, with a delayed effect, there is no way of tracing which ActiveX control was responsible, since there is no secure audit trail.
- (malicious) ActiveX controls (accepted) can do anything an executable can do, including disabling the authentication mechanism itself.

IMO, it's not reasonable to rely on the user's judgement completely, especially when many users are new & relatively naive. Viruses are mind-games evidenced by the fact that many are spread by EMail under the guise of "funny" applications.

More links:
1. http://www.w3.org/Security/Faq/wwwsf7.html#Q65
2. http://www.w3.org/Security/Faq/wwwsf7.html#Q68
3. http://www.microsoft.com/ie/security/?/ie/security/directxbeta.htm
4. http://www.digicrime.com/activex/
5. http://www.halcyon.com/mclain/ActiveX/Exploder/

2. Java and IE - IE allows Applets to read & write to a "scratch" area on the client machine's hard disk.
This creates new potential holes (which perhaps somebody more knowledgeable could answer):
a) Can other applications (not the browser - which presumably prevents this), later invoke BAT/EXE/other files stored in the scratch area?
b) What happens when IE4 opens thumbnails?

3. Java - Some actual examples of Java Applet viruses are described at http://www.sevenlocks.com/hostileactivec/ (I found this by searching on "Java" AND "Virus" at AltaVista........)

Toralv.Dirro@drsolomon.com wrote:

> I am aware that there are lots of possible DoS-Attacks against browsers
> (and email-clients as well), but so far (as I said, to the best of my
> knowledge) I'm not aware of a way to actually exploit the newly implemented
> crap to self-replication. Certainly those possibilities, and especially how
> to protect against malicious attacks, should be investigated carefully.
>
> regards,
> Toralv Dirro
> Dr Solomon's Software GmbH
>
> Andrew Franz AT mailgate am 30.03.98 21:42:04
>
> An: ntsecurity@iss.net AT mailgate@CCMAIL
> Kopie: Toralv.Dirro@drsolomon.com AT mailgate@CCMAIL (Blindkopie: Toralv
> Dirro/TS/DE/DRS)
> Thema: Re: [NTSEC] email virus - how to detect hoaxes
>
> A slight correction to Rule#2:
> 1. Netscape Communicator 4 (Messenger) opens some attachments automatically
> - including embedded Java Applets. Since Applets exist that can crash your
> browser, it is possible to cause damage without "opening" an attachment.
> 2. Internet Explorer 4 can also open attachments inline. In the same way, an
> embedded ActiveX control will automatically launch. ActiveX controls can be
> written to do absolutely anything and provided that you accept the
> signature - will run inline.
> Consider a scenario, where an ActiveX control is designed by (say)
> Microsoft to modify registry values for a perfectly valid reason. Later, an
> unscrupulous cracker might re-use it, with different parameters to
> penetrate your system. It can no longer be said with certainty that viruses
> cannot be activated by opening EMail.
>
> Toralv Dirro wrote:
>
> > Rules to detect hoaxes (and prevent looking like a fool on lists like
> > this):
> >
> > 2. If the description suggests that this virus activates just by
> > opening/reading the mail (the mail itself, not any attachments) it is
> > a hoax. To the best of my knowledge it is currently impossible to do
> > what those hoax-viruses claim.

Andrew Franz
http://www.users.bigpond.com/afranz/