Security Hole in Netscape and Microsoft email clients
- To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
- Subject: Security Hole in Netscape and Microsoft email clients
- From: Shimon Gruper <shimonIL.ESAFE.COM>
- Date: Thu, 30 Jul 1998 02:36:25 -0400
- Reply-To: Shimon Gruper <shimonIL.ESAFE.COM>
- Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>
The new security flaw in Microsoft Outlook and Netscape Mail applications made today's headlines in all the major newspapers. The exact description of this bug was not disclosed and I do not know how exactly the executable code attached to an email can start running by itself. However, the whole idea of malicious code that can be attached to emails is not new. I have anticipated for a long time that somebody will discover a way to auto-execute email attachments and use this to send hostile executables or, as I call them, "VANDALS".

We have developed a unique technology, which is similar to the sand-box used in Java, but we extend it to all other internet-enabled applications. This means that each and every application that works with the Internet can only utilize very limited system resources. Normally all applications running on the user's computer have the same privileges as the user himself. However, this is very insecure when working with the Internet and I think that every Internet-enabled application must only have 'guest' privileges, with limited access to system resources. Our sand-box will allow access only to those resources that are necessary for the application's operation.

When the email clients, such as MS Outlook or Netscape, are placed in the sand-box, then any other application spawned by them, such as ActiveX (in IE) or an email attachment, will be placed in the same sand-box, limiting their ability to do malicious things. This approach will, in most cases, protect against exploiting Internet-enabled application bugs that create security holes. As you can see, this Sand-box technology can effectively protect against Vandals sent by email, even if they are auto-executed by the email client due to a bug.

If you are interested to learn more about our Sand-box technology, please download a very detailed technical paper that I wrote, from:
ftp://ftp.eprotect.com/pub/manuals/vandal-tech-wp.pdf

If you are interested to learn more about our eSafe Protect line of products, please visit our website at: www.esafe.com

Shimon Gruper - eSafe Technologies, Inc.
-------------------------------------------------
eSafe Technologies, Inc. / EliaShim Ltd.
email: shimonil.esafe.com
Tel: (206) 524-9159
web: www.esafe.com
Fax: (206) 524-9979
-------------------------------------------------