Subject: Re: Changed subject (was Re: reg. virus named ...)
From: Ari Gordon-Schlosberg (regsnebcorp.com)
Date: Fri May 05 2000 - 18:19:44 CDT


[Thomas Andres <tandresvis.ethz.ch>]
>
> > My proposal would be to recognize certain types of messages and do
> > things to ensure that they don't automatically fire off
> > possibly-dangerous behavior in email clients. As a first cut I'm
> > thinking of taking anything that matches the PCRE
> >
> > ^Content-(?:Type|Disposition): (?:.|\n\s)*name=("?)[^"]+\.vbs\1
>
> I think you're missing the most dangerous messages with this. Namely
> html-mails with some script code embedded. Of course you can't block html
> mails (even though I would like that).
>
> IMHO these are far more dangerous, because you don't need to open any
> attachment. On the other hand, I think M$ fixed that bug in OE...

That's less of an issue, as vbs in the context of an email message body is
executed in the Internet security context, which does not let it do what
the virus does.

However, since it was sent as an attachment and clicked on, it now runs in
a local context with full permissions to do anything.

To Microsoft's credit, there is a bit of sandbox that all this executable
content is run in. However, attachments are treated as if they were saved
to disk and then opened, which is to say with the same permissions as Word
or Explorer.

-- 
Ari							there is no spoon
-------------------------------------------------------------------------
http://www.nebcorp.com/~regs/pgp for PGP public key
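
Added example, not part of the original thread: the PCRE quoted above, run over constructed MIME header blocks to show which attachment headers it flags. Assumptions: the pattern is applied in multi-line mode, the file names are made up, and the case-insensitive variant is an addition for comparison, not something proposed in the thread.

```python
import re

# The PCRE quoted in the thread, unchanged. Assumption: it is applied in
# multi-line mode so that ^ anchors at the start of each header line.
PATTERN = r'^Content-(?:Type|Disposition): (?:.|\n\s)*name=("?)[^"]+\.vbs\1'
AS_POSTED = re.compile(PATTERN, re.MULTILINE)
# Assumption: a case-insensitive variant, since Windows ignores extension case.
CASE_FOLDED = re.compile(PATTERN, re.MULTILINE | re.IGNORECASE)

# Constructed MIME header blocks (not taken from any real message).
SAMPLES = {
    "folded Content-Type": (
        "Content-Type: application/octet-stream;\n"
        '\tname="note.txt.vbs"\n'
    ),
    "Content-Disposition filename": (
        'Content-Disposition: attachment; filename="note.txt.vbs"\n'
    ),
    "unquoted name": "Content-Type: application/octet-stream; name=note.vbs\n",
    "upper-case extension": (
        'Content-Type: application/octet-stream; name="NOTE.TXT.VBS"\n'
    ),
    "plain text attachment": 'Content-Type: text/plain; name="notes.txt"\n',
}


def scan(samples=SAMPLES):
    """Return {label: (hit_as_posted, hit_case_folded)} for each header block."""
    return {
        label: (bool(AS_POSTED.search(h)), bool(CASE_FOLDED.search(h)))
        for label, h in samples.items()
    }


if __name__ == "__main__":
    for label, (posted, folded) in scan().items():
        print(f"{label:32} as-posted={posted!s:5} case-folded={folded}")
```

The `(?:.|\n\s)*` group is what lets the pattern follow a folded header onto its continuation line, and `name=` also matches inside `filename=`.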