Misplaced flamewar... WAS: RE: in case nobody else noticed it, there was a mail worm released today

: The rate of it is quite surprising. By the description, the trick /
: method of infection does not seem all that different than past worms
: viri. Makes me wonder how many people in a room would reach into their
: purse/pocket on hearing, "Wallet inspector"

Every single person that still opens these damn attachments! :frowning:

IN WINDOWS!

So? Had the virii been an application compiled for RedHat and
everyone ran RedHat instead of Windows and they downloaded it using
Evolution and double clicked on it, it would suddenly be RH's fault
instead of Microsoft's? Or is it sendmail's fault because it was
listening on port 25 and allowed the worm to connect to it? Newsflash:
Even those using Netscape Mail, Lotus Notes, etc. on the PC were still
potentially infected due to the nesting of the virii.

The worm was not spread through any vulnerability in the operating system,
unlike NIMDA/SQLSlammer/etc. This worm was propagated through pure user stupidity, and
that'll follow any operating system that Dell/Gateway pre-installs for
them. If everyone wants to flame MS, at least do it in a way that doesn't
show your own ignorance.

-Dave

Dave Temkin wrote:
<snip>


<OT>
to me the problem is one of a monoculture. Too much of the same stuff everywhere.

doesn't matter if it's MS-Windows, MacOS X or Debian GNU/Linux or bacon and eggs - too much of the same is bad for you..

</OT>

: So? Had the virii been an application compiled for RedHat and
: everyone ran RedHat instead of Windows and they downloaded it using
: Evolution and double clicked on it, it would suddenly be RH's fault
: instead of Microsoft's?

I suspect the skill set/clue of RH users is at least an order
higher than Windows users.

The main problem I see is many e-mail readers default to having
the preview pane open and this will then run any app it finds.
No clicking required.

James Edwards
Routing and Security Administrator
jamesh@cybermesa.com
At the Santa Fe Office: Internet at Cyber Mesa
Store hours: 9-6 Monday through Friday
505-988-9200 SIP:1(747)669-1965

It's not completely the fault of anything except the end-user. It's like
the Jimmy Buffet song says:

               Evolution is mean, there's no dumbass vaccine

scott

Not sure why that is the case. Web browsers know better than to execute things, or at least to execute them in a sandbox, and there seem to be many more "abuse" capabilities in IE / Netscape than $RandomMailReader.

How hard is it to tell a mail reader "NEVER execute a binary"? If someone really wants to run a program that was e-mailed to them, they can save the attachment and run it outside the mail reader or something. So things like "virus.doc.exe" won't get executed by $luser who thinks it was a word doc.

There are ways around this (copy/paste an executable into a word doc, then type "Click here!" in the Word doc), but it might help.

Might.... :slight_smile:

Red Hat does not allow an attachment to be run, even if the attachment
wishes to be run - it uses the 'x' flag, which is not an attribute of the
attachment. Linux users are not Administrators, so a virus cannot infect
the whole system,... Etc. etc....

(Why Red Hat? It is the worst Linux among all. Use SuSe or Mandrake).


On Wed, Jan 28, 2004 at 12:07:36PM -0500, Patrick W.Gilmore said something to the effect of:

Not sure why that is the case. Web browsers know better than to
execute things, or at least to execute them in a sandbox, and there
seem to be many more "abuse" capabilities in IE / Netscape than
$RandomMailReader.

How hard is it to tell a mail reader "NEVER execute a binary"? If

w00t.

someone really wants to run a program that was e-mailed to them, they
can save the attachment and run it outside the mail reader or
something. So things like "virus.doc.exe" won't get executed by $luser
who thinks it was a word doc.

I don't think it's that it's hard, so much as inconvenient.
C-level-officer types :wink: want point-and-click to open and launch,
not to be ordered to port and manipulate attachments to access them.
And since that might be too much effort...heck...why not give users
a peep-hole preview function that allows them to split the screen and
peek into the email without clicking on anything at all? Back-office
IT heads would roll if that went away...

We _can_ thank M$ for setting the bar on this one; no one expected
irresponsible features like instant access to attached goodies until
the Internet-for-Idiots and SMTP-for-the-generally-challenged
revolutions were ushered in to the sounds of "Where do you want to go
today, and how much do you want to break/spend/consume while you're
there?"

I wish I could end this with "Friends don't let friends use Outlook,"
but I have to agree that the fault still lies primarily in the users
that continually refuse to heed the warnings of
  A) shut that preview pain^N^Nne shee-yit off
  B) don't execute attachments in email, even/especially if it looks
  like it might be a really k00l screen saver...

Long live mutt. :wink:

ymmv,
--ra

Unfortunately, since Microsoft products seem to have a default which is set to
hide file extensions and to make it very difficult to see 'multiple extensions'
like the '.doc<many spaces>.pif' in the current worm, it is somewhat easier to
dress a vampire in gerbil clothing in these systems than in others.
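The two tricks this thread keeps coming back to, a "document" extension in front of a real executable extension (virus.doc.exe) and whitespace padding that pushes the real extension out of view ('.doc<many spaces>.pif'), are easy to check for at the mail gateway. The following is an added example, not code from any poster on this thread: it parses a constructed message with Python's standard library, pulls out attachment filenames, and flags the deceptive ones. The extension lists are assumptions for the example, not a complete list of what Windows will execute, and `displayed_name` models only the "hide extensions for known file types" behaviour of dropping the last extension.

```python
"""Flag mail attachments whose filenames disguise an executable type.

Added example (not from the thread). Heuristics implemented:
  * a final extension that Windows treats as runnable,
  * a document-looking extension in front of it (virus.doc.exe),
  * whitespace padding between extensions ('.doc<many spaces>.pif').
"""
import re
from email import message_from_string

# Assumed list of extensions Windows runs directly (not exhaustive).
EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd", "vbs", "js"}
# Assumed list of extensions a user reads as "just a document".
DOCUMENT_EXTS = {"doc", "txt", "pdf", "jpg", "gif", "zip"}


def displayed_name(name):
    """What a file browser shows when it hides the last extension
    (assumed model of 'Hide extensions for known file types')."""
    stem, sep, _ext = name.rpartition(".")
    return stem if sep else name


def classify_filename(name):
    """Return the reasons a filename looks deceptive; empty list = looks fine."""
    reasons = []
    parts = name.lower().split(".")
    if len(parts) < 2:
        return reasons
    final_ext = parts[-1].strip()
    if final_ext not in EXECUTABLE_EXTS:
        return reasons
    reasons.append(f"executable extension .{final_ext}")
    inner = parts[1:-1]
    if any(p.strip() in DOCUMENT_EXTS for p in inner):
        reasons.append("document-looking inner extension")
    if any(p != p.strip() for p in inner) or re.search(r"\s{2,}", name):
        reasons.append("whitespace padding between extensions")
    return reasons


def suspicious_attachments(raw_message):
    """Parse an RFC 822 message and return [(filename, reasons)] for flagged parts."""
    msg = message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name and classify_filename(name):
            findings.append((name, classify_filename(name)))
    return findings


# Constructed sample message: one harmless attachment, one padded .pif.
SAMPLE_MESSAGE = """\
From: someone@example.com
To: you@example.com
Subject: hi
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/msword; name="notes.doc"
Content-Disposition: attachment; filename="notes.doc"

ZG9j
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="readme.doc                  .pif"

TVo=
--b1--
"""

if __name__ == "__main__":
    for name, reasons in suspicious_attachments(SAMPLE_MESSAGE):
        print(f"{name!r} (shown to user as {displayed_name(name)!r}): {', '.join(reasons)}")
```

Run over the constructed message, only the padded .pif attachment is reported, and `displayed_name` shows why the user never saw the real extension: with the last extension hidden the name reads as "readme.doc" followed by blanks.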

If RedHat, by default, had you running as root rather than an unprivileged
user, it sure would be.

Most Windows boxes are running with administrative privileges. That makes
Windows a willing accomplice. The issue isn't that people click on
attachments, but that there are no built in safeguards from what happens
next.

I suspect the skill set/clue of RH users is at least an order
higher than Windows users.

really, based on experience that would be surprising, rh is now so easy to get
and install, securing it is still problematic for most users

The main problem I see is many e-mail readers default to having
the preview pane open and this will then run any app it finds.
No clicking required.

hmm i've not checked, i thought this virus came as executables so you need to
click a couple boxes before it will run,.....

Steve

Most Windows boxes are running with administrative privileges. That makes
Windows a willing accomplice. The issue isn't that people click on
attachments, but that there are no built in safeguards from what happens
next.

This is problem #1. Unfortunately, Windose is too complex and has too much
legacy, so everyone must run as an administrator (try to install Visio
without admin privileges...).

Problem #2 - using extensions to select an application - may be, it's a very
good idea, but it complicates the virus (worm) problem.

Problem #3 - Monoculture.

>
> Most Windows boxes are running with administrative privileges. That makes
> Windows a willing accomplice. The issue isn't that people click on
> attachments, but that there are no built in safeguards from what happens
> next.
This is problem #1. Unfortunately, Windose is too complex and has too much
legacy, so everyone must run as an administrator (try to install Visio
without admin privileges...).

The whole point of the infamous *.DLL was to provide local libraries for
applications like unix *.lib.so files. This was corrupted by app vendors
who were too deadline focused to install their DLL's in the application
directory.

Of course this was abetted by the ability of an application to write
into the system directories.

When NTFS came out an ordinary user could not write the system directory
tree. Hence most users are running as Administrator or equivalent so that
they can write into the system tree. This was a bad design decision by
MS _and_ application developers. This _is_ fixable by MS by simply not
allowing apps to write into the system tree. This of course is a "small
matter of programming" but it would really improve the overall security
posture of Windows.

Now there are well written applications which do install their DLL's into
their own tree; these apps can usually be recognized by _not_ requiring a
reboot after installation.

Problem #2 - using extensions to select an application - may be, it's a very
good idea, but it complicates the virus (worm) problem.

Agreed.
However, magic numbers in the header or having the execute permission bit
set bring the same problem to the table.

Problem #3 - Monoculture.

  This greatly exacerbates problems 1 and 2 but is not so much of a
  problem on its own. i.e. Apache which has over 75% of the webserver
  market and is infrequently compromised.

Problem #4

MS applications have an unfortunate predilection to run any bit of
executable code they find. i.e. a WMA file can contain executable code
which media player will happily execute. This is a perfect example of
just because you can do something it does not necessarily follow that you
_should_ do something. This dates back to [*]BASIC and the RUN command.
It was somewhat useful 10+ years ago not so much today.

Actually, it's more of an issue in the registry than the file system; older
apps tend to want to write the global HKLM, rather than the user-specific
HKCU.

But, regardless, Win2K and WinXP do have restricted-user modes that tie
this stuff down quite well. They tend to be used in corporate
environments. But for home users, it gets to be a pain in the butt,
because it prevents a lot of things users want to do, like installing
games, multimedia apps and spyware.

You can't really have it both ways; if you can install apps, you can
install viruses and trojans. I don't see this being much different
regardless of the OS you run. And until you have earned some battle scars,
you're not afraid of the pretty toys.

It would be nice, though, if there were a legitimate 'su' analog in Windows
-- sorry, "runas" doesn't cut it. Makes it hard to normally run
restricted, and explicitly enable temporary privs sometimes...

/kenw
Ken Wallewein
K&M Systems Integration
Phone (403)274-7848
Fax (403)275-4535
kenw@kmsi.net
www.kmsi.net