RE: How often are IE security holes exploited?
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 13 Dec 2002 21:14:44 +1300
"Richard M. Smith" <rms () computerbytesman com> replied to Paul:
> Thanks for the reply. Let me try to clarify things a bit.
> I'm most interested in security holes related to IE, ActiveX controls,
> and the Microsoft JVM. Basically things that can be exploited from an
> HTML Web page or email message. As you noted, these kinds of security
> holes can be exploited from Outlook, Outlook Express, and Windows Media
OK -- that's pretty much what I assumed in my other answer.
> Something like Loveletter didn't use any security holes to run. It's
> probably the best example of social engineering being used to get people
> to run a virus/worm by clicking on an attached file.
Well, it is that, but it was so successful because far too many
_corporate_ sites were so mal-administered or mal-managed.
LoveLetter did not get sent to 350 squillion Email addresses because
it found that many addresses in home and small business user address
books. It got there because it hit a few really large sites (think
DoD, and the _really big_ corporations -- places with huge GALs and
that use Outlook). It took that level of embarrassment (sometimes
repeated two or three times in the ensuing month or two) for the
admins and/or management at many large corporate sites to acknowledge
that only blocking known viruses coming in, or possibly "known
viruses plus attachments of one or two extensions that we suspect
might be the big problem ones" was yet another case of a
simplistically stupid approach to a complex problem that had only
started to actually be exploited at that point...
> Also does anyone know of an example of a virus or worm that used an IE
> security hole that hadn't been seen before?
I forget exactly which offhand (perhaps the first Yaha or something
just before it?) took advantage of the CR-only (or LF-only??) line
break issue, in which many Unix mail servers will incorrectly pass
what should be CRLF line-terminations and are otherwise invalid
characters in standard SMTP traffic. Several content filter and AV
Email scanner parsers "mis-handled" these messages, missing the
attachments entirely (why these products were not written from the
beginning to "fail closed" has still not been satisfactorily
answered) and passing the bad messages on. Of course, Outlook
and/or OE "happily" saw the messages as intended and they would
detach and run the attachments (and of course the users, feeling
"safe" because they knew their Email was scanned for bad things,
happily double-clicked away...).
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Full-Disclosure - We believe in it.
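The line-ending parser differential Nick describes above (a gateway scanner that only recognises CRLF framing misses an attachment that a lenient mail client still detaches), shown as an added example that is not part of the original post. The message bytes and filename are constructed; the "fail closed" check and the normalising parser are the mitigations a gateway scanner would want.

```python
import email
import re
from email import policy

# Constructed sample: a multipart message with bare-LF line endings, which
# violates SMTP's CRLF requirement but which lenient clients render normally.
BARE_LF_MESSAGE = (
    b"From: sender@example.invalid\n"
    b"To: recipient@example.invalid\n"
    b"Subject: constructed sample\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\n'
    b"\n"
    b"--XYZ\n"
    b"Content-Type: text/plain\n"
    b"\n"
    b"see attached\n"
    b"--XYZ\n"
    b"Content-Type: application/octet-stream\n"
    b'Content-Disposition: attachment; filename="sample-attachment.exe"\n'
    b"\n"
    b"...constructed stand-in for attachment bytes...\n"
    b"--XYZ--\n"
)

def naive_attachment_names(raw: bytes) -> list[str]:
    """Scanner that assumes strict CRLF framing. Splitting only on b"\\r\\n"
    collapses a bare-LF message into one 'line', so no attachment is found
    and the message would be passed on unscanned."""
    names = []
    for line in raw.split(b"\r\n"):
        m = re.match(rb'Content-Disposition:\s*attachment;.*filename="([^"]+)"', line, re.I)
        if m:
            names.append(m.group(1).decode())
    return names

def has_nonstandard_line_endings(raw: bytes) -> bool:
    """Fail-closed check: any CR or LF that is not part of a CRLF pair is
    invalid SMTP framing and should be quarantined rather than passed."""
    return re.search(rb"\r(?!\n)|(?<!\r)\n", raw) is not None

def normalize_line_endings(raw: bytes) -> bytes:
    """Canonicalise CR-only, LF-only and CRLF to CRLF so the scanner parses
    the same structure a lenient mail client will."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", raw)

def robust_attachment_names(raw: bytes) -> list[str]:
    """Normalise first, then let the stdlib MIME parser enumerate attachments."""
    msg = email.message_from_bytes(normalize_line_endings(raw), policy=policy.default)
    return [part.get_filename() for part in msg.iter_attachments()]
```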