[Techtalk] new spam thingy
Dan Richter
daniel.richter at wimba.com
Fri Nov 22 12:20:32 EST 2002
>I wasn't aware that MIME included the ability to send commands to execute
>a program. In fact I'm almost 100% sure of that.
It doesn't. But Internet Explorer had a gaping security hole that allowed
anyone to download and execute programs on your computer. It set the MIME
type to audio/wav, but left the extension at .exe. Now, under Windows,
executing programs and opening files use the same API (so opening a Word
document is the same as executing Word). So IE saw the MIME type (a sound
file) and said that it was okay to "execute", and Windows saw the extension
and executed it as an executable!
This is the security hole that Nimda and Red Worm used. (As far as I know,
Red Worm was just a slightly modified copy of Nimda. Virus writers really
aren't very original: most viruses are just clones of other viruses that go
off at different times and display different messages.) These viruses used
an equally stupid security hole in IIS (MS's web server), so they spread
from browser to server to browser - a true epidemic.
And, since Outlook uses IE as its rendering engine, Outlook has the same
security holes as IE. So virus writers love it.
Most IIS's aren't vulnerable anymore because they've been patched. (You
would think that they all have, but you'd be surprised how incompetent some
sysadmins can be.) But many home users never upgrade or apply patches,
which is why even recent viruses like Bugbear still use that same attack.
They don't use ONLY that attack, but they use that attack in combination
with others.
========== Dan Richter ============== mailto:Dan at wimba.com ===========
The only thing 'express' about Outlook Express is how fast it
spreads viruses. I like to call it LOOKOUT EXPRESS.
- Jim Greenly, professor at Georgia Institute of Technology
More information about the Techtalk
mailing list