[Techtalk] new spam thingy

Dan Richter daniel.richter at wimba.com
Fri Nov 22 12:20:32 EST 2002

>I wasn't aware that MIME included the ability to send commands to execute
>a program.  In fact I'm almost 100% sure of that.

It doesn't. But Internet Explorer had a gaping security hole that allowed 
anyone to download and execute programs on your computer. It set the MIME 
type to audio/wav, but left the extension at .exe. Now, under Windows, 
executing programs and opening files use the same API (so opening a Word 
document is the same as executing Word). So IE saw the MIME type (a sound 
file) and said that it was okay to "execute", and Windows saw the extension 
and executed it as an executable!

This is the security hole that Nimda and Red Worm used. (As far as I know, 
Red Worm was just a slightly modified copy of Nimda. Virus writers really 
aren't very original: most viruses are just clones of other viruses that go 
off at different times and display different messages.) These viruses used 
an equally stupid security hole in IIS (MS's web server), so they spread 
from browser to server to browser - a true epidemic.

And, since Outlook uses IE as its rendering engine, Outlook has the same 
security holes as IE. So virus writers love it.

Most IIS's aren't vulnerable anymore because they've been patched. (You 
would think that they all have, but you'd be surprised how incompetent some 
sysadmins can be.) But many home users never upgrade or apply patches, 
which is why even recent viruses like Bugbear still use that same attack. 
They don't use ONLY that attack, but they use that attack in combination 
with others.

========== Dan Richter ============== mailto:Dan at wimba.com ===========
   The only thing 'express' about Outlook Express is how fast it
   spreads viruses. I like to call it LOOKOUT EXPRESS.
        - Jim Greenly, professor at Georgia Institute of Technology

More information about the Techtalk mailing list