Scot Mc Pherson wrote:
>
> I believe the one of the most important holes is html based mail, because
> the e-mail is processed as a webpage which can be used to download
> undesirable content. If you configure your e-mail browser to display all
> messages as text you will close this hole...You will notice my e-mails are
> nearly 100% text
>
Downloading content is also a form of receipt notification and
capabilities discovery, which mass e-mailers love to know. Barnes and
Noble have done mass e-mailings learning to tailor future content,
whether you want it or not.
Another case is teenpicks.com (teen sexual pictures). If we suppose a
CEO, CFO, or directors of a corporation received sexually oriented
HTML e-mail and that e-mail deposited cookies then a claim of a
sexually hostile atmosphere by an employee can be hard to dispute.
> Scot
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 11, 2000 9:45 AM
> To: Castro, Edison M. (PCA)
> Cc: 'Steven M. Bellovin'; [EMAIL PROTECTED]; Brant Knudson; [EMAIL PROTECTED]
> Subject: Re: VIRUS WARNING
>
> On Thu, 11 May 2000 08:24:11 EDT, "Castro, Edison M. (PCA)" said:
> > That is exactly the same way that all Windows virus work. As a Windows
> > user (as well as other OSes), I can say that people have to be responsible
> > for their actions. Whenever you receive any Email attachment, the only
> way
> > that attachment can produce any damage is if you run it.
>
> Well, it's worse. Melissa, the Love Bug, and the Christmas worm all
> required
> the user to take an action (click/open/run the payload).
>
> However, there's apparently ANOTHER hole....
>
> Seen on a SANS posting yesterday:
>
> /Valdis
> -- 10 May 2000 Email viruses are now spreading WITHOUT THE USER
> OPENING ANY ATTACHMENT.
> Personal computers running Internet Explorer (IE) version 5.0 and/or
> Microsoft Office 2000 are vulnerable to virus attacks using most email
> systems, even if the email recipient opens no attachments. You don't
> even have to use IE; just have it installed with the default security
> settings. If you have not closed the hole, you can receive viruses (and
> spread them) by viewing or previewing malicious email without opening
> any attachment, or by visiting a malicious web site. The problem is
> caused by a programming bug in an Internet Explorer ActiveX control
> called scriptlet.typelib. This is by far the fastest growing virus
> distribution problem and ripe for a hugely destructive event - at least
> as large as the ILOVEYOU virus. Updating your virus detection software,
> while important, is not an effective solution for this problem. You must
> also close the hole. The hole can be closed in five minutes or less
> using tools available at Microsoft's security site:
> http://www.microsoft.com/security/bulletins/ms99-032.asp
> The correction script may be run directly from:
> http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm
> Editor's Note: Thanks to Jimmy Kuo of Network Associates and Nick
> FitzGerald of Computer Virus Consulting Ltd. for raising the visibility
> of this dangerous problem.
--
Dennis Glatting
Copyright (c) 2000 Software Munitions
