[ISN] Visual Basic holes open for e-mail viruses

From: mea culpa (jerichoat_private)
Date: Fri Nov 20 1998 - 02:19:50 PST

  • Next message: mea culpa: "[ISN] FBI Opens High-Tech Crisis Center"

    From: SLF - Vol 3 Issue# 220 Nov.20,1998
    From: ravensceo <ravensceoat_private> 
    Another example of why you should be aware of your information security
    issues each and every day! As always, your comments are welcome! 
    For years, virus researchers and hoax debunkers have asserted a simple
    truth: You'll never get a virus from reading e-mail. 
    Not anymore. 
    Anti-virus researchers have identified a class of viruses, called HTML
    viruses, which hide out in Web pages or e-mail and activates when users
    view the content. 
    "Just the fact that your mail program shows e-mail in a window (could) 
    spread the virus to your system," said Igor Grebert, senior researcher at
    anti-virus maker Trend Micro Inc. 
    The Cupertino, Calif., company publicly announced, on Wednesday, efforts
    to include protection against such viruses in its anti-virus software.
    Last week, anti-virus firm Central Command Inc. warned of a more isolated
    virus that affected ActiveX controls in certain cases. 
    Microsoft Corp. accused the companies of scare tactics. "We are extremely
    confident that this is nothing that users should be worried about," said
    Mike Nichols, Internet Explorer product manager at Microsoft. 
    Little danger, for now 
    Indeed, at present, HTML viruses present no danger.  Grebert has only
    encountered what he refers to as "test viruses" that do not have any
    destructive payload.
    In addition, while HTML viruses have potential to be nasty, they will have
    a hard time spreading out of control over the Internet.
    Does this type of virus concern you, or will it have the same limited
    impact of most viruses? Add your comments to the bottom of this page. 
    In order to copy itself to a new Web page, the HTML virus must execute on
    a machine from which it is allowed to change the page. This essentially
    means that only Webmasters have the possibility of being "Typhoid Mary." 
    "If you are just a user, you will not infect other people's Web pages," 
    said Grebert. 
    Still, whoever they are, the virus writers have been busy. In the past two
    weeks, Trend Micro has tallied no less than 17 new variants, written in
    Microsoft Corp.'s VBScript. While none of them could harm users, don't
    expect the viruses to have their teeth filed for long. Soon, they could
    cause significant problems for users who get them. 
    Technically, the viruses resemble normal programs. "There is no security
    in Windows that limits what VBScript can do," said Grebert. "Can it read
    your files? Yes. Can it format your hard drive? Yes." 
    Another IE hole
    Essentially a macro virus, the viruses -- written in VBScript -- are
    embedded in the HTML included in a Web page or e-mail. 
    Users of Windows 98 or more recent versions of Microsoft's (Nasdaq:MSFT) 
    Internet Explorer and Outlook are at risk, according to Trend Micro, since
    both programs are set up with Microsoft's Windows Scripting Host -- needed
    to run VBScript. 
    Microsoft said the problem did not affect Internet Explorer. 
    "As a user you would have to go to a site that was designed to be
    malicious, and users would have to lower the (default) security," said
    Microsoft's Nichols. Even when security is lowered, users still are
    prompted every time a script tries to run, he said, putting only the most
    ignorant at risk. 
    Rubber gloves before reading
    Still, Outlook and other e-mail programs that read VBScript will allow the
    virus to execute, claimed researchers. 
    "The real angle of attack is on HTML e-mail," said Russ Cooper, moderator
    of NTBugTraq. "In that regard, people are wide open to attack." 
    Originally, the threat of e-mail macro viruses was expected to come from
    Microsoft's combination of Outlook 98 and Windows 98. 
    At the end of July, Finnish students found holes in Outlook that let
    viruses spread by e-mail. However, that security hole could only be
    exploited by luring the user to click on an overlong HTML link. 
    Several experts had predicted that some virus writer would put the two
    Not just VBScript 
    Netscape Communications Corp.'s (Nasdaq:NSCP) Navigator, which does not
    support its rival's VBScript, is immune, said Grebert.  "Yet, with the new
    features that Sun is putting into Java to compete with Visual Basic, they
    may have a similar problem in the future."
    In addition, Cooper warns that an HTML virus could be written in
    JavaScript just as easily as VBScript. 
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:11:53 PDT