Forwarded from: Jay D. Dyson <jdysonat_private> -----BEGIN PGP SIGNED MESSAGE----- Courtesy of Risks Digest 21.90. (And I share Bear's outrage.) - -----BEGIN FORWARDED MESSAGE----- Date: Mon, 28 Jan 2002 22:31:26 -0700 (MST) From: Bear Giles <bearat_private> Subject: Yet another Microsoft Outlook exploit Yet another Microsoft Outlook exploit is on the loose... and this time the arrogance of the recommended solution is breathtaking. The problem is the built-in support for UUENCODED text within the body of a message. Prudent programmers will use a starting pattern such as "\n\nbegin ([[:octal:]]+) ([^\n]+)\n" and subsequently verify that each line has the expected format. Even checking only the first few lines (e.g., verifying that the first character correctly encodes the length of the rest of the line) essentially eliminates any chance of a false hit. Sadly, it will surprise few people that Microsoft cuts straight to the heart of the matter. If your line starts with "begin " (possibly with two spaces), Outlook/Outlook Express WILL interpret the rest of the message as a UUENCODED attachment. It doesn't need a preceding blank line, nor a following octal number. It doesn't need subsequent lines that actually look like UUENCODED data. There are some reports on slashdot that later versions of O/OE have discarded the "view source" command, with the effect that the rest of the message is permanently lost to the user. The use of this bug as a DOS attack on mailing lists that use a 'digest' approach is left as an exercise for the reader. Naturally, it hasn't taken long for the malware writers to jump on the bandwagon. All you need to do to get around the "strip executable attachment" killjoys is to put the malware right in the body of the message! Just start a line with "begin 666 www.myparty.yahoo.com" and you're off and running! Microsoft's official position, at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q265230 , is stunning in it's <s>feeble-mindedness</s> simplicity. We, and by "we" I mean every person on the planet who may ever send a message to an O/OE <s>victim</s> user, or have a message forwarded to such users, are advised (with editorial comments) to: * not start messages with the word "begin" (actually, it's *any* line starting with the word "begin". And that's effectively a ban on the word "begin" for anyone using a mail agent with transparent line wrapping, e.g., the web mail portals that some ISPs are pushing.) * capitalize the word "begin," even when used within a sentence. E.g., "We will Begin the new project when Bob returns from his vacation. * Use a different word such as "start" or "commence." E.g., all training materials for new Visual Basic programmers shall henceforce refer to "start/end" loops instead of "begin/end" loops. Microsoft's justification for suggesting a significant change to the English language instead of fixing their bug is given as: "In a SMTP e-mail message, a file attachment that is encoded in UUencode format is defined when the word "begin" is followed by two spaces and then some data,..." Needless to say there is no citation given for this "fact." That's probably related to the fact that UUENCODE was defined by UUCP, not SMTP, and that every encoder/decoder I have seen requires a leading blank line and a octal file permissions code. But the damage is done - since malware is exploiting this bug we now get to put into place filters that don't just strip executable attachments or properly formatted UUENCODED blocks, we also have to strip *improperly* formatted UUENCODED blocks! Bear Giles - ----- END FORWARDED MESSAGE ----- ( ( _______ )) )) .--"There's always time for a good cup of coffee"--. >====<--. C|~~|C|~~| (>------ Jay D. Dyson -- jdysonat_private ------<) | = |-' `--' `--' `The armed are citizens. The unarmed are subjects.' `------' -----BEGIN PGP SIGNATURE----- Version: 2.6.2 Comment: See http://www.treachery.net/~jdyson/ for current keys. iQCVAwUBPGbduLlDRyqRQ2a9AQFhvgP+KaCJmv1npclEQOL2X3CXc2iqibTesMyk AiXL5jgmS6y5QTHx1S2QGW8gCJZUuaROx+mRfpLHxtOiU/54HgasHzu3ZZomjwrR wOzFRfQi/65orWUJr490/qaHT5q+980kxMWdpS6d1mG1uKdnla8F9q1adR39hCWB 5nNeJQvBTss= =WA5h -----END PGP SIGNATURE----- - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Mon Feb 11 2002 - 04:32:27 PST