1. I don't see any ActiveX scripts on Star's web site. I do see some simple JavaScript to change images on mouseover -- pretty standard and mostly harmless. My browser is set to prompt before downloading or running any activeX scripts. That and I read the source for the page - no ActiveX, just JavaScript. 2. What is absurd about asserting that hotmail should make their best effort to filter out outgoing messages with a viral payload? As a free web based email service it is a simple matter to create an essentially anonymous account, access that account from an anonymous redirector, like http://www.anonymizer.com, and send a viral payload to someone. The nature of their service makes it ripe for launching an attack. The culpability for that attack certainly rests with the individual who launches it, but, if Hotmail does not respond to the fact that their service is being used this way then they create an externality. I, as a security administrator, must create systems and /or procedures to protect my users from hotmail. I incur an expense for a service that I don't even use because that service refuses to clean itself. There is definitely room to disagree on this point. Hotmail is knowingly providing an attack mechanism. If they made their site an equally accessible launching point for SPAM, they would be blackholed. 3. The fact that Star internet sees more viruses directed at their client networks from Hotmail than any other source does not indicate a hole in Star's defenses. While a literal interpretation of the comment could indicate that their client's were actually infected, I doubt that is how they arrived at their numbers. I believe they are talking about the number of viruses they do intercept. I think it is unlikely they would make public statements about those viruses they don't see, don't catch, or don't know about. (IMO your interpretation is off. You could argue their choice of phrasing was poor - but I would disagree.) If you want to assert that Hotmail should not be responsible for monitoring outbound email for viral payloads we can agree to disagree. If you want to assert that Star networks does not have an interest in protecting their customers, or is not effective in doing so, you have a responsibility to provide some evidence. 4. If Hotmail asserts to their customers that they provide virus protection, they have a responsibility to actually provide effective virus protection. Failing to protect against the fastest moving, and most damaging macro viruses just can't count. That isn't the point of Star's comments, but it was the previous point of this thread. (Of course this thread seems pretty adaptable.) 5. Take what is said in that article with a grain of salt. While Star may have some interest in seeing a better AV solution from Hotmail, it looks like they have at least an equal interest in seeing their company name, mission, and services in print. -----Original Message----- From: Nick FitzGerald [mailto:nick@VIRUS-L.DEMON.CO.UK] Sent: Monday, October 25, 1999 11:17 PM To: BUGTRAQat_private Subject: Re: Hotmail security vulnerability (viruses) Xander Teunissen to Dan Schrader: > > While we are discussing Hotmail, has anyone noticed that Hotmail's > > virus scanner doesn't detect most macro viruses - including any of > > the Melissa varients? > > This article (published on Techweb last friday) notes that problem yes. > It's not much of a solution (none at all, come to think of it) but it shows > yet another of the problems this service is dealing with and exposing it's > users to. > > http://techweb.com/wire/story/TWB19991015S0016 A response I posted to Dan Schrader's original comment (above) a few days back did not make the cut for posting to the list. It made the same point as that news story -- that Hotmail is using an "old" version of its chosen antivirus software that is known to have difficulties with common, "new" macro viruses ("new" that is, if you count almost all new viruses in more than the last twelve moonths as "new"). The article is also interesting because of this claim: Anti-virus experts at Star Internet said they urged Hotmail to fix the problem after Hotmail became the biggest source of macro viruses in their business customers' networks. Now, what does this really say? It seems that Start Internet (and its customers?) holds Hotmail responsible for the *content* of the Email Hotmail's customers send. It also suggests that Star Internet's own Email scanning technology is far from adequate if Hotmail really was "the biggest source of macro viruses in their [Star's] business customers' networks". Oh yes, a final note -- to see how much Star Internet is really interested in its customers security, visit their web site (http://www.star.co.uk/) with IE and watch for the ActiveX warning... Regards, Nick FitzGerald
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:08:59 PDT