HTML provides opening for e-mail vandals
(IDG) -- The outbreak of messaging client vulnerabilities has put e-mail security on the minds of many, but an unknown and often overlooked hole may be the worst yet: E-mail clients are working a lot more like Web browsers, but they lack the mature security structure of their browser cousins.

E-mail and messaging vendors have been rushing to add HTML support to their client products. Meanwhile, browser makers and Web site producers have been building ways to embed executables inside HTML documents, via dynamic HTML (DHTML). This combination opens up a Pandora's box of security issues.

"I have a lot of control from within my browser, such as Web proxies, but in mail, what controls do I have?" asked Russ Cooper, moderator of the NTBugtraq mailing list. "I have nowhere near the same amount of security."

The latest versions of Netscape Communicator, Microsoft Outlook, and Qualcomm Eudora, which make up the lion's share of e-mail clients in use, all accept HTML-formatted e-mail, a process that is analogous to delivering a Web page to a user's hard drive.

"Once you've fetched an HTML e-mail off the server, it is a local file. Your e-mail acts like a browser, executing a local file," said Shimon Gruper, president of eSafe technologies, a Seattle-based Internet protection provider.
If that page has embedded executables, such as a JavaScript, ActiveX control, or a Visual Basic script, those scripts could run locally, as soon as the user opens the message, Gruper said. And if the script is malicious, it could reformat a hard drive or install a virus.

The user would not necessarily know that a program was running at all, as could be the case with the recently reported Back Orifice hacker tool, which can be sent as an embedded script or attachment. The "Trojan horse" is intended to allow remote users to gain complete access to Windows 95 or Windows 98 systems over the Internet. The program was created by a hacker group called The Cult of the Dead Cow and is only 120KB of data that can run invisibly.

Outlook and Outlook Express use Trident, Microsoft's HTML viewer for e-mail clients. Trident has the same security resources that exist within Internet Explorer, said Karan Khanna, product manager for Windows NT for Microsoft. The problem, according to analysts, is that once the message is in a user's In Box, it is in what Microsoft products consider a safe "Zone," and the script would run if called upon within the HTML.

This security hole is also the underlying cause of a bug in Qualcomm's Eudora client that was reported recently. This flaw allowed malevolent individuals to send e-mail to Eudora users with a malicious executable attachment that has been camouflaged to resemble a URL, using JavaScript or Java applets. When a user clicks on the "URL," the attack will be run locally.

Eudora uses Trident to view HTML e-mail as well, and Qualcomm advised that users turn off that extension to prevent scripts from running within the client. In fact, Qualcomm posted a patch that disables Trident. This is like throwing the baby out with the bath water, however, and it is just a short-term fix, said Matt Parks, Eudora product manager at Qualcomm.
Sun Microsystems and JavaSoft executives are quick to point out that Java applets or JavaScript are not the culprit in these attacks but more likely the unwitting accomplice.

"The Qualcomm software bug, if you read their press statement, it sounds like Java is the problem, but it's not," said Li Gong, Java security architect at Sun, based in Palo Alto, Calif. "Their problem is that they have a security problem in their e-mail tool, so when they see active content as text to the e-mail, they just blindly launch the corresponding application. That's the real problem -- there is nothing to do with Java per se."

As far as Communicator users are concerned, Edith Gong, Netscape Communicator product manager, said that it was unlikely that Communicator users could be affected by an embedded script, although she could provide no more details.

Jon Cornetto is a contributing reporter and Matthew Nelson is a reporter for InfoWorld.
© 2000 Cable News Network. All Rights Reserved.