jelmer <[EMAIL PROTECTED]> to me:

<<snip explanation of 3rd-party app dragging HTML content across the "security zone barrier" unhindered>>

> I know this thought also crossed my mind, I also received some mail borne
> viruses which used a similar scheme but one may argue that had the zip
> file contained a .vbs or .exe file, people would have opened it as well.

Sure, but there have been a few other self-mailing viruses that have distributed themselves via .ZIP file attachments and the relative success of Mimail in particular seems in no small part attributable to the fact that "your average punter" is exceedingly unlikely to consider an HTML file to be "suspicious" _in any context_.

This observation of the expected -- "predictable" even -- failing of the human component in the "security chain" is what makes security vulnerabilities, such as this latest one Jelmer has pointed out, much more dangerous than the typical "Mitigating factors" BS in MS Security Bulletins would have you believe.

For those who haven't already realized, nearly everything listed as "Mitigating factors" in MS Security Bulletins related to HTML parsing/security zone/etc flaws in IE/OE/OL are, in fact, simple pointers to easy things any half-clever black-hat can obviously use to exploit the stupidity of several hundred million "typical Windows users", and usually most or all of these approaches will already have been outrageously successful (with other similar vulnerabilities) in two, three or more existing self-mailing viruses.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html