Kai MacTane <[EMAIL PROTECTED]> writes:

> Sort of. The problem isn't really the MUAs so much as the user
> behaviors: the user has to explicitly activate the virus-attachment. I
> don't know of any Windows MUAs that *automatically* run any attachment
> they receive -- even Windows users would consider that a security
> risk. In general in the Windows world, when you open an attachment, the
> MUA tells the OS to load the appropriate app for viewing files of that
> type (where "type" is determined solely by filename extension, of
> course, rather than something sane like header info).

I'd like to back this up, and point out here that too much Microsoft
bashing on this one is misplaced.  This particular attack is not
Microsoft-specific in any way other than having happened to be written
against a widely used Microsoft application; the property that it needs to
be effective is a document viewer with an embedded macro language in which
macros are executed by default.

You could run precisely this same attack against a Unix user with, for
example, a DVI document.  The DVI formatting language allows for shell
escapes, and xdvi knows how to execute them.  This capability is, of
course, not the default; you have to run xdvi with a special command-line
option to tell it that it's safe to do this.

Now, I'm not a Word user, so I don't know for sure, but I've at least
heard that automatic execution of macros in Word documents is *off* by
default.  Extrapolating from that, however, I would imagine that Word
probably pops up a warning dialog box, and users get tired of saying "yes,
it's okay."

In other words, to be blunt, this isn't a Windows problem.  This is a user
stupidity problem.  The *only* effective long-term solution to these sorts
of problems is to bludgeon people about the head with the idea that they
should NEVER, EVER, *EVER* run *ANYTHING* that they get via e-mail, *even
if it's from someone that they know*, without explicit confirmation of
what it is and what it does, and that all of their programs need to be
configured the same way.  And that as annoying as warning boxes might be,
they're there for a *reason*, and if they can't stand them, the answer is
to disable all macros always, not turn them on.

-- 
Russ Allbery ([EMAIL PROTECTED])         <URL:http://www.eyrie.org/~eagle/>
