Dangerous email

by Rik Farrow

December 12, 2000 —

Last week's "Love Bug" worm was exacerbated by features of Microsoft's Outlook email
client, but Outlook isn't the only client with potential problems.

On April 27, Bennett Haselton of href="http://www.peacefire.org/">Peacefire, an organization that promotes freedom
of speech on the Web, reported a problem with Qualcomm's popular href="http://www.eudora.com/">Eudora mail program. Many users of PCs and Macs use
Eudora as a replacement for the email readers that come with their systems. href="http://www.peacefire.org/security/stealthattach/">The problem in Eudora has
to do with a mistake in the default configuration that permits an attacker to send
email that can execute code on the target's system when a link is selected.

Eudora, like most PC and Mac email clients, displays URLs as links. Eudora warns
users if selecting a link will start a program on their computer, but Qualcomm left out
the .lnk extension in its list of file types that might launch a program.
The company recommends that users add the .lnk extension to their
Eudora.ini file, as in:

WarnLaunchExtensions=exe|com|bat|cmd|pif|htm|do|xl|reg|lnk

You may wonder why a user would click on a URL that points to a link file on his own
computer. The answer is that the average user might not know that that he's doing it.
Hiding the real source of the link is trivial, as Eudora will print whatever appears
between the anchor tags (a href and /a), which can appear
to be a legitimate link. For example:

http://www.cnn.com/2000/ALLPOLITICS/stories/04/26/hrc.townhall/

displays a local link that appear to point to CNN.

Before you run off and decide that you don't want to read email with Eudora, keep in
mind that Outlook has had many more problems in the last year, mostly related to the
execution of JavaScript. Security-conscious users of Outlook and Outlook Express
disable Active Scripting in an effort to avoid these problems, which include the
reading of files and execution of code on a user's system. Microsoft has href="http://support.microsoft.com/support/kb/articles/q235/3/09.asp">more advice about
securing Outlook.

Keep in mind that even without the ability to execute JavaScript code, attackers (or
even just "evil" Websites) can do interesting things with JavaScript. One example is
the "site from hell" which, using a simple JavaScript program, always opens a new
browser window at the site whenever you attempt to close the old one, thus preventing
you from ever leaving. A more subtle trick replaces what you see in the status line
(the text window at the bottom of the screen) with whatever the malicious party wants.
While normally you would see the URL of the site a link points to when your cursor is
over the link, a couple of lines of JavaScript can put any value the attacker wants in
the status line.

Email clients, particularly Outlook and Outlook Express, have changed the way I view
Internet security. Once, only systems running server software could be actively
attacked and broken into. But with email software that executes code, it has become
possible to attack desktops just by sending email to the victim. And identifying the
email software used by an individual is as simple as receiving email from the potential
victim. Mail headers (not displayed by default by email readers) include a line
identifying the mail agent used.

The very paranoid print their email before reading it. A somewhat more practical
approach is to disable features like Active Scripting in your email tools, as well as
making certain that you are using the most recent patches.

I don't use a fancy email reader, so I fall somewhere between the very paranoid and
the simply paranoid. I suggest you do likewise.

ITworld.com