by June 19, 2000 0 comments

A security
hole in Outlook and Outlook Express allows scripts embedded in HTML
formatted messages to run without warning. What this means is that
if any incoming e-mail (in HTML format) contains malicious script,
it would run on your system without warning, and have the potential
to do serious damage, even up to erasing your hard disk. What’s
notable is that such a message would appear as ordinary e-mail, and
wouldn’t even have an attachment.


The cause of the
vulnerability is that scripting has been enabled by default in these
mail programs. In Outlook 2000, you can change this by configuring
it to use the restricted sites zone for security and customize this
zone to turn off Active Scripting. For this:




  • On the Tools menu, click Options.



  • On the Security tab, click Restricted Sites in
    the Zone list, and then click Zone Settings.



  • Click OK to the message that appears, which will
    be a warning about the fact that you’re about to change security
    settings that’ll change the way scripts run in IE, Outlook,
    Outlook Express, etc.



  • Select the Restricted Sites icon, and then click
    Custom level.



  • Under Scripting/Active Scripting, click
    Disable.



  • Click OK, Yes, OK, and OK to close the open
    windows and apply the setting.


To change the security
settings in Outlook Express, you can do this in the security
settings of Internet Explorer (Go to Tools>Internet Options,
select Restricted sites in the Security tab, and follow the above
procedure).


Security hole in
Netscape


According to
BugNet, cookies in Netscape Communicator 4.x can allow Webmasters to
look at the bookmark files and browser cache files of Web
browsers.


Cookies are used by
Websites to personalize their content according to the user. Cookies
also contain authentication information so that the user doesn’t
need to login every time he visits the site. They have embedded
JavaScript, which is deposited in your machine when you visit the
concerned Website.


If Netscape is your browser….

If Netscape is your
browser, it sets up user profile folders–one for each user of the
software–under its Users folder (if you’ve installed it in your C
drive, you can see the folder in C:/Program Files/Netscape/Users).
However, the first name in this folder is “default”, and unless you
supply another name when Netscape prompts you to do so during setup,
there will be a folder named “default” in your Netscape folder. The
JavaScript-encrusted cookie will look into this folder and can look
at data such as your cache files or bookmarks.


Even if you’ve supplied a
name during setup, you’re still not totally safe. For example, you
may have supplied a name that’s also the username of say, your
e-mail ID. If you fill a form on a Website that includes this e-mail
ID, a Webmaster who can read that information may try and guess your
profile and thus gain access to this folder.


Until Netscape comes out
with a patch for this hole, there are some things you can do. First,
you can disable cookies, and then, turn off JavaScript from running
on your browser. To disable cookies, click Edit>Preferences in
Navigator, and go to Advanced. Here, you can choose to reject all
cookies, or set Navigator to warn you before accepting a cookie. You
can also turn off JavaScript from here by unchecking it.


However, doing this would
mean that you can’t use some functionalities in the Websites you
visit.


The Love
bug


Love is not
such a desirable thing any longer, at least where the Internet’s
concerned. The fastest-traveling virus in recent times, it has
already caused extensive damage worldwide, and new variants are
coming up by the day. To see a list of such variants, go to www.
symantec.com At last count, the virus already had 29 variants. It
spreads via e-mail and chat. The subject of the e-mail message is “I
Love You”, the body of the message says “kindly check the attached
LOVELETTER “coming from me”, and attached to the message is the file
“Love-letter-for-you.txt.vbs”.


The VBS.Loveletter….

The VBS.Loveletter.A virus,
and its variants e-mail themselves to all the addresses in your
Outlook address book, and also spread through Internet chat rooms
via mIRC. It creates a script.ini file in the mIRC directory, which
sends the dropped file Love-letter-for-you.htm to other users in the
chat room.


It executes when the
attachment to the above-mentioned mail is opened, and overwrites
files on your local as well as remote network drives. It affects
files with the extensions JPG, JPEG, GIF, WAV, TXT, DOC, HTM, HTML,
XLS, VBS, VBE, JS, JSE, CSS, WSH, SCT, HTA, INI, MP3, and MP2, and
variant G also overwrites BAT and COM files. MP3 and MP2 files
aren’t destroyed, they’re merely hidden from you.


When executed, the worm
copies itself into the Windows directory as Win32dll.vbs, and in the
Windows System directory as MSKernel32.vbs and
Love-letter-for-you.txt.vbs. It then checks if Winfat32.exe exists
in the Windows System directory. If the file exists, the worm
creates the registry key HKEY_
LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX
to execute the file on start up. The Internet Start page is then
replaced with a blank page.


If the file doesn’t exist,
the worm sets the Start page to a Website with the file
Win-bugsfix.exe. It tries to download and execute this file, which
is a password-stealing program that e-mails any cached passwords to
the mail address mailme@super.net.ph. This Website, however, has now
been blocked.


The worm then searches
files with the above extensions. When it finds these files, it
creates a file with the same name, but with a VBS extension (that
is, a file called picture.jpg would become picture.jpg.vbs) and
copies the source code of the worm into it, thus making more copies
of the worm itself. Launching any of these files or double-clicking
on them will cause your computer to become infected.


The biggest precaution
against infection is to not open any attachments by the above name
or by the name of the variants, even if they’re from people you
know. The next thing to do is to keep updating your anti-virus
software, because most vendors are adding new updates as more
variants of the worm are found.

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.

Your data will be safe!Your e-mail address will not be published. Also other data will not be shared with third person.