TalkBack 13 of 24:
More nonsense.
Thunderbird on Fedora will politely ask if I wish to download any executable file attached to an email. The "Open With" option is grayed out, so I don't even have the option of shooting myself in the foot by allowing the bug to exploit another running process (outside of Thunderbird itself). This is on BIN executables. Same with shell scripts (either inline or as attachments). Thunderbird/Fedora asks if I'd like to download the script or open it with a text editor. Since my default text editor is gedit, which has absolutely no provisions for actually executing shell code...nothing happens. Except that I can read the sloppy code of the idiot who thought they could exploit my system via an email attachment.

Either way, I have to explicitly download the attachment, locate the attachment on my local drive in another program (Xterm, Konsole or Konqueror), su myself and set the executable flag. If I merely download an executable to my home directory from my email client, then surf to it via my default filesystem browser (Konqueror) and double-click it trying to get it to run, Konqueror refuses, instead presenting me with a list of legitimately installed programs within which to open it, assuming that I wish to edit the file rather than execute it (it has no execute permissions, remember).

Even though you can subvert this whole mechanism, it takes a pretty slick programmer. Recognize also that I've not even enabled SELinux, which comes standard on Fedora now and provides even finer-grained control over your system. It's just much, much easier to run a fluffer on a Windows install and get 90% of your work done for you while you go watch reruns of 'Friends' on the tube. The relative numbers of Windows systems versus Linux systems have nothing to do with it. If I could push some sort of magic button and remove ActiveX from every Windows system currently running, malware exploits should instantly drop somewhere over 75% (admittedly my own rough estimate) judging from the list at Secunia of all the Windows exploits that require ActiveX. Go read Secunia's list sometime. At first you'll be amazed...then shocked...then angered when you consider the history of Microsoft being warned about the dangers of ActiveX over a decade ago and pointedly ignoring the security of end users. Here's a great quote from a honcho at Microsoft back in the day (from Wikipedia):

...Microsoft recognized the problem with ActiveX as far back as 1996 when Charles Fitzgerald, program manager of Microsoft's Java team said "If you want security on the 'Net', unplug your computer. ... We never made the claim up front that ActiveX is intrinsically secure."

From corporatewatch.org:

"Our products just aren't engineered for security," said Brian Valentine, Microsoft senior vice president for Windows development. Another Microsoft executive recently explained they never paid attention to security "Because customers wouldn't pay for it until recently."

Oh, but WAIT. MORE FUN:

http://www.schneier.com/blog/archives/2006/07/load_activex_co.html

Wonderful. Microsoft is going to allow you to install ActiveX controls without admin privileges on Vista! How long do you think it will take for this to get abused by organized crime?
Posted by: UserLand   Posted on: 11/09/06
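
An added example, not part of the original post or thread: the permission behaviour the post describes, shown as a shell check a defender can run against a download directory. The file name `invoice.sh`, the temporary directory and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo: all paths, file names and function names are hypothetical.

# Emulate a mail client saving an attachment: a plain write honours the
# umask, so the file is created 0644 with no execute bit.
save_attachment() {            # $1 = directory, $2 = file name
    ( umask 022
      printf '#!/bin/sh\necho "attachment ran"\n' > "$1/$2" )
}

# Try to execute the file directly and print the shell's exit status.
# 126 means "found but not executable" (the kernel refused with EACCES).
try_exec() {                   # $1 = path
    if "$1" >/dev/null 2>&1; then
        echo 0
    else
        echo $?
    fi
}

# Defender's check: list regular files in a download directory that have
# any execute bit set (owner, group or other).
find_executables() {           # $1 = directory
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

demo() {
    dir=$(mktemp -d) || return 1
    save_attachment "$dir" invoice.sh
    echo "exit status of direct execution: $(try_exec "$dir/invoice.sh")"
    echo "executables after save:  [$(find_executables "$dir")]"
    chmod u+x "$dir/invoice.sh"   # the explicit step the post describes
    echo "executables after chmod: [$(find_executables "$dir")]"
    rm -rf "$dir"
}
demo
```

Running `find_executables` periodically over a mail or browser download directory flags any saved file that has acquired an execute bit.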
