Computer Knowledge Newsletter – November 1998 Issue

In This Issue:

Getting to be a habit… I apologize once again for the delay. I took another vacation trip, this time to the Grand Canyon. That and the write-up took a fair part of the discretionary time available this month. See the trip at: http://tomsdomain.com/travel/tours/grandcanyon/

Virus News

HTML Viruses Discovered. That’s right, under certain circumstances you can now get a virus through specially-formatted web pages–pages that run scripts.

Accessing an infected HTML file causes a script in the HTML file to run automatically if your browser security settings allow it. In the case of one of these viruses, the script searches for all *.HTM and *.HTML files in the current directory and all directories above it and infects them. The infection basically prepends the virus to the HTML file. In another, all *.VBS (Visual Basic Script) files in the current directory are overwritten. A third infects JS (JavaScript) as well as VBS files.

The WinScript.Rabbit virus, one of the early models, has a bug that causes all infected files to be copied to your desktop. Since it infects all files in the browser’s cache this can quickly fill up your desktop with infected file icons.

These viruses are able to operate under all versions of Win95, Win98, and WinNT if the Microsoft Scripting Host is installed (the host is standard in Win98 and NT 5.0; prior versions of the operating system require a special update).

Check your browser’s security settings and make certain that it won’t automatically run scripts from the internet. Then immediately update your anti-virus program and keep it updated. Once a new virus type is developed new strains tend to spread rapidly. Further, expect to see script viruses that drop macro viruses and macro viruses that export code to VBS files. That makes cross-file (DOC, HTML, VBS, and possibly JS, CHM, or INF) viruses likely.
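As an added illustration (not part of the original newsletter), here is a small Python scanner that walks a directory such as the browser cache and flags HTM/HTML/VBS/JS files showing the two tell-tale signs described above: a script block prepended ahead of the document, and Windows Scripting Host file-system calls. The indicator strings and the sample files are this example's own assumptions, not a vendor signature.

```python
import re
import tempfile
from pathlib import Path

# Heuristic indicators taken from the behaviour described above (this example's
# own assumption, not a published signature): a script block sitting ahead of the
# document, plus the Windows Scripting Host file-system calls needed to rewrite files.
SCAN_SUFFIXES = {".htm", ".html", ".vbs", ".js"}
FSO_OBJECT = "scripting.filesystemobject"
FILE_CALLS = ("opentextfile(", "createtextfile(", "getfolder(")
PREPENDED_SCRIPT = re.compile(r"\A\s*<script\b", re.IGNORECASE)

def suspicious_indicators(text, suffix):
    """Return the reasons a file looks like a scripting-host virus (empty if clean)."""
    lowered = text.lower()
    reasons = []
    if suffix in (".htm", ".html") and PREPENDED_SCRIPT.search(text):
        reasons.append("script block prepended before the document")
    if FSO_OBJECT in lowered and any(call in lowered for call in FILE_CALLS):
        reasons.append("script instantiates FileSystemObject and touches files")
    return reasons

def scan_directory(root):
    """Recursively scan root; map each flagged file (relative POSIX path) to its reasons."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            reasons = suspicious_indicators(path.read_text(encoding="latin-1"), path.suffix.lower())
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings

def demo():
    """Build a constructed sample tree (clean page, flagged cached page, clean VBS) and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "cache").mkdir()
    samples = {
        "index.html": "<html><body>Hello</body></html>\n",
        # Inert fragment carrying only the indicator strings; it does nothing when run.
        "cache/page.htm": ('<script language="VBScript">\n'
                           'Set fso = CreateObject("Scripting.FileSystemObject")\n'
                           "' constructed marker only: fso.OpenTextFile( is never called\n"
                           "</script>\n<html><body>Page</body></html>\n"),
        "tidy.vbs": 'WScript.Echo "no file access here"\n',
    }
    for rel, body in samples.items():
        (root / rel).write_text(body, encoding="latin-1")
    return scan_directory(root)
```

Run demo() to see only the cached page flagged, with both reasons listed; point scan_directory at a real cache folder to check your own machine.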

Detecting All Viruses. Some product marketing touts the product’s ability to detect all viruses, past, present and future. While a virus pioneer has proved mathematically that it’s theoretically possible to detect all viruses, that proof also showed that it’s not possible to do so reliably with computation alone. So, no product currently on the market can rightfully make the claim they detect all future viruses and survive testing to prove it.

Now, having said that, modern scanners can often detect more than just what they are programmed to detect, since they now rely on far more sophisticated techniques than just looking up a scanning string in a database. More modern techniques include looking at a program’s startup code, looking at the beginning and end of programs (where most viruses attach themselves), and even emulating the startup code of a program to detect viruses that change themselves on each infection. Often, these techniques allow anti-virus programs to detect both newly written variants and even new viruses altogether.

But, nothing detects everything for all time! That’s why I keep harping on the fact that you MUST continue to keep your anti-virus software up to date. Nothing else will do the job. I don’t care what their marketing department says.

General Security

Is E-mail safe? The classic E-mail hoax warnings (Penpal, Bud frogs, etc.) continue to circle the web. And, they and others like them are hoax warnings. But, might there be just a hint of truth behind them?

Unfortunately, with modern-day E-mail programs there could be.

The problem is not in E-mail itself. You still can’t have anything bad happen to you if you send and read text messages. The problem is that modern E-mail clients, in an effort to get your business, have started to add active content to E-mail (HTML scripts, etc.) and then depend upon browser software to read and act on the active material in the E-mail. As we’ve written many times here, the implementation of active material by browsers is not particularly secure. Therein lies the problem.

And, the problem is not just limited to Netscape and Microsoft browsers and their related E-mail components. Other programs (Eudora to cite one example, there are others) use the browser code available on a user’s computer to display the active content for them. So, if there is a security problem with the browser code ALL programs that use that code are at risk, not just the browser.

I’ll describe some of the potential problems in a minute, but so that you don’t get bored by that and miss the important stuff let’s look at what you can do to help protect yourself.

Basically, the best thing you can do is what I’ve done: get yourself back as close to plain ASCII as you can. While I use Eudora for my mail program I have explicitly turned off all active content (ActiveX, JavaScript, Java, etc.) and have set the reader to NEVER automatically execute any attachment. Some messages that come in are not as pretty as the person who sent them may have wanted but at least I can feel safe that nothing is going to step in and bite me without my explicitly telling it to (if I’m crazy enough to click on an attachment and run it before checking it out that’s my decision, not the computer’s–and, frankly, you’re better off not sending me attachments as most of them get deleted without my looking at them).
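As an added example (not from the original newsletter or from Eudora), the following Python sanitizer does for an HTML message what the settings above do in the client: it strips script blocks, embedded objects and applets, on* event handlers and javascript: links before anything is displayed, and keeps an audit list of what it removed. The element list and the sample message are assumptions constructed for the example.

```python
import html
from html.parser import HTMLParser

# Elements whose content is active or pulls in remote code are discarded whole;
# the element list and attribute rules below are this example's own choices.
ACTIVE_ELEMENTS = {"script", "object", "applet", "embed", "iframe", "style"}
URL_ATTRS = {"href", "src", "action"}

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # rebuilt, inert markup
        self.skip_depth = 0    # > 0 while inside an active element
        self.dropped = []      # audit trail of what was removed

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self.skip_depth += 1
            self.dropped.append(f"<{tag}>")
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):                    # onload=, onmouseover=, ...
                self.dropped.append(f"{tag}@{name}")
            elif name in URL_ATTRS and (value or "").strip().lower().startswith("javascript:"):
                self.dropped.append(f"{tag}@{name}=javascript:")
            else:
                kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_ELEMENTS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

def sanitize(message):
    """Return (inert HTML, list of dropped active items) for one message body."""
    parser = MailSanitizer()
    parser.feed(message)
    parser.close()
    return "".join(parser.out), parser.dropped

SAMPLE = (  # constructed message: onload handler, script block, javascript: link
    '<html><body onload="run()"><p>Hi <b>Tom</b></p><script>run()</script>'
    '<a href="javascript:run()">link</a><a href="http://example.com/">ok</a></body></html>')
```

sanitize(SAMPLE) returns the message with the handler, the script and the javascript: link gone, and the audit list ['body@onload', '<script>', 'a@href=javascript:'].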

OK, that’s what you can do. Now, why should you do it; what can happen using today’s active content with active code turned on and attachments run automatically?

Well, let’s take the latter first. The problems associated with letting attachments have free rein on your system without any checks should be fairly obvious. ANYTHING CAN HAPPEN. I can write a program that will wipe your disk clean without any warning and that won’t be detected by anti-virus programs (because it’s not a virus, it’s a Trojan Horse) and call it anything I wish. If I were to do that and send it to you and you allowed attachments to execute automatically, your disk would be wiped clean before you realized what had happened. [I feel obligated to say this is all theory, I’d never do that; but not all people are of that same mindset.]

That’s a fairly extreme example, but tone it down in whatever way you want relative to the damage done (sending your disk directory to another person, sending your financial files to someone else, just blanking your screen) and you can see that running attachments without knowing the person they come from very well and checking them yourself (maybe even running them first on an expendable computer) is a really bad thing to do.

But, what about the active content?

Web Techniques magazine (http://www.webtechniques.com) reports that Richard Smith, one of the founders of Phar Lap Software, took a look at active content and found over a dozen exploits available in current E-mail clients, particularly Windows-based clients. They range from simply opening a new full-screen window without a close box in an attempt to fool you into thinking the screen had gone blank, to sending a Java applet that gets stored on the client computer and, when run, since it’s running on the client and not via the web, has free rein to do whatever the programmer wants it to do instead of being limited by the normal Java “sandbox.”

Some other things that can be done include notifying the author of a newsgroup message when you have read it; crashing Windows 95 with an ActiveX control; corrupting in-box files; and posting unpleasant newsgroup messages so that they appear to come from you.

We’ve described some of these as they were discovered and, of course, patches have been developed that fix most of them (so keep your E-mail software up to date as well). But, it’s guaranteed that these are not the only problems that will be found and it’s almost a certainty that there will be other problems with newer software. Why? Because there seems to be a steady trend toward more active content in E-mail, a combining of software on the local machine and on the internet, and a complete lack of any operating system security plan dealing with active content (it seems to be ad hoc–find a problem and fix it).

So, for now, avoid the temptations of active content and turn it off, along with automatic processing of attachments. It’s just not safe to do otherwise.

Information of Interest

Track Down Info. If you’re looking for people or businesses AT&T runs an interesting site you might want to consider:

http://www.anywho.com/bgq.html

There you can search in the usual way or, if you are so inclined, you can perform reverse telephone number lookups on partial phone numbers. And, when you do find a listing with an address you click on the address and are given the listings for others on that street. Just the thing if you’ve forgotten your neighbor’s name; just search for yours, then click on the address and find your neighbor. (By my experiment, it’s not complete; but a good start.)

New on the Web Site

This past month I’ve been working on the personal web site. It’s quite a job building up a new domain. The travel/tours section has gotten the most work so far.

http://tomsdomain.com/

Come, visit, and read all about it.

In closing: Happy holidays to each and every one.