Bugtraq mailing list archives

Re: Eudora security bug - executes URL


From: smb () RESEARCH ATT COM (Steve Bellovin)
Date: Fri, 7 Aug 1998 20:29:40 -0400


In message <Pine.SUN.4.01.9808071550190.7443-100000 () dfw nationwide net>, Aleph
...

As you may or may not know, IE is little more than a wrapper around the MS
HTML rendering component. Many other vendors, including Qualcomm, find it
easy to reuse this component to display HTML instead of having to write
their own HTML rendering engine or to license one from a third party.
The HTML component has many options, including whether to turn on or off
things like Java/JavaScript.

....

There are no security checks performed as this is a local file and is
trusted.

It should be noted that any products using the HTML component may also
fail to turn off things like Java and JavaScript and may be vulnerable
to similar attacks.

This is a crucial point.  The exploit is a direct result of Microsoft's
decision to merge, as much as possible, the desktop and the Net.
That's a laudable idea, in many ways, and the navigation concepts are
similar.  But there is a crucial difference in trustworthiness, and
the Microsoft notion depends on (a) perfect bookkeeping, and (b) perfect
entry points.  The .LNK failure in IE4 was an example of how (a) failed;
the Eudora problem illustrates a failure of (b).  Both notions are
fatally flawed, in that they require far too much trust in far too many
pieces of code.

I should note that (a)-type failures have been seen in many other cases,
notably sendmail.  Sendmail treats program execution as an address;
for security, it tries to restrict it to alias expansion.  But that
means that every place an address can appear must check to ensure that
it isn't program delivery.  Of course, there are so many different
places that addresses can appear that it was inevitable that not all
of them would be checked -- and we've seen the results many different
times.  By contrast, the upas mailer developed at Bell Labs circa 1984
does execution as part of local delivery.  Addresses per se cannot refer
to programs, even by alias expansion.  And no, that wasn't an accident;
it was a deliberate design decision by Dave Presotto.
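The sendmail-versus-upas contrast above, as an added illustration that is not part of Bellovin's post or of either mailer's code: the types, function names and the LOCAL_FILTERS table are hypothetical, and the second sendmail-style entry point is written to show the (a)-type failure, one use site that forgot the check.

```python
from dataclasses import dataclass
from typing import Union

# Design (a), sendmail-style: a program is one kind of address, so every
# code path that accepts an address must remember to reject it.
@dataclass(frozen=True)
class Mailbox:
    user: str

@dataclass(frozen=True)
class Program:          # the "|command" form of an address
    cmd: str

Address = Union[Mailbox, Program]

def parse_sendmail_style(text: str) -> Address:
    return Program(text[1:]) if text.startswith("|") else Mailbox(text)

def deliver_via_alias(addr: Address, from_alias_file: bool) -> str:
    # Entry point that did the bookkeeping: only the alias file may name programs.
    if isinstance(addr, Program):
        if not from_alias_file:
            return "refused: program delivery only from the alias file"
        return f"exec {addr.cmd}"
    return f"mbox {addr.user}"

def deliver_errors_to(addr: Address) -> str:
    # A second entry point (bounce address) that forgot the same check.
    # This is the (a)-type failure: one missed site undoes the whole policy.
    if isinstance(addr, Program):
        return f"exec {addr.cmd}"
    return f"mbox {addr.user}"

# Design (b)-free alternative, upas-style: an address can only ever be a
# mailbox; execution is a property of local delivery, chosen from a table
# the administrator owns, never from the address text itself.
def parse_upas_style(text: str) -> Mailbox:
    return Mailbox(text)    # "|cmd" is just an odd user name, never code

LOCAL_FILTERS = {"vacation-bot": "/usr/lib/vacation"}   # constructed sample

def deliver_upas_style(addr: Mailbox) -> str:
    cmd = LOCAL_FILTERS.get(addr.user)
    return f"exec {cmd}" if cmd else f"mbox {addr.user}"
```

The point of the comparison is that in the second design no caller can be forgotten, because there is no program-valued address for a caller to mishandle.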
