[vox-tech] Linux's Vulnerability to E-mail Viruses

vox-tech@lists.lugod.org
Thu, 25 Apr 2002 00:47:01 -0400


On Wed, Apr 24, 2002 at 09:21:12PM -0700, Richard S. Crawford wrote:
> I'm operating under the assumption that while viruses for Linux that
> spread like Windows viruses are very rare, there are still some out
> there.
> 
> So, given that, what level of vigilance is necessary against incoming
> viruses in a Linux system?

Richard,

  Short answer: don't read email as root, don't open attachments from 
email ever, do update your mail handling system from time to time,
especially if you hear about an exploit in some component you use,
and do think before you react to an email.


Email borne viruses fall into three main categories:

- Vulnerabilities in your mail handling system,
  (mail server, fetchmail, procmail, email client, etc...)

    These are typically stack overflow problems and should be very rare,
  and fixed by the upstream maintainers in a heartbeat once found 
  (sometimes quietly fixed); however, these fixes get a fair amount of 
  publicity if found in the wild.

- Vulnerabilities in your attachment processing system or programs,
  (mail client auto-open-attachments, mailcap, 
   openoffice, abiword, gnumeric, etc...)

    A mailcap configuration _can_ be extremely dangerous, because you
  can elect to do anything you want with a data stream based on its 
  mimetype.  If you pass an outside data stream to a vulnerable program 
  with mailcap or even manually, you are at risk of any exploits against
  that program.

    There are a large number of these holes which exist, and some
  get created or closed every day.  Basically any program you run 
  that can be fed an input file and crashes is a hole and should not
  be trusted with a mail-borne data stream.  Fixes are not generally
  well published; as long as you stick to text-based email you are safe.

    If you are doing mail as your own user, the good news is you
  cannot damage the system, just wipe out the files owned by your user
  account.  This is until someone builds a super virus which would 
  get initial user access through an application vulnerability, then 
  run a collection of local-root exploits to take over root.  This will
  be front page news practically everywhere.

- Vulnerabilities in wetware processing the mail,
  ("send to all your friends or else", "Make money fast", 
   "do X and your hair won't fall out"
   save-to-file/change-to-file/chmod-to-executable/run-[as-root])

    There isn't much that can be done about these people, short
  of turning on spam filters, education, or execution (depending
  on your stance).

    TTFN,
      Mike
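The mailcap risk Mike describes above, as an added example that is not part of the original post: a small Python audit (sample mailcap file and risk heuristics constructed for this example) that lists which programs a mailcap would feed mail-borne attachments to, and flags wildcard types and handlers that run the attachment as code.

```python
"""Audit a mailcap file for entries that hand mail-borne data to outside programs.
Entries look like  type/subtype; command; flag; key=value ...  with a trailing
backslash continuing the entry and '\\;' a literal semicolon.  The sample file
and the heuristics are constructed for this example, not from the original post."""
import os
import re

SAMPLE_MAILCAP = r"""
text/plain; less '%s'; needsterminal
application/pdf; xpdf '%s'; test=test -n "$DISPLAY"
application/x-sh; sh '%s'
*/*; xdg-open '%s'
image/*; display '%s' \
  ; copiousoutput
"""
# Handlers that execute the attachment as code rather than merely parsing it.
INTERPRETERS = {"sh", "bash", "dash", "perl", "python", "python3", "ruby"}

def parse_mailcap(text):
    """Yield (mimetype, command, flags) per entry, joining continuation lines."""
    text = re.sub(r"\\\n\s*", " ", text)  # join backslash-continued lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in re.split(r"(?<!\\);", line)]
        if len(fields) >= 2:
            yield fields[0].lower(), fields[1].replace(r"\;", ";"), fields[2:]

def handler_program(cmd):
    """Basename of the program a mailcap command invokes ('' if empty)."""
    parts = cmd.split()
    return os.path.basename(parts[0]) if parts else ""

def exposed_programs(text):
    """Sorted list of every program a mail client would feed an attachment to."""
    return sorted({handler_program(c) for _, c, _ in parse_mailcap(text)} - {""})

def audit_mailcap(text):
    """Return (mimetype, command, reasons) for entries that deserve a second look."""
    findings = []
    for mtype, cmd, _flags in parse_mailcap(text):
        reasons = []
        if "*" in mtype:
            reasons.append("wildcard type routes unknown attachments to a program")
        if handler_program(cmd) in INTERPRETERS:
            reasons.append(f"handler '{handler_program(cmd)}' runs the attachment as code")
        if reasons:
            findings.append((mtype, cmd, reasons))
    return findings
```

To check a real configuration, read ~/.mailcap (and /etc/mailcap) into a string and pass it to audit_mailcap() and exposed_programs(); every program in the second list is one that receives untrusted mail data.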