[vox-tech] Linux's Vulnerability to E-mail Viruses

Richard Crawford vox-tech@lists.lugod.org
24 Apr 2002 21:55:22 -0700


Mike,

I'd like to pass this on to another list that I'm on which is discussing
just this issue.  May I?

Richard


On Wed, 2002-04-24 at 21:47, msimons@moria.simons-clan.com wrote:
> On Wed, Apr 24, 2002 at 09:21:12PM -0700, Richard S. Crawford wrote:
> > I'm operating under the assumption that while viruses for Linux that
> > spread like Windows viruses are very rare, there are still some out
> > there.
> > 
> > So, given that, what level of vigilance is necessary against incoming
> > viruses in a Linux system?
> 
> Richard,
> 
>   Short answer: don't read email as root, don't open attachments from 
> email ever, do update your mail handling system from time to time
> especially if you heard about an exploit in some component you use,
> and do think before you react to an email.
> 
> 
> Email borne viruses fall into three main categories:
> 
> - Vulnerabilities in your mail handling system,
>   (mail server, fetchmail, procmail, email client, etc...)
> 
>     These are typically stack overflow problems and should be very rare
>   and fixed by the upstream maintainers in a heartbeat once found
>   (sometimes quietly fixed); however, these fixes get a fair amount of
>   publicity if found in the wild.
> 
> - Vulnerabilities in your attachment processing system or programs,
>   (mail client auto-open-attachments, mailcap, 
>    openoffice, abiword, gnumeric, etc...)
> 
>     A mailcap configuration _can_ be extremely dangerous, because you
>   can elect to do anything you want with a data stream based on its
>   mimetype.  If you pass an outside data stream to a vulnerable program
>   with mailcap, or even manually, you are at risk of any exploits against
>   that program.
> 
>     There are a large number of these holes which exist, and some
>   get created or closed every day.  Basically any program you run
>   that can be fed an input file and crashes is a hole and should not
>   be trusted with a mail-borne data stream.  Fixes are not generally
>   well published; as long as you stick to text-based email you are safe.
> 
>     If you are doing mail as your own user the good news is you can
>   not damage the system, just wipe out the files owned by your user
>   account.  This is until someone builds a super virus which would
>   get initial user access through an application vulnerability, then
>   run a collection of local-root exploits to take over root.  This will
>   be front page news practically everywhere.
> 
> - Vulnerabilities in wetware processing the mail,
>   ("send to all your friends or else", "Make money fast", 
>    "do X and your hair won't fall out"
>    save-to-file/change-to-file/chmod-to-executable/run-[as-root])
> 
>     There isn't much that can be done about these people, short
>   of turning on spam filters, education, or execution (depending
>   on your stance).
> 
>     TTFN,
>       Mike
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
-- 
Sliante,
Richard S. Crawford

mailto:rscrawford@mossroot.com		http://www.mossroot.com
AIM:  Buffalo2K   ICQ: 11646404  Yahoo!: rscrawford
MSN:  underpope@hotmail.com

"It is only with the heart that we see rightly; what is essential is
invisible to the eye."  --Antoine de Saint Exupery
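Mike's point about mailcap above, as an added example that is not part of the original thread: a small Python audit of RFC 1524 mailcap entries that reports which program each mimetype would hand an attachment body to (the `%s` argument) and flags entries whose viewer is an interpreter, so the attachment itself gets executed. The sample mailcap text and the INTERPRETERS set are constructed assumptions, not a real system file.

```python
import re
import shlex

# Constructed sample ~/.mailcap (not a real system file): three ordinary viewer
# entries plus one that hands the attachment straight to a shell interpreter.
SAMPLE_MAILCAP = r"""
text/html; lynx -dump %s; copiousoutput; \
    description="HTML rendered as plain text"
application/pdf; xpdf %s; test=test -n "$DISPLAY"
application/x-sh; sh %s; needsterminal
image/*; display %s
"""

# Programs that execute their input rather than render it (assumed list; extend per site).
INTERPRETERS = {"sh", "bash", "ksh", "zsh", "perl", "python", "ruby", "xargs", "env"}

def parse_mailcap(text):
    """Parse RFC 1524 mailcap text into a list of (mimetype, command, flags)."""
    # A trailing backslash continues the entry on the next physical line.
    logical = re.sub(r"\\\n\s*", " ", text)
    entries = []
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Fields are separated by ';'; a literal semicolon is written '\;'.
        fields = [f.strip().replace(r"\;", ";") for f in re.split(r"(?<!\\);", line)]
        if len(fields) < 2:
            continue
        mimetype, command, *rest = fields
        flags = {}
        for field in rest:
            key, sep, value = field.partition("=")
            flags[key.strip()] = value.strip() if sep else True
        entries.append((mimetype.lower(), command, flags))
    return entries

def viewer_programs(text):
    """Map each mimetype to the program that would receive the attachment (%s)."""
    result = {}
    for mimetype, command, _flags in parse_mailcap(text):
        argv = shlex.split(command)
        if argv:
            result[mimetype] = argv[0].rsplit("/", 1)[-1]
    return result

def risky_entries(text):
    """Mimetypes whose viewer is an interpreter: the attachment itself gets executed."""
    return [m for m, prog in viewer_programs(text).items() if prog in INTERPRETERS]
```

Run it over the real `/etc/mailcap` and `~/.mailcap` to see every program that untrusted attachment data can reach on your system.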