Prevent Current and Future E-Mail Worms
By Woody Thrower, Stan Burnett, and Gary Wahlquist - AXENT Technologies
The recent ILOVEYOU worm and its many variants (see CERT Advisory:
http://www.cert.org/advisories/CA-2000-04.html) have reminded the world
of the dangers of malicious E-mail file attachments. Earlier, Bubbleboy
demonstrated that it is possible for E-mail to automatically execute
malicious code, even without the user opening an attachment.
The malicious possibilities of scripted E-mail are virtually unlimited.
While Microsoft has released an update
to fix the specific scripting vulnerabilities exploited by Bubbleboy,
other scripting vulnerabilities can be expected in the future. Indeed,
new scripting vulnerabilities continue to be discovered. Take a look at
what the next generation of worms might look like in a recent ZDNET
article, Mere Child's Play:
In spite of the latest Microsoft patches, insecurely configured Outlook
98, Outlook Express 5, and Outlook 2000 are still vulnerable to attacks.
that automatically opens a browser window to a URL specified by the
sender. Using this method, attackers could submit form data on your
behalf, or load web pages to exploit vulnerabilities not directly
exploitable via E-mail. This vulnerability can also be used in
conjunction with the newly discovered cookie leak in Internet Explorer
(http://www.peacefire.org/security/iecookies/) that allows malicious web
sites to collect cookies from other sites. Cookies are often used as a
form of authentication, or contain other sensitive information. If you
are using the current default configuration for Outlook 98, Outlook
Express 5, or Outlook 2000, an attacker could steal your cookies simply
by sending you E-mail.
Combined with self-replication as performed by the ILOVEYOU worm, these
vulnerabilities are truly disturbing. One unimaginative but dangerous
possibility is a self-replicating distributed denial-of-service (DDoS)
agent. Previous DDoS attacks have involved dozens, or maybe hundreds of
systems. Imagine being bombarded by a denial-of-service attack from
every ILOVEYOU victim.
A troubling, underlying issue with E-mail security is that some products
install powerful scripting capabilities by default. Most people do not
want or need scripting support in E-mail. The majority of users do not
need or want Microsoft's Windows Scripting Host enabled. Very few people
need the ability to run VBScripts by double-clicking.
AXENT recommends the following countermeasures for a significantly safer
* Disable E-mail scripting in Outlook/Outlook Express.
Vulnerabilities in the default configuration of Outlook 98, Outlook
Express 5, and Outlook 2000 make systems susceptible to serious
compromise simply by viewing E-mail (without opening any
attachments). Protect yourself by reconfiguring Outlook 98, Outlook
Express 5, and Outlook 2000 as described in the pages listed below.
Note: Outlook 97 does not appear to support scripting in e-mail, and
is therefore not vulnerable.
Outlook 98: http://www2.axent.com/swat/News/mailsecurity/O98.html
Outlook Express 5: http://www2.axent.com/swat/News/mailsecurity/OE5.html
Outlook 2000: http://www2.axent.com/swat/News/mailsecurity/O2000.html
* Disable Windows Scripting Host.
Windows Scripting Host (WSH) can be used legitimately to automate
tasks when using the Windows operating system, but it can also be
exploited by worms such as ILOVEYOU and Bubbleboy. Though some users
with legitimate scripting needs may choose not to disable WSH,
disabling Windows Scripting Host will virtually eliminate the
possibility of accidentally executing a malicious .VBS file.
* Remove the VBS (Visual Basic Script) file extension from the
Registered File Types list.
The ILOVEYOU variety of worm requires that your system have the VBS
extension "registered" in order to spread. If this association is
removed, users cannot execute VBScripts by double-clicking the
script. Remove the VBS extension from "Registered file types" for a
more secure system. If necessary, users can still run legitimate
VBScripts using the Wscript.exe program. Note: Other file types (such
as .REG files) can also be dangerous, and can be removed from the
Registered File Types list for a more secure system.
* Install Microsoft fixes.
Install the Microsoft update that fixes the scriptlet.typelib/Eyedog
vulnerabilities (these vulnerabilities allow Bubbleboy and other
worms to work). AXENT also recommends that you install two additional
E-mail related fixes: "Active Setup Control" Vulnerability and "File
Access URL" Vulnerability. Check the Microsoft Security Advisor
(http://www.microsoft.com/security/default.asp) regularly for
Bulletins and fixes to other vulnerabilities that are published
Active Setup Control update:
File Access URL update:
* Filter out scripts, binary executables, batch files, etc. sent as
It is unlikely that many people in your organization need to be
exchanging code by E-mail. Those who do can simply send a compressed
copy to avoid being filtered.
* Continue to exercise extreme caution with file attachments.
Don't open unexpected attachments from trusted sources until you
confirm that they actually sent them. Never open attachments from
suspicious or unknown sources.
* Mere Child's Play (ZDNET article on the future of worm attacks)
* Frequently Asked Questions About Malicious Web Scripts Redirected by
* CERT Advisory CA-2000-04 Love Letter Worm
* 'Bubbleboy' Virus Propagates on Web
* Microsoft Update to Correct the 'scriptlet.typelib/Eyedog'
* Microsoft Security Program: Microsoft Security Bulletin (MS99-032)
* Microsoft Security Program: Frequently Asked Questions: Microsoft
Security Bulletin (MS99-032)
* Microsoft Security Advisory Home Page