Prevent Current and Future E-Mail Worms
http://www2.axent.com/swat/News/Advisory.asp?id=2000-044

By Woody Thrower, Stan Burnett, and Gary Wahlquist - AXENT Technologies

The recent ILOVEYOU worm and its many variants (see CERT Advisory: http://www.cert.org/advisories/CA-2000-04.html) have reminded the world of the dangers of malicious E-mail file attachments. Earlier, Bubbleboy (http://www.zdnet.com/zdnn/stories/news/0,4586,2390778,00.html) demonstrated that it is possible for E-mail to automatically execute malicious code, even without the user opening an attachment. The malicious possibilities of scripted E-mail are virtually unlimited.

While Microsoft has released an update (http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm) to fix the specific scripting vulnerabilities exploited by Bubbleboy, other scripting vulnerabilities can be expected in the future. Indeed, new scripting vulnerabilities continue to be discovered. Take a look at what the next generation of worms might look like in a recent ZDNET article, Mere Child's Play: http://www.zdnet.co.uk/news/2000/18/ns-15326.html.

In spite of the latest Microsoft patches, insecurely configured Outlook 98, Outlook Express 5, and Outlook 2000 are still vulnerable to attacks. For example, JavaScript can be embedded in E-mail sent to these clients that automatically opens a browser window to a URL specified by the sender. Using this method, attackers could submit form data on your behalf, or load web pages to exploit vulnerabilities not directly exploitable via E-mail. This vulnerability can also be used in conjunction with the newly discovered cookie leak in Internet Explorer (http://www.peacefire.org/security/iecookies/) that allows malicious web sites to collect cookies from other sites. Cookies are often used as a form of authentication, or contain other sensitive information.
If you are using the current default configuration for Outlook 98, Outlook Express 5, or Outlook 2000, an attacker could steal your cookies simply by sending you E-mail. Combined with self-replication as performed by the ILOVEYOU worm, these vulnerabilities are truly disturbing. One unimaginative but dangerous possibility is a self-replicating distributed denial-of-service (DDoS) agent. Previous DDoS attacks have involved dozens, or perhaps hundreds, of systems. Imagine being bombarded by a denial-of-service attack from every ILOVEYOU victim.

A troubling, underlying issue with E-mail security is that some products install powerful scripting capabilities by default. Most people do not want or need scripting support in E-mail. The majority of users do not need or want Microsoft's Windows Scripting Host enabled. Very few people need the ability to run VBScripts by double-clicking.

Countermeasures

AXENT recommends the following countermeasures for a significantly safer E-mail environment.

* Disable E-mail scripting in Outlook/Outlook Express.

Vulnerabilities in the default configuration of Outlook 98, Outlook Express 5, and Outlook 2000 make systems susceptible to serious compromise simply by viewing E-mail (without opening any attachments). Protect yourself by reconfiguring Outlook 98, Outlook Express 5, and Outlook 2000 as described in the pages listed below. Note: Outlook 97 does not appear to support scripting in E-mail, and is therefore not vulnerable.

Outlook 98: http://www2.axent.com/swat/News/mailsecurity/O98.html
Outlook Express 5: http://www2.axent.com/swat/News/mailsecurity/OE5.html
Outlook 2000: http://www2.axent.com/swat/News/mailsecurity/O2000.html

* Disable Windows Scripting Host.

Windows Scripting Host (WSH) can be used legitimately to automate tasks when using the Windows operating system, but it can also be exploited by worms such as ILOVEYOU and Bubbleboy.
Though some users with legitimate scripting needs may choose not to disable WSH, disabling Windows Scripting Host will virtually eliminate the possibility of accidentally executing a malicious .VBS file.

Instructions: http://www2.axent.com/swat/News/disableWSH.html

* Remove the VBS (Visual Basic Script) file extension from the Registered File Types list.

The ILOVEYOU variety of worm requires that your system have the VBS extension "registered" in order to spread. If this association is removed, users cannot execute VBScripts by double-clicking the script. Remove the VBS extension from "Registered file types" for a more secure system. If necessary, users can still run legitimate VBScripts using the Wscript.exe program. Note: Other file types (such as .REG files) can also be dangerous, and can be removed from the Registered File Types list for a more secure system.

Instructions: http://www2.axent.com/swat/News/disableVBS.html

* Install Microsoft fixes.

Install the Microsoft update that fixes the scriptlet.typelib/Eyedog vulnerabilities (these vulnerabilities allow Bubbleboy and other worms to work). AXENT also recommends that you install two additional E-mail related fixes: the "Active Setup Control" Vulnerability and the "File Access URL" Vulnerability. Check the Microsoft Security Advisor (http://www.microsoft.com/security/default.asp) regularly for Bulletins and fixes to other vulnerabilities, which are published weekly.

scriptlet.typelib/Eyedog update: http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm
Active Setup Control update: http://www.microsoft.com/technet/security/bulletin/ms99-048.asp
File Access URL update: http://www.microsoft.com/technet/security/bulletin/ms99-049.asp

* Filter out scripts, binary executables, batch files, etc. sent as E-mail attachments.

It is unlikely that many people in your organization need to be exchanging code by E-mail. Those who do can simply send a compressed copy to avoid being filtered.
* Continue to exercise extreme caution with file attachments.

Don't open unexpected attachments from trusted sources until you confirm that they actually sent them. Never open attachments from suspicious or unknown sources.

Resources

* Mere Child's Play (ZDNET article on the future of worm attacks)
  http://www.zdnet.co.uk/news/2000/18/ns-15326.html
* Frequently Asked Questions About Malicious Web Scripts Redirected by Web Sites
  http://www.cert.org/tech_tips/malicious_code_FAQ.html
* CERT Advisory CA-2000-04 Love Letter Worm
  http://www.cert.org/advisories/CA-2000-04.html
* 'Bubbleboy' Virus Propagates on Web
  http://www.zdnet.com/zdnn/stories/news/0,4586,2390778,00.html
* Microsoft Update to Correct the 'scriptlet.typelib/Eyedog' Vulnerabilities
  http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm
* Microsoft Security Program: Microsoft Security Bulletin (MS99-032)
  http://www.microsoft.com/technet/security/bulletin/ms99-032.asp
* Microsoft Security Program: Frequently Asked Questions: Microsoft Security Bulletin (MS99-032)
  http://www.microsoft.com/technet/security/bulletin/fq99-032.asp
* Microsoft Security Advisory Home Page
  http://www.microsoft.com/security/default.asp
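The attachment-filtering countermeasure above, and the "compromise simply by viewing E-mail" vector the advisory opens with, as an added example that is not AXENT's code: a small mail-gateway scanner that walks a MIME message, blocks script, executable, batch and .REG attachments by final extension (so a double-extension name such as INVOICE.TXT.vbs is still classed as .vbs), and flags HTML bodies that carry script. The blocked-extension set and the sample message are assumptions constructed for the example.

```python
"""Mail-gateway attachment and script filter (added example, not AXENT's code). Stdlib only."""
import re
from email import message_from_string

# Attachment types the advisory says to filter: scripts, executables, batch files, .REG.
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".exe",
                      ".com", ".bat", ".cmd", ".pif", ".scr", ".reg"}
# Markers of scripting inside an HTML body (the "compromise by viewing E-mail" vector).
SCRIPT_MARKER = re.compile(r"<script\b|javascript:|vbscript:", re.IGNORECASE)

def attachment_extension(filename):
    """Final extension, lower-cased with its dot, or '' if none; NOTE.TXT.vbs -> .vbs."""
    return "." + filename.rsplit(".", 1)[1].lower() if "." in filename else ""

def scan_message(raw):
    """Walk every MIME part of a raw RFC 822 message; return a list of findings."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            ext = attachment_extension(filename)
            if ext in BLOCKED_EXTENSIONS:
                findings.append("attachment %s: blocked type %s" % (filename, ext))
        elif part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "latin-1"
            body = part.get_payload(decode=True).decode(charset, "replace")
            if SCRIPT_MARKER.search(body):
                findings.append("html body: embedded script")
    return findings

# Constructed sample: an HTML body that scripts a browser window open, plus a VBScript
# attachment using the double-extension trick (.TXT.vbs shows as .TXT when Windows hides
# known extensions). The script payload is inert.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>Hi!<script>window.open("http://example.invalid/")</script></body></html>
--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="INVOICE.TXT.vbs"

MsgBox "constructed sample, does nothing"
--b1--
"""
```

Running `scan_message(SAMPLE)` returns two findings, one for the scripted HTML body and one for the .vbs attachment; a plain-text message with no attachments returns an empty list.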