[7580] in bugtraq
Re: Eudora security bug - executes URL
daemon@ATHENA.MIT.EDU (Steve Bellovin)
Fri Aug 7 22:53:42 1998
Date: Fri, 7 Aug 1998 20:29:40 -0400
Reply-To: Steve Bellovin <smb@RESEARCH.ATT.COM>
From: Steve Bellovin <smb@RESEARCH.ATT.COM>
X-To: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
In message <Pine.SUN.4.01.9808071550190.7443-100000@dfw.nationwide.net>, Aleph
...
> As you may or may not know, IE is little more than a wrapper around the MS
> HTML rendering component. Many other vendors, including Qualcomm, find it
> easy to reuse this component to display HTML instead of having to write
> their own HTML rendering engine or to license one from a third party.
> The HTML component has many options, including whether to turn on or off
> things like Java/JavaScript.
>
....
>
> There are no security checks performed as this is a local file and is
> trusted.
>
> It should be noted that any products using the HTML component may also
> fail to turn off things like Java and JavaScript and may be vulnerable
> to similar attacks.
This is a crucial point. The exploit is a direct result of Microsoft's
decision to merge, as much as possible, the desktop and the Net.
That's a laudable idea, in many ways, and the navigation concepts are
similar. But there is a crucial difference in trustworthiness, and
the Microsoft notion depends on (a) perfect bookkeeping, and (b) perfect
entry points. The .LNK failure in IE4 was an example of how (a) failed;
the Eudora problem illustrates a failure of (b). Both notions are
fatally flawed, in that they require far too much trust in far too many
pieces of code.
I should note that (a)-type failures have been seen in many other cases,
notably sendmail. Sendmail treats program execution as an address;
for security, it tries to restrict it to alias expansion. But that
means that every place an address can appear must check to ensure that
it isn't program delivery. Of course, there are so many different
places that addresses can appear that it was inevitable that not all
of them would be checked -- and we've seen the results many different
times. By contrast, the upas mailer developed at Bell Labs circa 1984
does execution as part of local delivery. Addresses per se cannot refer
to programs, even by alias expansion. And no, that wasn't an accident;
it was a deliberate design decision by Dave Presotto.
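The sendmail/upas contrast above, as an added illustration that is not from the post or from either mailer: a constructed toy address router in Python in which design (a) treats a program as a kind of address and relies on every entry point to check for it, while design (b) keeps programs out of the address grammar entirely and reaches them only through a local delivery table. All names, tables and paths are hypothetical.

```python
import re
# Constructed tables (hypothetical data, not taken from the post or from either mailer).
SENDMAIL_ALIASES = {"staff": ["alice", "bob"],
                    "archive": ["|/usr/local/bin/archive-mail"]}  # (a): a program IS an address
UPAS_ALIASES = {"staff": ["alice", "bob"]}                        # (b): aliases name addresses only
UPAS_DELIVERY = {"archive": ("program", "/usr/local/bin/archive-mail")}  # (b): execution lives here
LOCAL_ADDR = re.compile(r"^[A-Za-z0-9._-]+$")  # (b): the address grammar cannot spell "|cmd"

def expand(aliases, addr):
    """Recursively expand an alias; names absent from the table are leaves."""
    if addr not in aliases:
        return [addr]
    return [leaf for target in aliases[addr] for leaf in expand(aliases, target)]

def sendmail_rcpt(addr):
    """Design (a), entry point that remembered the check (e.g. envelope recipient):
    "|cmd" is legal only when produced by alias expansion, not when supplied."""
    if addr.startswith("|"):
        raise ValueError("program address from the network rejected")
    return expand(SENDMAIL_ALIASES, addr)

def sendmail_forward(addr):
    """Design (a), a second entry point (e.g. a forwarding target) that forgot the
    check: the same resolver now returns something the mailer would execute."""
    return expand(SENDMAIL_ALIASES, addr)

def upas_resolve(addr):
    """Design (b): every address, supplied or expanded, must fit the grammar, so
    no entry point can forget a check it never had to make."""
    leaves = expand(UPAS_ALIASES, addr)
    bad = [a for a in leaves if not LOCAL_ADDR.match(a)]
    if bad:
        raise ValueError("not an address: %r" % bad[0])
    return leaves

def upas_deliver(addr):
    """Design (b): running a program is a local-delivery action bound to a user
    name in local configuration, never something an incoming address requests."""
    return [UPAS_DELIVERY.get(a, ("mailbox", "/var/mail/" + a)) for a in upas_resolve(addr)]

def rejected(entry_point, addr):
    """True if the entry point refuses the address with ValueError."""
    try:
        entry_point(addr)
    except ValueError:
        return True
    return False
```

In (a) the forgotten check in `sendmail_forward` lets a supplied program address reach the resolver unchanged; in (b) the same input is unrepresentable, and the only program in the system is the one named in `UPAS_DELIVERY`.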