102 lines
4.5 KiB
Plaintext
102 lines
4.5 KiB
Plaintext
From jhardin@wolfenet.com Mon Aug 3 17:17:25 1998
|
|
X-Delivered: at request of bin on uncle
|
|
Received: from wolfenet.com (root@frapp.wolfe.net [207.178.61.5])
|
|
by uncle.ssc.com (8.8.5/8.8.5) with ESMTP id RAA20843
|
|
for <gazette@ssc.com>; Mon, 3 Aug 1998 17:17:24 -0700
|
|
Received: from gypsy.rubyriver.com (root@sea-e24.wolfenet.com [209.63.211.24])
|
|
by wolfenet.com (8.8.8/8.8.8) with ESMTP id RAA22512
|
|
for <gazette@ssc.com>; Mon, 3 Aug 1998 17:17:19 -0700 (PDT)
|
|
Received: from localhost (jhardin@gypsy.wolfenet.com [127.0.0.1])
|
|
by gypsy.rubyriver.com (8.8.8/8.8.8) with SMTP id RAA30779
|
|
for <gazette@ssc.com>; Mon, 3 Aug 1998 17:16:47 -0700
|
|
Date: Mon, 3 Aug 1998 17:16:45 -0700 (PDT)
|
|
From: "John D. Hardin" <jhardin@wolfenet.com>
|
|
X-Sender: jhardin@gypsy.rubyriver.com
|
|
To: gazette@ssc.com
|
|
Subject: ANNOUNCE: Procmail Filters Kit blocks MIME buffer-overflow exploit messages
|
|
Message-ID: <Pine.LNX.3.96.980803171559.30772A-100000@gypsy.rubyriver.com>
|
|
MIME-Version: 1.0
|
|
Content-Type: TEXT/PLAIN; charset=US-ASCII
|
|
Status: RO
|
|
|
|
(For publication as you see fit)
|
|
|
|
Linux and other *nix admins out there *worldwide* who process email for
|
|
anyone using a Windows-based email client should read through this - ISPs
|
|
in particular. If your email environment has no Windows desktops, you
|
|
don't need to worry (well, at least not about the Outlook Worm... :)
|
|
|
|
Perhaps MS should rename their email client to "Lookout!!!" >:) [1]
|
|
|
|
-----------------------------------------------------------------------
|
|
|
|
A server-side fix for the email security hole in Outlook, Outlook Express,
|
|
Netscape Mail (and who knows what other Windows-based email clients)
|
|
*does* exist. It is based upon the Procmail email filtering program (which
|
|
is installed as the default delivery agent in Redhat Linux). Any Linux or
|
|
other *nix system administrator providing email services for Windows users
|
|
should consider installing this set of security filters.
|
|
|
|
This email filtering does nothing to fix the bug itself. Instead, it
|
|
prevents users from receiving messages containing an exploit. Corporations
|
|
and ISPs can install this software on their email servers and sanitize
|
|
email as it is received, before it is even transferred to the end-user's
|
|
system to be read. This will give the client vendors time to develop, test
|
|
and publish patches, and administrators time to make sure all of their
|
|
users (or clients in the case of an ISP) are notified and have their email
|
|
clients patched.
|
|
|
|
The filters package sanitizes the following possible remote exploits and
|
|
undesirable behavior:
|
|
|
|
- MIME attachment filenames longer than 100 characters are truncated to 64
|
|
characters. This is short enough to avoid triggering the security hole in
|
|
the email client programs, yet should be long enough for real-life
|
|
filenames.
|
|
|
|
- Excessively long "Content-Type:" MIME headers are truncated, preventing
|
|
buffer-overflow crashes or exploits in some email clients.
|
|
|
|
- Executable attachments have their filenames mangled so that they cannot
|
|
be executed merely by double-clicking on them; instead they must be saved
|
|
and renamed manually. I have had reports of executable attachments
|
|
(typically HTML files) being automatically run without user intervention
|
|
in some mail clients.
|
|
|
|
- Active HTML tags in the email body (OBJECT, APPLET, SCRIPT, etc.) are
|
|
mangled to prevent their automatic execution. This prevents things like an
|
|
email message that, whenever you try to read it, shuts down your email
|
|
client, automatically opens a porn site in a browser window, or freezes or
|
|
crashes your system.
|
|
|
|
The Procmail email sanitizing ruleset by itself is available at
|
|
ftp://ftp.rubyriver.com/pub/jhardin/antispam/html-trap.procmail
|
|
I have also uploaded it to sunsite.unc.edu - it should be available there
|
|
shortly.
|
|
|
|
You can also visit my Procmail Filters Kit web page at
|
|
http://www.wolfenet.com/~jhardin/procmail-kit.html
|
|
for more details, installation instructions and the full modular anti-spam
|
|
filters kit.
|
|
|
|
For media hype, visit
|
|
http://www.sjmercury.com/business/tech/docs/secure080298.htm
|
|
|
|
|
|
[1] I know: old joke. Sorry.
|
|
|
|
--
|
|
John Hardin KA7OHZ jhardin@wolfenet.com
|
|
pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5
|
|
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
|
|
-----------------------------------------------------------------------
|
|
Your mouse has moved. Windows NT must be restarted for the change
|
|
to take effect. Reboot now? [ OK ]
|
|
-----------------------------------------------------------------------
|
|
84 days until Daylight Savings Time ends
|
|
|
|
|
|
|
|
|
|
|