Digg this story   Add to del.icio.us  
From Text to Trauma
Jon Lasser, 2001-10-17

Email is an insecure relic of an older, gentler age.

The world recently celebrated the thirty year anniversary of the greatest attack vector in the history of malicious computer code: Electronic mail.

It was thirty years ago that Ray Tomlinson used the 'at' sign to send messages between two PDP-10 systems being used to develop ARPANET, the forerunner of today's Internet.

For decades, email's limitations kept it from becoming a channel of attack. There was no reliable way to send any file other than plain text over email in such a way as to be sure that the recipient could interpret it. Plain text was good enough to get your point across, and most Internet connections were so slow that sending almost anything other than plain text was quite painful.

But as high-speed networks became more common, Internet developers believed that a method for multimedia email would soon be necessary. Most envisioned a world where email included spoken-word pieces, photographs or video, publication-ready documents, and, or course, executable files.

And so, in 1992 the Multipurpose Internet Mail Extensions (MIME) standard was formalized, with RFC 1341.

What MIME's developers did not adequately foresee was a world in which people might send unsolicited executable attachments, or a world in which word processor documents were in reality executable files with the ability to take over the entire computer upon which they were opened.

Even today, all the attacks against email that we see are essentially just Trojan horses, where the user clicks on a MIME attachment and infects their system. Some programs can exploit bugs present in earlier versions of Internet Explorer, and force the Outlook and Outlook Express mail readers to execute code automatically, but these bugs, and the programs that exploit them, are rare.

Virus writers have an advantage with Microsoft platforms: Visual Basic as a standard macro language, and the overwhelming use of Microsoft Outlook have made fertile ground for their attacks. But it is entirely possible to attack Unix boxes through email.

There are certainly enough systems running Linux to make a juicy target; they're especially juicy in that so many of them have always-on Internet connections. Many are also multi-user boxes, and perhaps attackers can use that to their advantage. Certainly, Unix lacks the uniformity of the Windows world, but three or four clients comprise the lion's share of the market: PINE and Netscape Communicator are probably the most common. And the underlying Unix infrastructure possesses its share of likely attack mechanisms, including shell escapes, and Unix MIME-handling tools. It's ripe for exploitation.

Many small programs working together -- the Unix philosophy -- can work together for bad as well as for good.

To pick an example, most Linux users can read PDF files, using Acrobat, xpdf, or gv. The "Peachy" virus proved that PDF files can spread viruses on Windows. Can this be abused under Linux? I expect so. Acrobat and gv can both read PostScript files too, and PostScript can be used to do nasty stuff to your system. In fact, Acrobat and gv will both read PostScript files named as though they were PDF files, so users don't even need to be convinced to open up dangerous PostScript files, only "safe" PDF ones. A virus that spread effectively via PDF would be cross-platform.

Email is a relic of an older, gentler age. Hackers can exploit this openness, this trust, in order to destroy our systems --- and there's no reason to believe that they'll stop with Windows. The continuing commercial success of Linux puts it greater risk for such attacks.

SecurityFocus columnist Jon Lasser is the author of Think Unix (2000, Que), an introduction to Linux and Unix for power users. Jon has been involved with Linux and Unix since 1993 and is project coordinator for Bastille Linux, a security hardening package for various Linux distributions. He is a computer security consultant in Baltimore, MD.
    Digg this story   Add to del.icio.us  
Comments Mode:


Privacy Statement
Copyright 2010, SecurityFocus