How does MS come up with these brilliant ideas?

A new virus is making the rounds, Swen. Not a new concept, but better-crafted than most.

It relies on a programming feature (no, not a bug, not a mistake, not an accident, but a feature that was designed to do exactly what the virus does) that allows ANY incoming email message to automatically execute WITHOUT THE USER EVEN HAVING TO OPEN ANY ATTACHMENT.

(Before I continue my rant, if you download all the latest patches and/or service packs from Microsoft, and don’t click on attachments, you are safe. A current anti-virus program wouldn’t hurt, either. Or if you have a Mac, you lucky dog. :smiley: )

Pretend we are a fly on the wall when the Microsofties were brainstorming new features for the next Outlook a few years back.

“Let’s make incoming email attachments auto-execute by default. That way I can send all my friends programs that will start immediately! And we’ll enable this by default, so we know it will work out of the box!”

What the fuck are you CPU-dead ass-hat fuckers thinking??? ANY incoming email can fucking auto-execute? Do you fucking think that everyone in the fucking world is a fucking GOOD PERSON and would fucking never, ever, ever send a fucking malicious program to someone fucking else? Hunh? Fucking-Hunh?..said the fly on the wall, but nobody heard him.

I hope I said this strongly enough. :slight_smile:

P.S. Thanks for the job security, Microsoft.

As a long-term Mac user, let me just remind you: it isn’t luck, it is just being sensible.

Smile when you say that, Po’dner. :smiley:

Just you wait – a Mac virus is inevitable, and when it happens, you Mac pussies will be wide open. :eek: Mark my words.

Not to start a war here but the first thing someone needs to do before they crack MacOS X is crack BSD Unix. Not an easy accomplishment by any measure.
In any case, MS software does have a tendency to have auto-enabled features (like 4 open ports) that just make anyone who learns about them cry “What the fuck were they thinking!!!”

At least it keeps me employed.

Actually, if you use non-Microsoft e-mail products like Eudora, you won’t have this issue. I mean, yes, you’ll still have a virus-infected file as an attachment, but it won’t open automatically.

Oops. Wrong link; sorry about that. It should be: right for this one.

Where are you getting all your information? Certainly not from the link which states “The worm… takes advantage of a two-year-old hole in Internet Explorer and affects systems that have not installed a patch for that security hole.” Sounds like a security oversight to me.

Furthermore I’ve used Outlook and Outlook Express for years and I’m not aware of any feature that will allow an attachment to execute without explicit action on the part of the user.

Betcha can’t wait until MS is behind every ATM!

True, bnorton, but MS has a history of these oversights, so many in fact, that some don’t think they’re pushing the boundaries of impossibility to imagine that MS wasn’t really looking in the first place.

Shipping OSs with a web server running by default (a la Code Red), making e-mail clients that execute code sent over e-mail (MS invented the e-mail virus. The concept was actually laughed at until Outlook came along)… their track record is not good.

You can say that the Mac and *nix market for virii is underserved due to lack of popularity, but I firmly believe accessibility to be a big reason too.

Oh. It’s in the Pit. Um… fucking Outlook!

Listen, I too am thankful for the gaping holes left behind by the money grubbers in Redmond, it keeps me in overtime, but there’s really more to talk about, I think. When you ask something like “what the fuck were they thinking?” the answer can only be “about money.” The sector itself forces technological proliferation, yes MS bears a large part of it, the lion’s share, actually, but the proliferation is the problem, MS is merely profiting from it, wildly so, yet they remain but a player in a much larger game.

Not everybody needs a computer, hell, not everybody needs a cell phone, but everybody who’s anybody has one of each. We as a nation have been oversold, undereducated, and personally devalued, so that, like the diamond industry, our demand for new and better and faster, and shinier technology is created by the same group that supplies said product.

People with less than remedial reading and math skills are purchasing equipment that helped, at one time, to discover cures for diseases, and better ways to build damn near everything. That technology is used today, to shoot at digital deer, email dirty jokes and cheat on one’s spouse.

Personally, I applaud MS. Good for them, toeing the industry line like that. It’s made Billy a dozen metric tons of cash, and created jobs for all of us, fixing the holes and putting out the fires.

From Trendmicro.com:

I use an old Netscape email package, partly for the same reason. Most viruses have code that Netscape can’t render, and the screen is blank or garbage. It serves as an early-warning system. None of that new-fangled gadgetry for me.

I have yet to see anything to suggest that the worm was taking advantage of an MS feature. This worm was exploiting a security bug or oversight. You are claiming that security was breached by a feature that was knowingly and intentionally put in there by MS. I don’t see anything to indicate that.

You may have a point, bnorton, in this particular case. But look at this:

from a news article I found at random, about a similar situation. MS wrote a feature to automatically execute incoming mail, and relied on a file name/type being honest. How naive is this? Doesn’t MS have any real hackers in their stable of programmers?

The article continues:

Another fine example of marketing decisions trumping common sense.

Already happened. Does anyone remember the autostart virus from a few years ago? I get a lot of Mac discs from clients. When that hit, it hit the fan. Most Mac people had no idea how to get virus protection (other than Disinfectant, freeware that hasn’t been current for years.) I have a whole wall of floppies with variations of the autostart virus.
Just as a hobby, not for distribution.
Really.

Just Don’t. Piss. Me. Off. :smiley:

No, all you have to do is crack a particular service that runs on BSD Unix. OpenSSH and Sendmail, for example, have both had recent exploits.

Actually, that’s wrong, too. Eudora has exactly the same potential for causing a security hole as Outlook. It’s just another app dealing with a lot of untrustworthy data. All it takes is a particular type of bug and a Eudora-based email virus can occur. Why hasn’t it happened? I can tell you that it’s not because the Eudora programmers are so much better. It’s because Eudora isn’t a good virus platform until it gets a much bigger market share.

I’ll stand corrected on that note, if you’re running those services you are vulnerable. Fortunately though, in the desktop version of OS X (I can’t speak for the server version) they aren’t enabled by default so the average user is safe even from most of those 'sploits.

FTR, the Eudora quote wasn’t by me, it was by SkipMagic. Though I will say that I have to agree with him on it being essentially more secure than Outlook. As much as I hate my organization’s main IRT department they always have reasons for making certain software the standard and in the case of org-wide e-mail it’s Eudora.

Sorry, that second quote was by SkipMagic. Cut-n-paste error on my part since you can’t automatically quote two separate people.

And sure, there are fine reasons for deciding to make Eudora your company-wide email client. It’s a quality product and for all we know, they get a fantastic deal on it. But that doesn’t change my point: it’s not necessarily any more secure than Outlook or Outlook Express when it comes to security exploits. I guarantee you that if Eudora was magically installed on every windows PC in the world, the security holes would be uncovered.

Microsoft’s problem, for years, has been that they were/are “feature driven,” spending a lot of time and effort making sure that the features they advertise and promote work properly. However, they never considered security a feature on the same level. Same thing with reliability, especially with older versions.

Things like that Media Player scripting Musicat mentioned, it’s forced to be on so that a dopey user doesn’t turn it off then think the ‘feature’ on MP is broken. However, they’ve just broken their security, but since it’s not a feature, they don’t worry so much.

The end user is to blame as well, we kept buying Windows computers even though the security and reliability was low, because we wanted the neato features.

A few more high profile worms and virii, and MS will have more incentive to consider security an important feature in their products.