Bugtraq mailing list archives

Re: Hotmail security vulnerability (viruses)


From: patricks () PARTHENON COM (Sweeney, Patrick)
Date: Tue, 26 Oct 1999 15:42:12 -0400


1. I don't see any ActiveX scripts on Star's web site.  I do see some simple
JavaScript to change images on mouseover -- pretty standard and mostly
harmless.  My browser is set to prompt before downloading or running any
ActiveX scripts.  That and I read the source for the page - no ActiveX, just
JavaScript.

2.  What is absurd about asserting that hotmail should make their best
effort to filter out outgoing messages with a viral payload?  As a free web
based email service it is a simple matter to create an essentially anonymous
account, access that account from an anonymous redirector, like
http://www.anonymizer.com, and send a viral payload to someone.  The nature
of their service makes it ripe for launching an attack.

The culpability for that attack certainly rests with the individual who
launches it, but, if Hotmail does not respond to the fact that their service
is being used this way then they create an externality.  I, as a security
administrator, must create systems and/or procedures to protect my users
from hotmail.  I incur an expense for a service that I don't even use
because that service refuses to clean itself.  There is definitely room to
disagree on this point.  Hotmail is knowingly providing an attack mechanism.
If they made their site an equally accessible launching point for SPAM, they
would be blackholed.

3. The fact that Star internet sees more viruses directed at their client
networks from Hotmail than any other source does not indicate a hole in
Star's defenses.  While a literal interpretation of the comment could
indicate that their clients were actually infected, I doubt that is how
they arrived at their numbers.  I believe they are talking about the number
of viruses they do intercept.  I think it is unlikely they would make public
statements about those viruses they don't see, don't catch, or don't know
about.  (IMO your interpretation is off.  You could argue their choice of
phrasing was poor - but I would disagree.)

If you want to assert that Hotmail should not be responsible for monitoring
outbound email for viral payloads we can agree to disagree.  If you want to
assert that Star networks does not have an interest in protecting their
customers, or is not effective in doing so, you have a responsibility to
provide some evidence.

4. If Hotmail asserts to their customers that they provide virus protection,
they have a responsibility to actually provide effective virus protection.
Failing to protect against the fastest moving, and most damaging macro
viruses just can't count.  That isn't the point of Star's comments, but it
was the previous point of this thread.  (Of course this thread seems pretty
adaptable.)

5. Take what is said in that article with a grain of salt.  While Star may
have some interest in seeing a better AV solution from Hotmail, it looks
like they have at least an equal interest in seeing their company name,
mission, and services in print.

-----Original Message-----
From: Nick FitzGerald [mailto:nick () VIRUS-L DEMON CO UK]
Sent: Monday, October 25, 1999 11:17 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: Hotmail security vulnerability (viruses)

Xander Teunissen to Dan Schrader:

While we are discussing Hotmail, has anyone noticed that Hotmail's
virus scanner doesn't detect most macro viruses - including any of
the Melissa variants?

This article (published on Techweb last Friday) notes that problem yes.
It's not much of a solution (none at all, come to think of it) but it
shows yet another of the problems this service is dealing with and
exposing its users to.

http://techweb.com/wire/story/TWB19991015S0016

A response I posted to Dan Schrader's original comment (above) a few
days back did not make the cut for posting to the list.  It made the
same point as that news story -- that Hotmail is using an "old"
version of its chosen antivirus software that is known to have
difficulties with common, "new" macro viruses ("new" that is, if
you count almost all new viruses in more than the last twelve
months as "new").

The article is also interesting because of this claim:

   Anti-virus experts at Star Internet said they urged Hotmail to fix the
   problem after Hotmail became the biggest source of macro viruses
   in their business customers' networks.

Now, what does this really say?  It seems that Star Internet (and
its customers?) holds Hotmail responsible for the *content* of the
Email Hotmail's customers send.  It also suggests that Star
Internet's own Email scanning technology is far from adequate if
Hotmail really was "the biggest source of macro viruses in their
[Star's] business customers' networks".

Oh yes, a final note -- to see how much Star Internet is really
interested in its customers' security, visit their web site
(http://www.star.co.uk/) with IE and watch for the ActiveX
warning...

Regards,

Nick FitzGerald

