Prevent Current and Future E-Mail Worms

[securityteam () AXENT COM (AXENT Security Team)]

Prevent Current and Future E-Mail Worms
http://www2.axent.com/swat/News/Advisory.asp?id=2000-044

By Woody Thrower, Stan Burnett, and Gary Wahlquist - AXENT Technologies

The recent ILOVEYOU worm and its many variants (see CERT Advisory:
http://www.cert.org/advisories/CA-2000-04.html) have reminded the world
of the dangers of malicious E-mail file attachments.  Earlier, Bubbleboy
(http://www.zdnet.com/zdnn/stories/news/0,4586,2390778,00.html)
demonstrated that it is possible for E-mail to automatically execute
malicious code, even without the user opening an attachment.

The malicious possibilities of scripted E-mail are virtually unlimited.
While Microsoft has released an update
(http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm)
to fix the specific scripting vulnerabilities exploited by Bubbleboy,
other scripting vulnerabilities can be expected in the future. Indeed,
new scripting vulnerabilities continue to be discovered. Take a look at
what the next generation of worms might look like in a recent ZDNET
article, Mere Child's Play:
http://www.zdnet.co.uk/news/2000/18/ns-15326.html.

In spite of the latest Microsoft patches, insecurely configured Outlook
98, Outlook Express 5, and Outlook 2000 are still vulnerable to attacks.
For example, JavaScript can be embedded in E-mail sent to these clients
that automatically opens a browser window to a URL specified by the
sender. Using this method, attackers could submit form data on your
behalf, or load web pages to exploit vulnerabilities not directly
exploitable via E-mail. This vulnerability can also be used in
conjunction with the newly discovered cookie leak in Internet Explorer
(http://www.peacefire.org/security/iecookies/) that allows malicious web
sites to collect cookies from other sites.  Cookies are often used as a
form of authentication, or contain other sensitive information. If you
are using the current default configuration for Outlook 98, Outlook
Express 5, or Outlook 2000, an attacker could steal your cookies simply
by sending you E-mail.

Combined with self-replication as performed by the ILOVEYOU worm, these
vulnerabilities are truly disturbing. One unimaginative but dangerous
possibility is a self-replicating distributed denial-of-service (DDoS)
agent. Previous DDoS attacks have involved dozens, or maybe hundreds of
systems. Imagine being bombarded by a denial-of-service attack from
every ILOVEYOU victim.

A troubling, underlying issue with E-mail security is that some products
install powerful scripting capabilities by default. Most people do not
want or need scripting support in E-mail. The majority of users do not
need or want Microsoft's Windows Scripting Host enabled. Very few people
need the ability to run VBScripts by double-clicking.

Countermeasures

AXENT recommends the following countermeasures for a significantly safer
E-mail environment.

 * Disable E-mail scripting in Outlook/Outlook Express.

   Vulnerabilities in the default configuration of Outlook 98, Outlook
   Express 5, and Outlook 2000 make systems susceptible to serious
   compromise simply by viewing E-mail (without opening any
   attachments). Protect yourself by reconfiguring Outlook 98, Outlook
   Express 5, and Outlook 2000 as described in the pages listed below.
   Note: Outlook 97 does not appear to support scripting in e-mail, and
   is therefore not vulnerable.

   Outlook 98: http://www2.axent.com/swat/News/mailsecurity/O98.html
   Outlook Express 5: http://www2.axent.com/swat/News/mailsecurity/OE5.html
   Outlook 2000: http://www2.axent.com/swat/News/mailsecurity/O2000.html

 * Disable Windows Scripting Host.

   Windows Scripting Host (WSH) can be used legitimately to automate
   tasks when using the Windows operating system, but it can also be
   exploited by worms such as ILOVEYOU and Bubbleboy. Though some users
   with legitimate scripting needs may choose not to disable WSH,
   disabling Windows Scripting Host will virtually eliminate the
   possibility of accidentally executing a malicious .VBS file.

   Instructions: http://www2.axent.com/swat/News/disableWSH.html

 * Remove the VBS (Visual Basic Script) file extension from the
   Registered File Types list.

   The ILOVEYOU variety of worm requires that your system have the VBS
   extension "registered" in order to spread. If this association is
   removed, users cannot execute VBScripts by double-clicking the
   script. Remove the VBS extension from "Registered file types" for a
   more secure system. If necessary, users can still run legitimate
   VBScripts using the Wscript.exe program. Note: Other file types (such
   as .REG files) can also be dangerous, and can be removed from the
   Registered File Types list for a more secure system.

   Instructions: http://www2.axent.com/swat/News/disableVBS.html

 * Install Microsoft fixes.

   Install the Microsoft update that fixes the scriptlet.typelib/Eyedog
   vulnerabilities (these vulnerabilities allow Bubbleboy and other
   worms to work). AXENT also recommends that you install two additional
   E-mail related fixes: "Active Setup Control" Vulnerability and "File
   Access URL" Vulnerability. Check the Microsoft Security Advisor
   (http://www.microsoft.com/security/default.asp) regularly for
   Bulletins and fixes to other vulnerabilities that are published
   weekly.

   scriptlet.typelib/Eyedog update:
   http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm

   Active Setup Control update:
   http://www.microsoft.com/technet/security/bulletin/ms99-048.asp

   File Access URL update:
   http://www.microsoft.com/technet/security/bulletin/ms99-049.asp

 * Filter out scripts, binary executables, batch files, etc. sent as
   E-mail attachments.

   It is unlikely that many people in your organization need to be
   exchanging code by E-mail. Those who do can simply send a compressed
   copy to avoid being filtered.

 * Continue to exercise extreme caution with file attachments.

   Don't open unexpected attachments from trusted sources until you
   confirm that they actually sent them. Never open attachments from
   suspicious or unknown sources.

Resources

 * Mere Child's Play (ZDNET article on the future of worm attacks)
   http://www.zdnet.co.uk/news/2000/18/ns-15326.html

 * Frequently Asked Questions About Malicious Web Scripts Redirected by
   Web Sites
   http://www.cert.org/tech_tips/malicious_code_FAQ.html

 * CERT Advisory CA-2000-04 Love Letter Worm
   http://www.cert.org/advisories/CA-2000-04.html

 * 'Bubbleboy' Virus Propagates on Web
   http://www.zdnet.com/zdnn/stories/news/0,4586,2390778,00.html

 * Microsoft Update to Correct the 'scriptlet.typelib/Eyedog'
   Vulnerabilities
   http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm

 * Microsoft Security Program: Microsoft Security Bulletin (MS99-032)
   http://www.microsoft.com/technet/security/bulletin/ms99-032.asp

 * Microsoft Security Program: Frequently Asked Questions: Microsoft
   Security Bulletin (MS99-032)
   http://www.microsoft.com/technet/security/bulletin/fq99-032.asp

 * Microsoft Security Advisory Home Page
   http://www.microsoft.com/security/default.asp