To: Andrew Orlowski, grog@lemis.com
CC: russell@flora.ca
Subject: MSFT ignorance of MIME
Date: Wed, 04 Feb 2004 20:59:41 -0500
From: Michael Richardson

-----BEGIN PGP SIGNED MESSAGE-----

>>>>> "Andrew" == Andrew Orlowski writes:

    Andrew> Many thanks for pointing me to Bernard's presentation.

Very welcome.

    Andrew> story I think it would be a shame not to mention simple security
    Andrew> steps such as MSFT ignoring MIME. Can you explain this for me and
    Andrew> comment?

Let's start at the beginning. Forgive me if you know this, but I need to
start from somewhere.

Almost every email in the past 10-12 years has a MIME type. Yours, for
instance, has:

    Content-Type: text/plain; charset="us-ascii" ; format="flowed"
                   ^    ^             ^                   ^
                   |    |             |                   \--- (%)
              major-type minor-type   encoding

Your mail user agent is particularly compliant. I'm not sure what you are
running, but it sure ain't OutHouse!

A type like text/plain should be treated as straight ASCII (well, whatever
character set it says; us-ascii means 7-bit only) and displayed. (%%)

A type like image/jpg should be passed *DIRECTLY* to the image viewer, and
decoded and displayed.

What does MSFT do? They ignored the entire MIME type, except that text/*
gets displayed. Everything else gets sent, *UNEXAMINED*, to the Microsoft
extension/file-content examiner. This system has no concept of the security
level of the file (local disk, email, internet), guesses the file type from
the extension, and launches whatever application the registry says to
launch.

So, a virus writer can send a file, say named "myniceass.jpg.exe", with a
type of "image/jpeg". A well-written MUA would look at that, start the image
viewer, and display static to the user. OutHouse, however, removes the
extension, giving "myniceass.jpg" in the display, notes it is image/jpeg,
and the user then can click on the attachment, thinking they are displaying
an image. But the real file name is "myniceass.jpg.exe", which OutHouse will
happily run. After all, the user told them to do that, right?

So, MSFT puts more checks in, but since they never pay attention to the MIME
type, and instead think they know better, we get virus after virus after
virus.

The MyDoom attack vector goes one step further. First, it uses ZIP to send
the files. Lots of virus checkers haven't been looking inside of ZIP files,
and lots of dumb users have been using that to send DOC files around
thinking it would keep them safe from viruses. So, lots of people are
familiar with having to unzip attachments.

The second thing is that WinZip, or whatever program does it on XP, needs to
be AS PARANOID about letting users double-click on the contents of ZIP files
as OutHouse really should be.

If the system were designed properly, then no user would ever log in as
Administrator on XP. Yet that is the default "home user" setting. Even if
you log in as a "mortal" on XP, you can still get screwed. Every time
OutHouse had an attachment (even an image) that it wanted to display, it
would become another user - one with no permissions to edit the registry -
and then run the "display tool". Even so, a user could easily be confused
into doing the wrong thing. HTML email makes this particularly easy, since
users get trained to expect email to sing and dance for them. Sigh.

Greg Lehey has some good pages on (%) things.

(%) - MSFT has embraced and extended email here. OutHouse thinks that all
emails are supposed to be displayed as format=flowed and that it doesn't
have to mark emails that it wants displayed that way as format=flowed. The
result is that OutHouse users think that a pre-formatted email looks like
garbage, and their emails look like garbage to everyone else. Of course,
OutHouse to OutHouse looks fine.
See: http://www.lemis.com/email/email-format.html

(%%) - Of course, Microsoft claims "latin1" on messages that contain illegal
codes. Apple seems to have some mailers (maybe Outlook on Mac?) that do
different things, but even worse, their "SmartQuotes" show up as
superscripted 1, 2, 3.
See: http://people.lemis.com/email/email-charset.html

BTW: Greg, I'm at a loss as to why your Emacs gets the right glyph.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Xelerance Corporation, Ottawa, ON       |net architect[
] mcr@xelerance.com  http://www.sandelman.ottawa.on.ca/mcr/     |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
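As an added illustration (not part of Michael's mail), here is a small Python check that does what he says a well-written MUA should do: it picks the handler from the declared Content-Type alone and flags a filename like "myniceass.jpg.exe" that would mislead a client which launches by extension. The handler table, the executable-extension list and the sample message are all constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions a mail client must never hand to a launch-by-extension shell
# (assumed list for this example; extend to local policy).
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js"}

# Assumed handler table: keyed on the MIME major type alone, never the name.
HANDLERS = {"text": "display-as-text", "image": "image-viewer"}

def classify_part(part):
    """Return (handler, verdict, filename) for one MIME part.

    The handler comes from Content-Type only; the verdict records whether
    the filename would mislead a client that trusts extensions instead.
    """
    name = part.get_filename() or ""
    exts = name.lower().split(".")[1:]   # every extension, not just the last
    handler = HANDLERS.get(part.get_content_maintype(), "quarantine")
    if exts and exts[-1] in EXECUTABLE_EXTS:
        verdict = "executable-extension-mismatch"   # image/jpeg + .jpg.exe
    elif len(exts) > 1:
        verdict = "double-extension"
    else:
        verdict = "ok"
    return handler, verdict, name

def scan_message(raw):
    """Classify every attachment in a raw RFC 2822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [classify_part(p) for p in msg.iter_attachments()]

def build_sample():
    """Constructed message (not a real capture): one disguised executable
    and one honest image, both declared image/jpeg."""
    msg = EmailMessage()
    msg["Subject"] = "pics"
    msg.set_content("see attached")
    msg.add_attachment(b"MZ\x90\x00", maintype="image", subtype="jpeg",
                       filename="myniceass.jpg.exe")
    msg.add_attachment(b"\xff\xd8\xff\xe0", maintype="image", subtype="jpeg",
                       filename="holiday.jpg")
    return msg.as_string()

if __name__ == "__main__":
    for handler, verdict, name in scan_message(build_sample()):
        print(f"{name}: handler={handler} verdict={verdict}")
```

Both parts go to the image viewer because that is what the declared type says; only the verdict differs, which is where a mail client or gateway should refuse, rename or quarantine the first part.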