echo: aust_avtech
to: All
from: Rod Gasson
date: 2004-03-28 20:18:00
subject: Re: Locking Windows

From: "Rod Gasson" 
Reply-To: Fidonet AVtech Echo 

From: "Jasen Betts" 
Newsgroups: fido.aust_avtech
To: 
Sent: Saturday, March 27, 2004 7:25 PM
Subject: Re: Locking Windows


>  RG> The Internet, Zip files, doc files with embedded macros, and so forth
>  RG> are still nothing more than transport mechanisms - the virus code
>  RG> STILL needs to be executed before an infection can take place.
>
> you open a zip file and nothing gets run,

Ergo, no virus infection can take place.

> open a document and some automatic macros can run,

Agreed, but who is going to be silly enough to open a doc file from an
unknown source?
Even if you get one of these in email you need to save it out and
double-click on it (minimum action required) in order to cause infection.
How is this any different than extracting a zip file and then double-clicking
on the trashdrive.exe inside it?

What's wrong with viewing doc files of unknown origin with something like
Quickview where no macros can be run?

What I'm getting at here is that there are a million ways to NOT become
infected, and no matter what, a person still has to *actively* DO something
in order to become infected. It doesn't just happen!!

>  >> It seems there was some way to get OE to run stuff without asking
>  >> and there was no way to block it.
>
>  RG> Funny, I check for Mickysoft updates on a daily basis and there
>  RG> haven't been any security updates for nearly a month now.   You
>  RG> must be WAY behind the times.
>
> turns out I mis-read that exploit was blocked in
> "Microsoft Security Bulletin MS03-040."
> (dunno when that was released.)

October 2003, and this was a cumulative patch for Explorer, not Outlook
Express.

>  RG> Please send me a link to this so called patch so I can see how old
>  RG> it really is. I suspect that you may have read one of the recent
>  RG> 'slashdot' stories that relates to a very old bug that was fixed a
>  RG> LOOONG time ago.
>
> I was mistaken, but anyway it was a recent message in the virus echo
> a virus called "W32.Bagle-Q" from "sophos.com"

Bagle-Q (just one of the MANY Bagle variants) are all a lot newer than this
patch. As I said, it's an old exploit that was fixed up ages ago - BUT, even
though this is/was a "recommended security fix" it seems that few people
read the fine print, because BY DEFAULT no one is/was at risk.
The following was taken from:
http://www.microsoft.com/technet/security/bulletin/MS03-040.mspx

Mitigating factors:

  • By default, Internet Explorer on Windows Server 2003 runs in
    Enhanced Security Configuration. This default configuration of Internet
    Explorer blocks automatic exploitation of this attack. If Internet Explorer
    Enhanced Security Configuration has been disabled, the protections put in
    place that prevent this vulnerability from being automatically exploited
    would be removed.




-----------------------------------------


Rgds,
Rod.




--- ifmail v.2.15
* Origin: VideoCam Services WEB (http://vcsweb.com/) (3:800/221{at}fidonet)
SEEN-BY: 633/104 260 262 267 270 285 640/296 305 384 531 954 690/734 712/848
SEEN-BY: 774/605 800/221 445
@PATH: 800/221 640/954 633/260 267

SOURCE: echomail via fidonet.ozzmosis.com
