News From Mike's Tavern. from Lovey@aol.com on 1998-11-21 (w3c-wai-ig@w3.org from October to December 1998)

From: <Lovey@aol.com>
Date: Fri, 20 Nov 1998 23:17:46 EST
To: w3c-wai-ig@w3.org, w3c-wai-ig-request@w3.org
Message-ID: <ce54d6e5.36563eea@aol.com>
A VBScript thingy - but what about todays ruling infavor of Sun -vs- MS re:
Java and VBS?
KPR,
LK

<-------snip------------>
<A HREF="http://www.developer.com/news/news1.html">developer.com - News
Central</A>
http://www.developer.com/news/stories/112098_vbvirus.html

Visual Basic holes open for e-mail viruses 
By Robert Lemos, ZDNN
November 19, 1998 5:08 PM PT 

For years, virus researchers and hoax debunkers have asserted a simple truth:
You'll never get a virus from reading e-mail.

 Not anymore.

Anti-virus researchers have identified a class of viruses, called HTML
viruses,
which hide out in Web pages or e-mail and activates when users view the
content. 

"Just the fact that your mail program shows e-mail in a window (could) spread
the virus to your system," said Igor Grebert, senior researcher at anti-virus
maker Trend Micro Inc.

The Cupertino, Calif., company publicly announced, on Wednesday, efforts to
include protection against such viruses in its anti-virus software. Last week,
anti-virus firm Central Command Inc. warned of a more isolated virus that
affected ActiveX controls in certain cases.

Microsoft Corp. accused the companies of scare tactics. "We are extremely
confident that this is nothing that users should be worried about," said Mike
Nichols, Internet Explorer product manager at Microsoft.

Little danger, for now

Indeed, at present, HTML viruses present no danger. Grebert has only
encountered what he refers to as "test viruses" that do not have any
destructive
payload. 

In addition, while HTML viruses have potential to be nasty, they will have a
hard time spreading out of control over the Internet.

In order to copy itself to a new Web page, the HTML virus must execute on a
machine from which it is allowed to change the page. This essentially means
that only Webmasters have the possibility of being "Typhoid Mary."

"If you are just a user, you will not infect other people's Web pages," said
Grebert.

Still, whoever they are, the virus writers have been busy. In the past two
weeks, Trend Micro has tallied no less than 17 new variants, written in
Microsoft Corp.'s VBScript. While none of them could harm users, don't
expect the viruses to have their teeth filed for long. Soon, they could cause
significant problems for users who get them.

Technically, the viruses resemble normal programs. "There is no security in
Windows that limits what VBScript can do," said Grebert. "Can it read your
files? Yes. Can it format your hard drive? Yes."

Another IE hole

Essentially a macro virus, the viruses -- written in VBScript -- are embedded
in
the HTML included in a Web page or e-mail. 

Users of Windows 98 or more recent versions of Microsoft's (Nasdaq:MSFT)
Internet Explorer and Outlook are at risk, according to Trend Micro, since
both programs are set up with Microsoft's Windows Scripting Host -- needed to
run VBScript. 

Microsoft said the problem did not affect Internet Explorer.  

"As a user you would have to go to a site that was designed to be malicious,
and users would have to lower the (default) security," said Microsoft's
Nichols. Even when security is lowered, users still are prompted every time a
script tries to run, he said, putting only the most ignorant at risk.

Rubber gloves before reading 

Still, Outlook and other e-mail programs that read VBScript will allow the
virus to execute, claimed researchers.

"The real angle of attack is on HTML e-mail," said Russ Cooper, moderator of
NTBugTraq. "In that regard, people are wide open to attack."

Originally, the threat of e-mail macro viruses was expected to come from
Microsoft's combination of Outlook 98 and Windows 98.

At the end of July, Finnish students found holes in Outlook that let viruses
spread by e-mail. However, that security hole could only be exploited by
luring the user to click on an overlong HTML link.

Several experts had predicted that some virus writer would put the two
together.

Not just VBScript

Netscape Communications Corp.'s (Nasdaq:NSCP) Navigator, which does
not support its rival's VBScript, is immune, said Grebert. "Yet, with the new
features that Sun is putting into Java to compete with Visual Basic, they may
have a similar problem in the future."

 In addition, Cooper warns that an HTML virus could be written in JavaScript
just as easily as VBScript.

<-------snip------------>
Received on Friday, 20 November 1998 23:17:57 UTC