----- Original Message -----
From: "Jake Anderson"
Subject: Re: [OT:] Windows/Linux security

> uhh no
> microsoft has made it basically impossible to open any form of attachment in
> outlook and outlook express.

uhhhh ... no.

First of all, it has been possible to keep reasonably secure with Outlook Express for a very long time now. However, the default settings used to be just plain bad, and even though they have improved, they are still not what they need to be. Interestingly, as best I can tell, Outlook still has some problems that I don't know that you can work around.

As far as I know, there are three ways someone can nail you with an email.

The first is a buffer overflow vulnerability. Back when the only computers on the net were Unix machines, this was the favorite. The famous "Internet Worm" that got so much press a few years back worked this way. This isn't so popular with Windows. I don't think it's necessarily harder to do in Windows, it's just that Windows provides so many easier approaches.

The second is getting a brain-dead user to open an executable attachment. Recent versions of OE have made this harder, but not impossible. What is really annoying is that M$ has provided a convenient way for a hacker to make an exe file look like a jpeg. This "feature" can be turned off, but it takes mucking around in the registry to do it. A big difference here is that many Windows users haven't found the clue bucket. Linux is such a pain to install and configure that the totally brain-dead user isn't going to be running Linux in the first place, so it's a safe bet that almost all Linux users will have enough sense not to do this.

The third avenue is through HTML email. HTML provides a rich set of tools for exploiting the target system, although all of them are fairly hard to use except for ActiveX controls.
Some Linux clients will open email in HTML and so are susceptible to exploits via JavaScript or Java (don't give me that crap about the sandbox being secure - it ain't). But these exploits are more difficult than ActiveX. Controlling HTML email and ActiveX is quite possible in Outlook Express (less so in Outlook), but the settings are scattered all over, so the average user isn't likely to get them right. There have also been bugs in the HTML engines from time to time that are exploitable without active content, although these have been fairly infrequent.

Other than ActiveX, all of these are available on both Linux and Windows, although some mail clients will not open HTML mail. These clients are more popular on Linux than on Windows. The HTML is an especially nasty one since, on clients with a preview pane, this sort of exploit can be activated without actually opening the email.

Windows is a more popular attack target simply because there are so many more Windows machines out there. Over 95% of the machines are Windows, so Linux/Unix/Mac/VMS are much less appealing targets.

--McD
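A mail-gateway style check for the second and third avenues in the post above, as an added example that is not part of the original message: it flags executable attachments (including ones named to look like an image) and HTML parts carrying active content. The extension lists, the finding labels, the image-name-plus-executable-extension pattern and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Illustrative lists (assumptions), not exhaustive.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
HARMLESS_LOOKING = {"jpg", "jpeg", "gif", "png", "txt", "doc", "pdf"}
# Tags that carry active content: ActiveX (<object>), Java (<applet>), script.
ACTIVE_HTML = re.compile(r"<\s*(script|object|applet|embed)\b", re.IGNORECASE)

def triage(raw_message: bytes) -> list:
    """Return findings for one raw message, in MIME part order."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Windows ignores trailing dots and spaces, so strip them before judging.
        name = (part.get_filename() or "").lower().rstrip(". ")
        pieces = name.split(".")
        if len(pieces) > 1 and pieces[-1] in EXECUTABLE_EXTS:
            disguised = len(pieces) > 2 and pieces[-2] in HARMLESS_LOOKING
            kind = "disguised-executable" if disguised else "executable-attachment"
            findings.append(f"{kind}:{name}")
        if part.get_content_type() == "text/html":
            # Active content can fire from a preview pane, before the mail is opened.
            tags = {t.lower() for t in ACTIVE_HTML.findall(part.get_content())}
            findings.extend(f"active-html:{t}" for t in sorted(tags))
    return findings

def build_sample() -> bytes:
    """Constructed sample message (not real mail) exercising each check."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("plain text body")
    m.add_alternative('<html><body><OBJECT classid="clsid:0"></OBJECT>'
                      "<p>hello</p></body></html>", subtype="html")
    m.add_attachment(b"MZ", maintype="image", subtype="jpeg",
                     filename="holiday.jpg.exe")
    m.add_attachment(b"\xff\xd8", maintype="image", subtype="jpeg",
                     filename="photo.jpg")
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                     filename="setup.exe.")
    return m.as_bytes()

if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```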