The Hidden Dangers In E-mail

Here are a few notes that I picked up when I was researching some recent e-mail disasters.


Until recently I was blissfully unaware of the havoc an e-mail can produce. I am not talking about the damage and inconvenience that can be the result of infecting your computer with a virus, or the grief that can be wrought by a macro in a Microsoft Office document; no, the malicious hacker can do plenty of damage from just an e-mail.

Plain, simple, text-only e-mails offer no threat at all (well, not to your computer system); the problem comes with HTML messages. HTML (Hypertext Markup Language) is the heart of the modern internet and does a pretty good job of making the web easy to use and nice to look at. HTML is starting to appear in e-mails, offering fancy backgrounds, numerous font characteristics, embedded pictures and clever effects. These effects are achieved by the use of a programming language called Java that was developed by Sun Microsystems and a more recent version called JavaScript from Netscape.

The problem comes when someone decides to write Java code that does things other than making your web pages or e-mail look nice.

Here are a few examples of the things that can be done.

In Internet Explorer 4 it is possible to open a Web page in full-screen mode without a menu bar, tool bars, and window frame. Except for a vertical scroll bar on the right-hand side of the screen, the Web page uses all of the pixels on the screen.

The "White Screen of Death" page uses the full-screen mode to make it appear that a system has crashed by turning the screen to all white. In addition, it hooks the blur and unload events to make it impossible to switch or close the window.

The only solution is to switch off your computer.


Auto-launching Microsoft Word

In Outlook Express, Microsoft Word (or Microsoft Excel) can be automatically run from an Email message.

The document to be edited by Word can be supplied by a remote Web server or FTP server. There can be a bad security hole here if you have turned off the warning in Word about automatically running macros when a document is loaded. If this warning has been turned off, the Web server can download to Word a document that is infected with a macro virus and your machine becomes infected.

Netscape Messenger can also auto-launch Word from an Email message, but it puts up a security warning first which allows you to stop Word from running.

This same security hole exists in Eudora 4, but was eliminated in Eudora 4.1.

The solution is to be sure that Microsoft Office documents have the auto macro facility switched off.
By using startup switches, you can control certain events when you start Word.

    Switch         Description
    /mmacroname    Runs the specified macro and prevents the AutoExec macro (if any) from running. If you just want to prevent the AutoExec macro from running, omit macroname.


Web Bugs

A Web Bug is a graphic on a Web page or in an Email message that is designed to monitor who is reading the Web page or Email message. Web Bugs are often invisible because they are typically only 1-by-1 pixel in size. They are represented as HTML IMG tags. For example, here are two Web Bugs recently found on Quicken's home page. The two Web Bugs were placed on the home page by Quicken to provide "hit" information about visitors to DoubleClick and MatchLogic (AKA, preferences.com), two Internet advertising companies.

Any graphic on a Web page that is used for monitoring purposes can be considered a Web Bug. Ad networks can use Web Bugs to add information to a personal profile of what sites a person is visiting. The personal profile is identified by the browser cookie of an ad network. At some later time, this personal profile, which is stored in a database server belonging to the ad network, determines what banner ad one is shown.

Another use of Web Bugs is to provide an independent accounting of how many people have visited a particular Web site. Web Bugs are also used to gather statistics about Web browser usage at different places on the Internet.

Where can you find Web Bugs being used?

What kinds of uses does a Web Bug have in an Email message?
A Web Bug can be used to find out if a particular Email message has been read by someone and, if so, when the message was read. A Web Bug can provide the IP address of the recipient if the recipient is attempting to remain anonymous. Within an organization, a Web Bug can give an idea of how often a message is being forwarded and read.

Why are Web Bugs used in "junk" Email messages?
To measure how many people have viewed the same Email message in a marketing campaign.
To detect if someone has viewed a junk Email message or not. People who do not view a message are removed from the list for future mailings.
To synchronize a Web browser cookie to a particular Email address. This trick allows a Web site to know the identity of people who come to the site at a later date.

Here are some of the Email marketing companies who are known to use Web Bugs?

Email Web Bugs are represented as 1-by-1 pixel IMG tags just like Web Bugs for Web pages. However, because the sender of the message already knows your Email address, they also include the Email address in the Web Bug URL. The Email address can be in plain text or encrypted. For example, here are two Web Bugs sent in junk Email messages:

 

Is there any method of removing Web Bugs from HTML pages?
Not really.
The technical problem is that there is no method of distinguishing Web Bugs from spacer GIFs which are used on Web pages for alignment purposes.
Your best defense against Web Bugs is to turn off cookies. Instructions for turning off cookies can be found at the Junkbusters Web site:

    http://www.junkbusters.com/ht/en/cookies.html#disable

One note about cookies: Netscape Navigator and Internet Explorer will still send out existing cookies after disabling cookies in the browser. You must manually delete any cookie files on your hard drive to eliminate being tracked by third-party ad networks.
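A mail filter cannot be certain which 1-by-1 images are trackers, but it can grade them by what their URL carries. The following is an added example, not code from the original page: it lists remote 1-by-1 IMG tags in an HTML message body and separates those whose URL contains the recipient's address or a query string from plain ones that may be spacer GIFs. The class and function names, hosts and addresses are all assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

class WebBugFinder(HTMLParser):
    """Collect remote 1x1 <img> tags and grade how likely each is a tracker."""

    def __init__(self, recipient):
        super().__init__()
        self.recipient = recipient.lower()
        self.findings = []  # (image URL, verdict) pairs

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {name: (value or "").strip() for name, value in attrs}
        src = a.get("src", "")
        url = urlsplit(src)
        if url.scheme not in ("http", "https"):
            return  # only remote images cause a request to someone's server
        if a.get("width") not in ("0", "1") or a.get("height") not in ("0", "1"):
            return  # visible image, not a 1-by-1 pixel
        if self.recipient in unquote(src).lower():
            verdict = "tracker: recipient address in URL"
        elif url.query:
            # An encrypted address or other ID would travel here.
            verdict = "tracker: opaque identifier in query string"
        else:
            verdict = "ambiguous: may be a spacer GIF"
        self.findings.append((src, verdict))

def find_web_bugs(html, recipient):
    """Return the (URL, verdict) pairs for one HTML message body."""
    finder = WebBugFinder(recipient)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample message body; all hosts and addresses are made up.
SAMPLE_HTML = """<html><body><p>Spring sale!</p>
<img src="http://www.example.com/images/spacer.gif" width="1" height="1">
<img src="http://ads.example.net/open.gif?email=alice%40example.org&amp;msg=42" width=1 height=1>
<img src="http://ads.example.net/o.gif?u=9f3ac2" width="1" height="1" border="0">
<img src="http://www.example.com/banner.gif" width="468" height="60">
</body></html>"""

if __name__ == "__main__":
    for src, verdict in find_web_bugs(SAMPLE_HTML, "alice@example.org"):
        print(verdict, "->", src)
```
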


JavaScript Programs

This section was designed to illustrate the problem of HTML-based Email readers automatically executing JavaScript programs and ActiveX controls embedded inside of Email messages. This page silently loads the contents of the AUTOEXEC.BAT file into a form field. Once in the form field, the file contents can be silently sent via Email to the "bad guys". The Email portion of this demo has been removed for privacy reasons.

This message uses Microsoft's TDC (Tabular Data Control) ActiveX control to read files from the hard disk. This control is available on any Windows system that is running the Internet Explorer 4 browser. Because the TDC ActiveX control is signed and already loaded on a computer, there are no security warnings when this page is loaded.

If the page is downloaded from a Web server, the TDC control will refuse to read any files from the hard drive. However, if the page is sent as an Email attachment, hard disk files can be accessed by the page when the attachment is clicked on. To see this in action, copy this section to an Email, send it to yourself in HTML format, then look at it with Internet Explorer.


Fingerprinting of Office 97 files


In Office 97, when a Word, Excel, or PowerPoint file is saved for the first time, it is assigned its own unique serial number. This serial number is in the form of a 32-digit GUID (Globally Unique ID). The last 12 digits of a GUID will most likely contain the MAC or NIC address of the Ethernet adapter of the person saving the document. Since Ethernet addresses are unique, this serial number in theory would allow a document to be traced back to the computer it was created on.

The GUID serial number was originally put in Office 97 document files to correct broken hyperlinks. Ironically this feature was never implemented, but the serial numbers remain.

To locate a GUID in a Word document, simply open the .DOC file in Notepad and search for the string "GUID". The GUID serial number will follow immediately in the document.
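The Notepad search can be automated when a batch of documents has to be checked before release. The following is an added example, not a Microsoft tool or code from the original page: it finds each "GUID" marker in a file's bytes, reads the GUID that follows, and reports its last 12 digits as a candidate adapter address. The version and multicast-bit test comes from RFC 4122 rather than from this page, and the NUL stripping assumes the string may be stored as UTF-16; the sample bytes are constructed.

```python
import re
import uuid

# 32 hex digits in the usual 8-4-4-4-12 layout, with optional braces.
GUID_RE = re.compile(
    rb"\{?([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}"
    rb"-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})\}?")

def find_guids(data, window=96):
    """Return one finding per "GUID" marker that is followed by a GUID."""
    findings = []
    pos = data.find(b"GUID")
    while pos != -1:
        # Drop NUL bytes so a UTF-16LE string matches too (an assumption about
        # the on-disk encoding; the page only says the GUID follows the marker).
        chunk = data[pos + 4:pos + 4 + window].replace(b"\x00", b"")
        m = GUID_RE.search(chunk)
        if m:
            g = uuid.UUID(m.group(1).decode("ascii"))
            node = "%012x" % g.node  # the last 12 digits of the GUID
            mac = ":".join(node[i:i + 2] for i in range(0, 12, 2))
            # RFC 4122: a version 1 GUID embeds the adapter address, unless the
            # multicast bit of the first octet marks the node as random.
            is_mac = g.version == 1 and not ((g.node >> 40) & 0x01)
            findings.append({"offset": pos, "guid": str(g), "node": mac,
                             "looks_like_mac": is_mac})
        pos = data.find(b"GUID", pos + 4)
    return findings

# Constructed sample bytes, not a real document. The first GUID is version 1
# with a documentation-range address (00:00:5e:00:53:xx); the second is random.
SAMPLE_DOC = (b"\xd0\xcf\x11\xe0" + b"\x00" * 12 + b"GUID" + b"\x00\x1f\x00\x00"
              + "{5C8E2A40-9B1D-11D2-8F3A-00005E005301}".encode("utf-16-le")
              + b"\x00" * 32 + b"GUID\x00"
              + b"{1B4E28BA-2FA1-41D2-883F-D2B6F4A7C9E1}")

if __name__ == "__main__":
    for f in find_guids(SAMPLE_DOC):
        print(f)
```
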

To fix this problem, Microsoft is providing a patch to Office 97 which will stop putting serial numbers in new document files. For existing files, Microsoft will also be providing a stripper utility for removing serial numbers.

The Office 97 issue is independent of the operating system and will occur under both Windows 95 and Windows 98. There are reports that the problem also exists in Office 98 documents for the Macintosh.

Note that in Office 2000, GUIDs are no longer generated for document files. However a number of GUIDs are included in a file if the document contains VBA macros. There is currently no method of removing these macro GUIDs except to delete the macros themselves.

External Links


This one line HTML Email message will hang the Eudora and Netscape Messenger
Email readers:

        <html> <script> while(1) alert ("Help, I am caught in an infinite loop!"); </script> </html>

The hang occurs when the Email message is read.  The embedded JavaScript
program is automatically executed and puts up a continuous stream of alert
boxes on the screen.  In both Email readers, there doesn't seem to
be any method of easily stopping the alert boxes.  CTRL-ALT-DEL
is required to shut down the hung Email reader.

Worse yet, the next time Email is read, Eudora and Netscape Messenger will
hang again on the same Email message if the message preview pane is turned on.
This message will likely permanently disable the Email reader.  Fixing the problem
requires a person with technical knowledge to manually edit the "in" box message
file and delete the message with the JavaScript infinite loop.

Moral of the story: Email readers should never, ever automatically execute
programs embedded in Email messages even if these programs are written
in supposedly safe programming languages like JavaScript, VBScript, and
Java.
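A mail gateway or reader can apply this rule by checking a message for active content before any HTML is rendered. The following is an added example, not code from the original page or from any of the Email readers named: it walks the MIME parts of a message and reports script, object and applet elements, event-handler attributes and script URLs, which covers both the JavaScript loop above and the ActiveX case in the JavaScript Programs section. The names and the sample message are constructed for the illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Elements that carry JavaScript/VBScript, ActiveX controls or Java applets.
ACTIVE_TAGS = {"script", "object", "applet"}

class ActiveContentFinder(HTMLParser):
    """Record every construct that would make a mail reader run code."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.hits.append("<%s> element" % tag)
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):  # onload, onblur, onunload, ...
                self.hits.append("%s handler on <%s>" % (name, tag))
            elif value.startswith(("javascript:", "vbscript:")):
                self.hits.append("script URL in %s of <%s>" % (name, tag))

def scan_message(raw_bytes):
    """Return the active-content findings for every text/html part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            finder.close()
            hits.extend(finder.hits)
    return hits

# Constructed sample message; addresses and content are made up.
SAMPLE_MESSAGE = b"""From: sender@example.com
To: alice@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Hello

--b1
Content-Type: text/html; charset="us-ascii"

<html><body onload="init()">
<script>document.title = "hi";</script>
<a href="javascript:void(0)">link</a>
</body></html>
--b1--
"""
```

A message with any finding can be shown from its text/plain part only; a plain-text message returns an empty list.
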


 

A Eudora 4 bug allows an innocent-looking Web link in an Email message to execute an attached .EXE file or .BAT file.  For pretty obvious reasons, this is not a good thing.  For the bug to work correctly, Eudora 4 must be using Microsoft's Internet Explorer 4 browser to display HTML-based Email messages.

This bug was reported to Qualcomm, the makers of Eudora, at the end of August 1998 and was fixed immediately with a patch. It is highly recommended that anyone running version 4.00 or 4.01 of Eudora for Windows should upgrade to version 4.1. The update is available at:

 

    http://eudora.qualcomm.com/pro_email/updaters.html

 

2000 - N.E.M Business Solutions UK. Tel / Fax 01823 680119 or mobile 0468 981196

E-Mail  neil@nem.org.uk