Truth About Computer Security Hysteria
NTBUGTRAQ 'call to action' is a yawner
Wednesday, 29 July 1998
NTBUGTRAQ MODERATOR RUSS Cooper received international media attention when he wrote about a "new" email exploit. In theory, someone can run malicious code on your computer by crafting an extremely long filename for an email attachment. The attachment doesn't need to execute — the filename itself executes when Outlook tries to parse the filename.
Reporters monitor NTBUGTRAQ for juicy computer security stories. Cooper's editorial (an outright "call to action") piqued the media's interest, so they gave him international exposure. This exploit may sound bizarre to the average reporter... but I yawned when I heard about it. You see, this latest security flaw is
just a derivative of the 'letter bomb' exploit (1996) and the 'res://' exploit (1997).
What? You never heard of them before now? Shame on you! The 'res://' exploit affected Internet Explorer components capable of displaying HTML, including the email & news clients. The 'letter bomb' exploit affected Netscape components capable of displaying HTML, including the email & news clients. Both exploits relied on the use of, shall we say, "unanticipated" filenames.
"Why didn't reporters warn everybody about the Res thing or the letter bomb thing?" you might ask. Answer: those exploits probably came too soon after the Hare virus media fiasco of 1996. Some computer magazines reported on them, but the international newswires never really took an interest. (Neither did NTBUGTRAQ, oddly, but Cooper admits "even those [who track security flaws] are finding it too difficult to keep up.") Cooper's dire warning of a "modern potential for disaster" came at the right time for media exposure.
In his editorial, Cooper notes "administrators [and urban-legend websites] have been telling their users that no email message can harm their machine just by the user looking at the message." The long-filename exploit, however, changes the nature of a simple email. Again, Cooper tells us nothing new — the person who discovered the 'letter bomb' exploit said the same thing in 1996.
On a sad note, Cooper used the "some equals all" fallacy concerning the Good Times virus alert hoax. Specifically, he declared "with the discovery [of this recent exploit], 'Good Times Virus' becomes potentially real!" For the record: the mythological Good Times virus launches when you read an evil phrase with your eyeballs and it sets your processor into a demonic nth-complexity infinite binary loop. Also for the
record: the person who discovered the 'letter bomb' exploit made the same claim about Good Times. A hoax does not suddenly turn true just because one part of it suddenly turned true.
So! Enough chit-chat. Let's assess the severity of the newest computer security threat. We'll assume you use an exploitable email program, of course.
Can an evil-doer use this new exploit to crash your email software, or perhaps crash the operating system itself? Yes. Can he do it easily? Yes. Can an evil-doer use this new exploit to run malicious code on your computer?
Yes. Can he do it easily? No. It remains a highly theoretical threat with only a few "I proved my point" examples.
Should you install the security patch from Microsoft? Certainly. You can download the current patch if you wish, or you can wait for MS to release the "better" patch which will also fix a related security flaw. Note:
ignore the news.com report which says
the patch is "flawed." It works exactly as advertised; Microsoft will merely add more to it soon, to make your computer even more secure. (Think of the next release as "Patch v2.0.") I dismiss the news.com report as a typical fearmongering story.
Should you "broadcast" a computer security alert to everybody you know? Well, it depends. Do they all look up to you as an expert on computer security? Do you know if they all use an exploitable email program? If you answer "no" to either question...
I predict this latest exploit will soon join its brothers in the land of obscurity. Don't go spastic over all the media hoopla, folks.
Oh, by the way — you think this filename exploit is big? Just wait until reporters learn about "email macro viruses"...
This latest security flaw is a derivative of the 'letter bomb' exploit (1996)
and the 'res://' exploit (1997). Most news outlets ignored the older flaws — because they came out too soon after the Hare virus media fiasco.