Hardening Eudora against malicious code in HTML [was Re: Quarantined in.mbx file]

From: Aron Roberts <aron_at_socrates.berkeley.edu>
Date: Fri Sep 17 2004 - 16:52:49 PDT

   Roy Baril of Journalism shared with us a sample of an email message
apparently containing malicious code that is apparently arriving in a
number of CalMail inboxes, and may have reached staff computers in at
least three campus departments.

   The message has an HTML message body containing an "encoded"
JavaScript (see below). This code is identified as a
"download.trojan" or "JS.download.trojan" by Symantec's anti-virus
programs, leading it to quarantine email inboxes that contain the
offending message, as per the recent Micronet discussion.

   (Some background info on encoding of scripts:
<http://torque.oncloud8.com/archives/000063.html> and
<http://www.microsoft.com/downloads/details.aspx?FamilyId=E7877F67-C447-4873-B1B0-21F0626A6329&displaylang=en>.)

   This serves as a reminder that, if you're running Eudora for
Windows, you can 'harden' that program against malicious code in HTML
messages by checking, and if necessary changing, three key settings:

   - From the "Tools->Options" menu item, in the "Viewing Mail" panel,
     de-select "Use Microsoft Viewer"

     This disables the use of Internet Explorer's HTML rendering
     engine, which has a fair number of security vulnerabilities.

   - From the "Tools->Options" menu item, in the "Viewing Mail" panel,
     de-select "Allow executables in HTML content"

     This will prohibit executable content within, or referenced by, the
     HTML message from running.

   - From the "Tools->Options" menu item, in the "Extra Warnings" panel,
     select "Launch a program from a message"

     This will put up an "Are you sure?" warning message if you try to
     launch an executable attachment from within a message. (Opening
     attachments under any circumstance is potentially dangerous; this
     may help prevent one from inadvertently doing so.)

   The basic idea is that when you open or preview a message
containing HTML in Eudora, you don't want Internet Explorer's
(possibly vulnerable) rendering code to be used, and you don't want
JScript/JavaScript scripts, ActiveX controls, or other executable
content to be run.

Aron Roberts
Workstation Software Support Group

Received on Fri Sep 17 16:55:15 2004
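
The kinds of content the settings above keep from running can also be looked for in a stored message before it is opened. The following is an added example, not part of the original post: it parses a message and reports script, ActiveX/plugin tags and inline handlers in its HTML parts. The names `ActiveContentFinder` and `scan_message` are hypothetical, the sample message is constructed, and the `.Encode` language check is an assumption about how an encoded script is declared.

```python
import email
from email import policy
from html.parser import HTMLParser

# Tags that carry or load executable content in an HTML message body.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}

class ActiveContentFinder(HTMLParser):
    """Collects one finding per active tag, inline handler or script URL."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}  # names arrive lowercased
        if tag in ACTIVE_TAGS:
            lang = attrs.get("language", "").lower()
            # Assumption: encoded scripts declare a language ending in ".Encode".
            if tag == "script" and lang.endswith(".encode"):
                self.findings.append("script (encoded: %s)" % lang)
            else:
                self.findings.append(tag)
        for name, value in attrs.items():
            if name.startswith("on"):  # onload, onclick, ...
                self.findings.append("%s handler on <%s>" % (name, tag))
            elif value.strip().lower().startswith(("javascript:", "vbscript:")):
                self.findings.append("script URL in %s of <%s>" % (name, tag))

def scan_message(raw_bytes):
    """Return the findings for every text/html part of one RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            finder.close()
            findings.extend(finder.findings)
    return findings

# Constructed sample message; the script body and classid are placeholders.
SAMPLE = b"""Subject: constructed sample
Content-Type: text/html; charset="us-ascii"

<html><body onload="go()">
<script language="JScript.Encode">PLACEHOLDER_BODY</script>
<object classid="clsid:PLACEHOLDER"></object></body></html>
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```
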