Bulgarian horse - the Melissa virus, but even worse
From: Peter Langston <psl>
Date: Thu, 2 Sep 99 11:06:15 -0700
Subject: Bulgarian horse - the Melissa virus, but even worse
Forwarded-by: david mankins <email@example.com>

Hotmail grumblings aside (which, after all, is implemented on *UNIX* servers
(FreeBSD or Solaris), not NT), we've been too kind to Microsoft lately.

From: Jamie McCarthy
Greg Roelofs writes:
> - We already knew IE 5 and ActiveX were a disaster waiting to happen;
> now it has:
[Warning, this article sends you off for an explanation on the
discoverer's web page; the page not only explains the
exploit, it uses it. --- pozzo]
> Apparently if you visit a properly constructed web page, you've just
> given away your entire system. This one's better than Hotmail, in my
> book. Hee hee.

This follows on the heels of a major security flaw in Microsoft's
implementation of the Java Virtual Machine. (Apparently there is no
scripting language that they are unable to introduce gaping security chasms
into.) This one is just as bad: gives away your entire system when you
visit the wrong webpage, or even just receive email with the payload:

The security hole, present in most copies of Windows 95 and all versions
of Windows 98, would allow a malcontent to conceal malicious computer
code in an email message or Web page that can surreptitiously modify
files, reformat a hard drive, or execute any DOS command.

"It's the Melissa virus, but even worse," says Dan Wallach, an assistant
professor of computer science at Rice University who is one of the team
members. "The Melissa virus required someone to click 'OK.' This doesn't."

This has not been a good week for Microsoft's security team.
© 1999 Peter Langston