Mailing List Archive

URLs hidden in Morse code
<https://www.bleepingcomputer.com/news/security/new-phishing-attack-uses-morse-code-to-hide-malicious-urls/>

I'm reminded of the recent post suggesting that SA parse QR codes to feed
URLs to block lists.

The email includes a web document pretending to be an Excel document
(double extension .xlsx.hTML) that contains a JavaScript Morse decoder and
a string with the URLs encoded in Morse.

I see two ways to block this: 1) MUAs should ignore code in HTML. 2) A
malware scanner like ClamAV should watch for this kind of stuff.
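As an added illustration of the block-list feeding idea above (not code from the original post or from the phishing kit it describes), the following Python scanner finds space-separated Morse runs in a captured HTML attachment, decodes them, and returns any URLs they contain so they can be fed to a block list. The HTML snippet is a constructed sample; the decoder JavaScript the real attachment carries is not reproduced.

```python
import re

# Standard International Morse; punctuation that appears in URLs is included.
MORSE = {
    'A': '.-', 'B': '-...', 'C': '-.-.', 'D': '-..', 'E': '.', 'F': '..-.',
    'G': '--.', 'H': '....', 'I': '..', 'J': '.---', 'K': '-.-', 'L': '.-..',
    'M': '--', 'N': '-.', 'O': '---', 'P': '.--.', 'Q': '--.-', 'R': '.-.',
    'S': '...', 'T': '-', 'U': '..-', 'V': '...-', 'W': '.--', 'X': '-..-',
    'Y': '-.--', 'Z': '--..', '0': '-----', '1': '.----', '2': '..---',
    '3': '...--', '4': '....-', '5': '.....', '6': '-....', '7': '--...',
    '8': '---..', '9': '----.', '.': '.-.-.-', ':': '---...', '/': '-..-.',
    '-': '-....-', '?': '..--..', '=': '-...-', '@': '.--.-.',
}
FROM_MORSE = {code: char for char, code in MORSE.items()}

# A run of at least six Morse letters separated by single spaces.  Single
# dashes in prose or "<!-- -->" comments never reach six consecutive tokens.
MORSE_RUN = re.compile(r'(?<![.\-])[.\-]{1,6}(?: [.\-]{1,6}){5,}(?![.\-])')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')

# Constructed sample: a JavaScript string literal carrying the Morse-encoded
# URL https://example.com/login, as the attachment in the article does.
SAMPLE_HTML = '''<html><body><script>
var m = ".... - - .--. ... ---... -..-. -..-. . -..- .- -- .--. .-.. . \
.-.-.- -.-. --- -- -..-. .-.. --- --. .. -.";
// decodeMorse(m) would be called here; decoder omitted from the sample
</script></body></html>'''


def decode_morse(run):
    """Decode one space-separated Morse run; unknown tokens become U+FFFD."""
    return ''.join(FROM_MORSE.get(tok, '\ufffd') for tok in run.split(' '))


def extract_encoded_urls(html):
    """Return the de-duplicated, lower-cased URLs hidden in Morse runs."""
    found = []
    for match in MORSE_RUN.finditer(html):
        decoded = decode_morse(match.group(0)).lower()
        for url in URL_RE.findall(decoded):
            if url not in found:
                found.append(url)
    return found


if __name__ == '__main__':
    print(extract_encoded_urls(SAMPLE_HTML))
```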

Re: URLs hidden in Morse code
On Tue, 9 Feb 2021, Kenneth Porter wrote:

> I'm reminded of the recent post suggesting that SA parse QR codes to feed
> URLs to block lists.
>
> The email includes a web document pretending to be an Excel document (double
> extension .xlsx.hTML) that contains a JavaScript Morse decoder and a string
> with the URLs encoded in Morse.
>
> I see two ways to block this: 1) MUAs should ignore code in HTML. 2) A
> malware scanner like ClamAV should watch for this kind of stuff.

You're missing the simplest one: double extensions like that are hostile
and should be rejected.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Sheep have only two speeds: graze and stampede. -- LTC Grossman
-----------------------------------------------------------------------
3 days until Abraham Lincoln's and Charles Darwin's 212th Birthdays
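The double-extension check suggested above, as an added example written for this thread rather than taken from any of the posters or from SpamAssassin itself: it walks every MIME part of a message (inline parts included, since `iter_attachments()` skips the first text/html part) and flags filenames that pair a document extension with an active-content extension, matching case-insensitively so `.xlsx.hTML` is caught. The message is a constructed sample and the extension sets are assumptions.

```python
import email
from email import policy

# Assumed lists: inner extensions that lure the user, outer ones a desktop
# hands to a browser or script host.  Legitimate pairs such as .tar.gz do
# not match because "tar" is not in DOC_EXTS.
DOC_EXTS = {"xls", "xlsx", "doc", "docx", "pdf", "txt", "jpg", "png"}
ACTIVE_EXTS = {"html", "htm", "js", "hta"}

# Constructed sample message carrying the lure as an inline text/html part.
SAMPLE_MSG = """\
From: accounts@example.com
To: user@example.net
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please see the attached invoice.
--b1
Content-Type: text/html; name="Invoice_2021.xlsx.hTML"
Content-Disposition: inline; filename="Invoice_2021.xlsx.hTML"

<html><body><script>/* stand-in for the decoder */</script></body></html>
--b1--
"""


def is_hostile_double_extension(filename):
    """True for names like report.xlsx.hTML, independent of letter case."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    inner, outer = parts[1], parts[2]
    return inner in DOC_EXTS and outer in ACTIVE_EXTS


def hostile_attachments(raw_message):
    """Return (filename, declared content type) for every hostile part."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and is_hostile_double_extension(name):
            hits.append((name, part.get_content_type()))
    return hits


if __name__ == "__main__":
    print(hostile_attachments(SAMPLE_MSG))
```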

Re: URLs hidden in Morse code
On 9 Feb 2021, at 18:37, Kenneth Porter wrote:

> <https://www.bleepingcomputer.com/news/security/new-phishing-attack-uses-morse-code-to-hide-malicious-urls/>
>
> I'm reminded of the recent post suggesting that SA parse QR codes to
> feed URLs to block lists.
>
> The email includes a web document pretending to be an Excel document
> (double extension .xlsx.hTML) that contains a JavaScript Morse decoder
> and a string with the URLs encoded in Morse.
>
> I see two ways to block this: 1) MUAs should ignore code in HTML.

All minimally secure MUAs ignore any embedded JavaScript. Any MUA
written in this century that executes JavaScript should itself be deemed
malware.

> 2) A malware scanner like ClamAV should watch for this kind of stuff.

Sure, why not.

Not sure how this is SA-related.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: URLs hidden in Morse code
Bill Cole wrote:
> On 9 Feb 2021, at 18:37, Kenneth Porter wrote:
>
>> <https://www.bleepingcomputer.com/news/security/new-phishing-attack-uses-morse-code-to-hide-malicious-urls/>
>>
>>
>> I'm reminded of the recent post suggesting that SA parse QR codes to
>> feed URLs to block lists.
>>
>> The email includes a web document pretending to be an Excel document
>> (double extension .xlsx.hTML) that contains a JavaScript Morse decoder
>> and a string with the URLs encoded in Morse.
>>
>> I see two ways to block this: 1) MUAs should ignore code in HTML.
>
> All minimally secure MUAs ignore any embedded JavaScript. Any MUA
> written in this century that executes JavaScript should itself be deemed
> malware.

Thunderbird and Seamonkey both have it supported and enabled out of the
box. I would not be surprised if Outlook did, along with no way to
disable it. Mac Mail probably does, again likely with at best a tedious
hassle to disable it. Windows Mail (AKA "the descendant of Outlook
Express") probably does as well, also likely can't be disabled without
tinkering with the program binary or libraries. That probably covers
99% of the general end-users that use a desktop MUA.

This would be one of the few points I'd grant in favour of webmail; at
least any Javascript is executing in a browser that's had a lot more
attention to putting a leash on JS misbehaviour.

I would personally class any email with active Javascript as malware -
it should never have been supported at all IMO - but the marketing
departments have taken charge and I see all too much (ie, more than
absolutely none) legitimate mail using it.

-kgd

Re: URLs hidden in Morse code
On 10 Feb 2021, at 11:17, Kris Deugau wrote:

> Bill Cole wrote:
>> On 9 Feb 2021, at 18:37, Kenneth Porter wrote:
>>
>>> <https://www.bleepingcomputer.com/news/security/new-phishing-attack-uses-morse-code-to-hide-malicious-urls/>
>>>
>>> I'm reminded of the recent post suggesting that SA parse QR codes to
>>> feed URLs to block lists.
>>>
>>> The email includes a web document pretending to be an Excel document
>>> (double extension .xlsx.hTML) that contains a JavaScript Morse
>>> decoder and a string with the URLs encoded in Morse.
>>>
>>> I see two ways to block this: 1) MUAs should ignore code in HTML.
>>
>> All minimally secure MUAs ignore any embedded JavaScript. Any MUA
>> written in this century that executes JavaScript should itself be
>> deemed malware.
>
> Thunderbird and Seamonkey both have it supported and enabled out of
> the box.

Are you sure that is true today? It was not so for TBird when last I
looked, but that was some years back.

> I would not be surprised if Outlook did, along with no way to disable
> it.

I would be quite surprised, since that was removed from the desktop
version of Outlook a long time ago. What Microsoft 365's "Outlook" does,
I do not know.

> Mac Mail probably does, again likely with at best a tedious hassle to
> disable it.

Random libel. I have a lot of deep disagreements with the design and
implementation of Mail.app, but it doesn't run JS in email and never
has.


> Windows Mail (AKA "the descendant of Outlook Express") probably does as
> well, also likely can't be disabled without tinkering with the program
> binary or libraries. That probably covers 99% of the general
> end-users that use a desktop MUA.

Not being a Windows user, I cannot say. Given your other guesses, I'm
not inclined to think that this is true.

> This would be one of the few points I'd grant in favour of webmail;
> at least any Javascript is executing in a browser that's had a lot
> more attention to putting a leash on JS misbehaviour.

Back in the bad old days, OE used IE to render all HTML so it
theoretically got whatever scrutiny IE gave.

> I would personally class any email with active Javascript as malware -
> it should never have been supported at all IMO - but the marketing
> departments have taken charge and I see all too much (ie, more than
> absolutely none) legitimate mail using it.

I see none. I guess that just proves that everyone's mailstream is
different.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: URLs hidden in Morse code
On 2/10/21 9:17 AM, Kris Deugau wrote:
> I would personally class any email with active Javascript as malware -
> it should never have been supported at all IMO - but the marketing
> departments have taken charge and I see all too much (ie, more than
> absolutely none) legitimate mail using it.

I'll reluctantly concede HTML email. But I firmly believe that email
does *NOT* /need/ JavaScript or any other active scripting / technology.

I even dislike animated GIFs in email.

If you /need/ that active scripting / technology, link to a web page.
-- Yes, I know the folly of links in email.



--
Grant. . . .
unix || die

Re: URLs hidden in Morse code
On 10 Feb 2021, at 12:57, Bill Cole wrote:

> On 10 Feb 2021, at 11:17, Kris Deugau wrote:
>
>> Bill Cole wrote:
>>> On 9 Feb 2021, at 18:37, Kenneth Porter wrote:
>>>
>>>> <https://www.bleepingcomputer.com/news/security/new-phishing-attack-uses-morse-code-to-hide-malicious-urls/>
>>>>
>>>> I'm reminded of the recent post suggesting that SA parse QR codes
>>>> to feed URLs to block lists.
>>>>
>>>> The email includes a web document pretending to be an Excel
>>>> document (double extension .xlsx.hTML) that contains a JavaScript
>>>> Morse decoder and a string with the URLs encoded in Morse.
>>>>
>>>> I see two ways to block this: 1) MUAs should ignore code in HTML.
>>>
>>> All minimally secure MUAs ignore any embedded JavaScript. Any MUA
>>> written in this century that executes JavaScript should itself be
>>> deemed malware.
>>
>> Thunderbird and Seamonkey both have it supported and enabled out of
>> the box.
>
> Are you sure that is true today? It was not so for TBird when last I
> looked, but that was some years back.

CONFIRMED: SeaMonkey v2.53.6 (latest version) DOES NOT execute
JavaScript in email.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: URLs hidden in Morse code
Kris Deugau schrieb am 10.02.2021 um 17:17:
> Bill Cole wrote:
>> On 9 Feb 2021, at 18:37, Kenneth Porter wrote:
>>
>>
>> All minimally secure MUAs ignore any embedded JavaScript. Any MUA
>> written in this century that executes JavaScript should itself be
>> deemed malware.
>
> Thunderbird and Seamonkey both have it supported and enabled out of
> the box.

No. Thunderbird has had JavaScript disabled for mail display for a long
time, and it cannot be enabled either. The display of ordinary web pages in
extra tabs has JavaScript enabled, but this is in browser tabs only.

Alex

Re: URLs hidden in Morse code
On 2/10/2021 11:30 AM, Bill Cole wrote:
> CONFIRMED: SeaMonkey v2.53.6 (latest version) DOES NOT execute
> JavaScript in email.

I don't think the intent is to run it in the MUA. It's probably
distributed as an attachment (ie. inline) to save to disk and be viewed
outside the MUA in a normal browser.

Re: URLs hidden in Morse code
Kris Deugau wrote:
> Thunderbird and Seamonkey both have it supported and enabled out of the
> box.  I would not be surprised if Outlook did, along with no way to
> disable it.  Mac Mail probably does, again likely with at best a tedious
> hassle to disable it.  Windows Mail (AKA "the descendant of Outlook
> Express") probably does as well, also likely can't be disabled without
> tinkering with the program binary or libraries.  That probably covers
> 99% of the general end-users that use a desktop MUA.

I stand corrected; I posted based on old(er) versions and general
pessimism.

After a close look again at Thunderbird I've apparently been misreading
one of the about:config flags (javascript.enabled), although if it's not
for email HTML rendering I'm not sure what it's used for.

-kgd

Re: URLs hidden in Morse code
On 11 Feb 2021, at 10:36, Kris Deugau wrote:

> After a close look again at Thunderbird I've apparently been
> misreading one of the about:config flags (javascript.enabled),
> although if it's not for email HTML rendering I'm not sure what it's
> used for.

Thunderbird will open links in its own windows rather than launching a
browser, if configured to do so. Like SeaMonkey or Firefox, that
internal browser can optionally support JavaScript and by default does
so. Once upon a time, there was also a javascript.allow.mailnews flag,
but it was removed. The comment at
https://bugzilla.mozilla.org/show_bug.cgi?id=13023#c5 implies that
JavaScript was "finished off in mail" just over 21 years ago. That is
roughly the timeframe for removal of JS in mail support from just about
every notable standalone MUA that ever had it, following a couple of
rounds of malware using it as a transmission vector.

Web-based MUAs (SquirrelMail, Horde, GMail, Outlook Web Access, etc.)
brought back some support for JavaScript in mail, but as I understand
some of them do some defanging of scripts and the advancement of browser
limitations on nefarious scripts has also helped make those less
dangerous than they could be.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: URLs hidden in Morse code
On Thursday, February 11, 2021, 09:49:35 PM GMT+1, Bill Cole <sausers-20150205@billmail.scconsult.com> wrote:
>Web-based MUAs (SquirrelMail, Horde, GMail, Outlook Web Access, etc.)
>brought back some support for JavaScript in mail, but as I understand
>some of them do some defanging of scripts and the advancement of browser
>limitations on nefarious scripts has also helped make those less
>dangerous than they could be.
You are very optimistic, Bill...  :-D
Users copy and paste full web pages in an email and click the "send" button singing at the same time... 

----Pedrete

Re: URLs hidden in Morse code
On 12 Feb 2021, at 4:10, Pedro David Marco wrote:

> On Thursday, February 11, 2021, 09:49:35 PM GMT+1, Bill Cole
> <sausers-20150205@billmail.scconsult.com> wrote:
>> Web-based MUAs (SquirrelMail, Horde, GMail, Outlook Web Access,
>> etc.) 
>> brought back some support for JavaScript in mail, but as I understand
>> some of them do some defanging of scripts and the advancement of
>> browser
>> limitations on nefarious scripts has also helped make those less
>> dangerous than they could be.
> You are very optimistic, Bill...  :-D
> Users copy and paste full web pages in an email and click the "send"
> button singing at the same time... 

Yes, but HOPEFULLY that ends up copying and pasting something harmless
like just the body text or an image of the page.

Fun fact: with recent MacOS MS Word, if you copy a block of formatted
text and paste it into a new message in the MailMate MUA, you get an
embedded PNG graphic. An interesting solution to the problem of rich
text portability.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: URLs hidden in Morse code
On Fri, 12 Feb 2021, Bill Cole wrote:

> On 12 Feb 2021, at 4:10, Pedro David Marco wrote:
>
>> On Thursday, February 11, 2021, 09:49:35 PM GMT+1, Bill Cole
>> <sausers-20150205@billmail.scconsult.com> wrote:
>>> Web-based MUAs (SquirrelMail, Horde, GMail, Outlook Web Access, etc.) 
>>> brought back some support for JavaScript in mail, but as I understand
>>> some of them do some defanging of scripts and the advancement of browser
>>> limitations on nefarious scripts has also helped make those less
>>> dangerous than they could be.
>> You are very optimistic, Bill...  :-D
>> Users copy and paste full web pages in an email and click the "send" button
>> singing at the same time... 
>
> Yes, but HOPEFULLY that ends up copying and pasting something harmless like
> just the body text or an image of the page.
>
> Fun fact: with recent MacOS MS Word, if you copy a block of formatted text
> and paste it into a new message in the MailMate MUA, you get an embedded PNG
> graphic. An interesting solution to the problem of rich text portability.

...for certain values of "interesting". I hate images of text - you can't
copy the text and do useful things with it.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
When violence comes, and brings your death with it -- *die well*,
for that is the only thing you can change about your death.
-- Lawdog
-----------------------------------------------------------------------
Today: Abraham Lincoln's and Charles Darwin's 212th Birthdays