Closed
Bug 578297
Opened 14 years ago
Closed 1 year ago
Accidentally opening an email attachment may have infected my computer
Categories
(MailNews Core :: Attachments, defect)
Tracking
(Not tracked)
RESOLVED
INVALID
People
(Reporter: jaco, Unassigned)
References
(Blocks 1 open bug)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
Please investigate the email below. Strange things started to happen when the attachment was opened by mistake (some java app started, don't know the rest, I pulled the plug on my computer quickly)
Received: from localhost
for <xxxxxxx@xxxxxxx>; Fri, 9 Jul 2010 16:49:53 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new
Received: from 127.0.0.1
by localhost
with ESMTP id 5gCD+2K-gdkn
Fri, 9 Jul 2010 16:49:46 +0200 (CEST)
Received: from vpn29-204.altair-tv.ru (unknown [109.111.19.204])
by mailserver (Postfix) with ESMTP id 861DB1610356
for <xxxxx@xxxx.com>; Fri, 9 Jul 2010 16:49:43 +0200 (CEST)
Received: from 109.111.19.204 by mx1.biz.mail.yahoo.com; Fri, 9 Jul 2010 18:44:57 +0300
Date: Fri, 9 Jul 2010 18:44:57 +0300
From: Mail Delivery Subsystem
X-Mailer: The Bat! (v3.62.03) Professional
Reply-To: goulashfs6@rotp.com
X-Priority: 3 (Normal)
Message-ID: <396844352.28219839838582@rotp.com>
To: xxxxxx@xxxxxxx.com
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----------B92A869A91FDE80E"
------------B92A869A91FDE80E
Content-Type: text/plain; charset=Windows-1252
Content-Transfer-Encoding: 7bit
Note: Forwarded message is attached.
This is an automatically generated Delivery Status Notification
THIS IS A WARNING MESSAGE ONLY.
Delivery to the following recipient has been delayed:
Message will be retried for 2 more day(s)
------------B92A869A91FDE80E
Content-Type: text/html; name="Forwarded Message.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Forwarded Message.html"
PG1ldGEgaHR0cC1lcXVpdj0icmVmcmVzaCIgY29udGVudD0iMDt1cmw9aHR0cDovL2lkaWVwZXJ1
Lm9yZy9pbmRleDMuaHRtbCIgLz4=
------------B92A869A91FDE80E--
Reproducible: Didn't try
Comment 1•14 years ago
Please tell me Thunderbird doesn't enable Java by default.
Blocks: malware-attacks
Group: core-security
Comment 2•14 years ago
Jesse, is there even a pref for that? Or are you referring to a build-time option?
Comment 3•14 years ago
A new profile created with Lanikai on Mac OS X showed all plugins enabled.
Comment 4•14 years ago
mailnews.message_display.allow.plugins was true? Or plugins rendered content in messages despite that pref's value?
Comment 5•14 years ago
(In reply to comment #3)
> A new profile created with Lanikai on Mac OS X showed all plugins enabled.
The mailnews.message_display.allow.plugins pref should prevent them being used from within the content policy.
Comment 6•14 years ago
So I've just done
Components.classes['@mozilla.org/appshell/window-mediator;1'].getService(Components.interfaces.nsIWindowMediator).getMostRecentWindow("mail:3pane").document.getElementById("tabmail").openTab("contentTab", {contentPage: "http://www.adobe.com/software/flash/about/"});
with mailnews.message_display.allow.plugins false, and that shows me that plugins aren't enabled.
However, I think we're going down the wrong track here.
Per comment 0:
> Please investigate the email below. Strange things started to happen when the
> attachment was opened by mistake (some java app started, don't know the rest, I
> pulled the plug on my computer quickly)
The attachment was *opened* by mistake, and then some java app started.
If this was the attachment being opened (I would guess into Firefox/Other browser) and then that invoked the app or something else, then I'm not sure we can do much about it. Not convinced from the testcase though, opening it as an .eml doesn't seem to do much.
Updated•14 years ago
Summary: Possible infection vulnarability? → Accidentally opening an email attachment may have infected my computer
Comment 7•14 years ago
(In reply to comment #0)
> ------------B92A869A91FDE80E
> Content-Type: text/html; name="Forwarded Message.html"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename="Forwarded Message.html"
>
> PG1ldGEgaHR0cC1lcXVpdj0icmVmcmVzaCIgY29udGVudD0iMDt1cmw9aHR0cDovL2lkaWVwZXJ1
> Lm9yZy9pbmRleDMuaHRtbCIgLz4=
>
> ------------B92A869A91FDE80E--
Decoded HTML.
> <meta http-equiv="refresh" content="0;url=http://idieperu.org/index3.html" />
Data returned from the URL in meta tag today.
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>404 Not Found</title>
> </head><body>
> <h1>Not Found</h1>
> <p>The requested URL /index3.html was not found on this server.</p>
> <p>Additionally, a 404 Not Found
> error was encountered while trying to use an ErrorDocument to handle the request.</p>
> <hr>
> <address>Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at idieperu.org Port 80</address>
> </body></html>
(In reply to comment #1)
> Please tell me Thunderbird doesn't enable Java by default.
Jesse Ruderman, does it mean that the URL returned HTML data which invoked a Java applet when you accessed it?
If so, it may mean idieperu.org was attacked.
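The decoding in comment 7, done mechanically, as an added example (not code from the bug report, from Thunderbird, or from MailNews Core): a Python script that walks the MIME parts of the reported message, base64-decodes every attachment, and flags HTML attachments carrying a meta refresh to a URL, which is the trick this "Delivery Status Notification" lure relies on to bounce the reader from a harmless-looking attachment to a web page. The sample message is constructed from the headers and the base64 payload quoted in comment 0, with the blank lines that MIME parsing needs restored and a placeholder recipient address; the function names are mine.

```python
import email
import re
from email import policy

# Constructed sample: the message from comment 0, trimmed to the headers that
# matter for MIME parsing. The base64 payload is the one quoted in the report;
# the recipient address is a placeholder.
SAMPLE_MESSAGE = """\
From: Mail Delivery Subsystem
To: recipient@example.invalid
Subject: Delivery Status Notification (Failure)
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----------B92A869A91FDE80E"

------------B92A869A91FDE80E
Content-Type: text/plain; charset=Windows-1252
Content-Transfer-Encoding: 7bit

Note: Forwarded message is attached.
This is an automatically generated Delivery Status Notification

------------B92A869A91FDE80E
Content-Type: text/html; name="Forwarded Message.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Forwarded Message.html"

PG1ldGEgaHR0cC1lcXVpdj0icmVmcmVzaCIgY29udGVudD0iMDt1cmw9aHR0cDovL2lkaWVwZXJ1
Lm9yZy9pbmRleDMuaHRtbCIgLz4=
------------B92A869A91FDE80E--
"""

# One <meta ...> tag at a time, then its attributes (double-, single- or unquoted).
META_TAG = re.compile(r"<meta\b([^>]*)>", re.I)
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
REFRESH_CONTENT = re.compile(r"""\s*(\d+)\s*;\s*url\s*=\s*['"]?([^'"]+)""", re.I)


def find_meta_refresh(html):
    """Return [(delay_seconds, url), ...] for every meta refresh tag in html."""
    hits = []
    for tag in META_TAG.finditer(html):
        attrs = {}
        for a in ATTR.finditer(tag.group(1)):
            # Exactly one of the three value groups matched; take it.
            attrs[a.group(1).lower()] = next(v for v in a.groups()[1:] if v is not None)
        if attrs.get("http-equiv", "").lower() != "refresh":
            continue
        m = REFRESH_CONTENT.match(attrs.get("content", ""))
        if m:
            hits.append((int(m.group(1)), m.group(2).strip()))
    return hits


def analyze_attachments(raw_message):
    """Decode each attachment and report any meta-refresh redirect it carries."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""  # undoes base64/QP
        entry = {
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(payload),
            "redirects": [],
        }
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            entry["redirects"] = find_meta_refresh(payload.decode(charset, errors="replace"))
        findings.append(entry)
    return findings


def is_redirect_lure(findings):
    """True when any attachment exists only to forward the reader elsewhere."""
    return any(f["redirects"] for f in findings)


if __name__ == "__main__":
    for f in analyze_attachments(SAMPLE_MESSAGE):
        print(f"{f['filename']!r} ({f['content_type']}, {f['size']} bytes)")
        for delay, url in f["redirects"]:
            print(f"  meta refresh after {delay}s to {url}")
```

Run against the sample, the script reports a 77-byte `text/html` attachment whose entire content is a zero-delay meta refresh to `http://idieperu.org/index3.html`; an HTML attachment that is nothing but a redirect is a strong mail-gateway signal on its own, independent of whether the target page is still serving anything.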
Comment 8•14 years ago (Reporter)
The attachment was opened from within Thunderbird by clicking on the attachment logo in the inbox list. I was expecting (my mistake) a Thunderbird message window, not something else.
Afterwards I looked at the source of the message and tried to b64decode the attachment, but messed that up so it showed me something binary. That made me wonder and sent the bug report.
But nevertheless, it is too easy to trick people this way. The document index3.html has probably been discovered by idieperu.org and removed.
Updated•14 years ago
Component: General → Attachments
Product: Thunderbird → MailNews Core
QA Contact: general → attachments
Updated•2 years ago
Severity: normal → S3
Comment 9•1 year ago
per comment 6
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → INVALID