Microsoft's Sybari Acquisition: Reminds Me Of A Notes Security Story
11:27:44 AM

Via Peter O'Kelly (as well as Ferris Research and El Reg), Microsoft is acquiring anti-virus and anti-spam vendor Sybari, continuing their string of acquisitions (GeCAD and Giant, previously) in the anti-malware space. Sybari's Antigen product has been available for Notes and Domino for about ten years. I have to wonder if it will continue under Microsoft. Not that it's critical, as there are many other high-quality anti-virus and anti-spam products for Notes and Domino, but Sybari's multi-engine approach was definitely a good one. But that's not what I'm writing about.


What I'm really writing about is an interesting story about Notes security in the early days, and it revolves around some publicity generated by a Sybari press release. It took place at a time when I was doing some contract QA work for Lotus, so I got a good insider's look at the issues. Enough time has passed since then that I believe I can finally go public with some of the details.


The first time I ran into Sybari was more than nine years ago, in October 1995. A front page article appeared in PC Week magazine. I don't recall the headline, and don't have a copy of the article -- but I do have a copy of the press release from Sybari that prompted the article. The title of that release was "Lotus Notes Security Alert", and the PC Week headline was of a similar tone. Here's the lead from the press release.


Contrary to what is popularly believed, the Lotus Notes environment is vulnerable to several types of new software virus attacks. These can range from simple electronic mail "bombs" and Trojan horses to viruses that infect workstations, servers and networks.


The article went on to list several possible ways that Notes mail could be used to transmit a virus, which was really nothing that everybody didn't already know. This was in the days of R4 beta, before the introduction of the ECL, and before widespread interconnection of Notes networks via the Internet. The article mentioned the fact that Notes could send stored forms containing buttons with malicious code, and it also mentioned that Notes is an OLE container -- and because of the capability of auto-launching a scriptable embedded object it drew the following conclusion:


In December of 1994, the U.S. DOE's Computer Incident Advisory Capability (CIAC) in reference to the "good-times" virus-hoax declared that "As of this date, there are no known viruses which can infect merely through reading a mail message"(1). The information disclosed here demonstrates that the potential of a virus spread through the simple action of reading mail is a reality that users of Notes must now understand and quickly remedy.


This didn't raise much concern in the Notes community. Lotus Business Partners in the BP Tech Forum on Lotus' Notes Net dismissed all the claims as insignificant. Internet mail couldn't spread an OLE-borne virus, because there was no way to send OLE objects through the SMTP Gateway. And all connections on the various Notes networks (run by CompuServe, Worldcom, AT&T and others) were fully authenticated, so any virus outbreak could be easily traced and isolated even if another one of the holes that Sybari pointed out (the ability to anonymously deposit mail in Notes R3's mail.box database) was exploited. The Notes mail template was also easy to modify to warn recipients when a message contained a stored form or an OLE object.

But there was one more thing in the Sybari release that did at least raise a few eyebrows.


To avoid detection, a technique called `Stealthed Form' can be used to convert a stored form into a normal rich-text item like the `Body' item used in all mail messages. The stealthed form will execute whenever the rich-text item (e.g. `Body') is displayed. This technique allows formulas to be executed directly from any rich text field, making detection extremely difficult. This technique also subverts mail filters and background macros designed to detect stored forms.


Nobody in the Notes community seemed to know what this "stealthed form" technique was about. The contention was that it would allow someone to send a stored form that looks just like a regular mail form, but in which the Reply button (which in R3 was actually on the form body, not in the action bar) might include rogue code. None of us -- myself included -- believed it was possible. One Lotus BP even wrote "I challenge them to send me a 'stealthed' form," and included his email address in a forum post. We all pretty much dismissed it on the grounds that if none of us had heard of it, it couldn't be real.


Ray Ozzie, however, didn't dismiss it. I don't know whether he contacted Sybari to get further details, or whether he worked it out for himself, but a few days later one of the engineers in the Notes QA group forwarded me an SPR that Ray had filed himself. The QA engineer wanted some help from someone with more Notes development experience and a better security background in testing the fix for the bug that was enabling "stealthed forms", and my name was suggested by one of the QA managers. I looked at the SPR, and Ray had included a step-by-step description of the method for creating a "stealthed form". I don't have a copy of the SPR, but I do have the email that I sent back to the QA engineer.


What happens is that a user creates a Store-form-in-document form. You're probably aware that this is considered dangerous if mailed because it can contain an innocent-looking button (it can look just like a standard mail form with a "Reply" button) that has code that does nasty things. Some customers have set up Mail/Paste macros on user mailboxes to detect all mail that arrives with stored forms. A flag is set to put a symbol in a view, alerting the recipient. If the mail is from someone the user does not trust, the user should not open it. But this "stealth" technique is a way to keep the Mail/Paste macro from discovering that there is a stored form, so the recipient cannot be alerted. This is done by renaming the fields that Notes uses to store the form.


I've actually looked through all my old email archives, and it looks like the test messages that I sent that included a "stealthed form" have been lost, along with the details of how the technique worked. My recollection is that it involved creating an ordinary Stored Form In Document form, creating a document with it, and then running an agent that assigns FIELD Body := $Body, and then deleting all the $ fields. The Notes editor code was designed to handle rich text recursively, so that the rich text body of a form could contain rich text fields (and subforms with their own rich text body and rich text fields), and there was nothing in the code to prevent interpretation of stored form elements within an ordinary rich text field. Until the bug was fixed in R4 (and a maintenance release of R3), the Notes editor would notice the stored form elements but fail to notice that it wasn't looking at a $Body field, so it would still override the Form field and display the stored form. The mail template could not be modified to detect this -- at least not without adding some direct hooks to API calls.
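As an added illustration, and not code from the original post or from Lotus or Sybari, here is the kind of R3-era Mail/Paste macro (or R4 "before new mail arrives" agent) formula that the stored-form warning described above relied on, together with the view column formula that displays the flag. The $Body item name comes from the text above; $TITLE is assumed here to be the stored form's name item, and StoredFormWarning is a hypothetical flag field. The check is keyed entirely on the presence of the stored-form items, which is exactly why the "stealthed form" defeats it: once those items are copied into an ordinary rich text item and the $ items are deleted, @IsAvailable returns false for every name the macro tests, the flag is never set, and the view shows nothing.

```formula
REM "Mail/Paste macro on the user's mail file: runs once per arriving document.";
REM "$Body holds the stored form's design; $TITLE (assumed name) holds the form's name.";
REM "Select only documents that carry a stored form, then set a hypothetical flag item.";
SELECT @IsAvailable($Body) | @IsAvailable($TITLE);
FIELD StoredFormWarning := "1";

REM "Separate view column formula: show a marker beside flagged messages.";
REM "Nothing here fires for a stealthed form, since its stored-form items were renamed.";
@If(StoredFormWarning = "1"; "!"; "")
```

The lesson carries beyond this one bug: any detection that keys on the names of design items in a document is only as strong as the assumption that an attacker cannot rename them, and the real fix had to be in the editor, which stopped interpreting stored-form elements outside a $Body item.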


Of course, today this all seems uninteresting. We have the ECL, which provides far more complete protection against threats like this. It was implemented shortly after this bug was uncovered, but not in time for the 4.0 release. If I recall correctly, it came in 4.1, though it might have been 4.5. I'm not sure exactly when the work on the ECL started, but I can't rule out the possibility that it was Sybari's publicizing of the "stealth forms" bug that lit the spark that made Lotus make Notes and Domino mail so much more secure. And now Sybari is part of Microsoft. I think that might be the more important factor to consider in the Microsoft acquisition. Microsoft isn't just acquiring anti-malware products. They're acquiring a company that has known how to find vulnerabilities in enterprise email systems longer than just about anyone in the business.

Comments

1. Nathan T. Freeman02/09/2005 06:58:08 AM


I remember that. Damn, that was a long time ago. I know I was on that thread. Do you still have a copy?


All opinions expressed here are my own, and do not represent positions of my employer.