How is it that e-mail worms manage to spread so well? Typically it happens because, as we have said before, given the choice between security and dancing pigs, dancing pigs win every single time.
Fairly early on, some clever criminal realized this and started sending out e-mails like the one shown in Figure 13-6. Sometimes the message had a more suggestive subject line, such as ILOVEYOU, although strictly speaking, it does not seem necessary to be all that suggestive; just including the word "naked" in the e-mail seems to be sufficient to get at least 50 percent of the population to double-click the attachment.
Figure 13-6. Would your users open this attachment?
In 2000, Microsoft and other vendors started enabling attachments to be blocked, at least in some mail clients. (Outlook Express did not receive effective and usable attachment blocking until Internet Explorer 6.0 Service Pack 2, which shipped with Windows XP SP2.) In Outlook, the blocking consisted of a blacklist of file extensions and file type identifiers that the UI refused to open. The net result was that the e-mail the user saw looked like the one in Figure 13-7.
Figure 13-7. Now users cannot open the attachment.
This worked well until the bad guys came up with a simple workaround: just zip or rename the attachment and then include instructions in the e-mail body for how to open it. This worked reasonably well for them; the user population able to follow the instructions was slightly smaller than the number that would have opened the original attachment, but worms still spread nicely. Eventually, the antivirus vendors figured out how to identify some (but not all) of these attachments as evil anyway, and the ball was back in the bad guys' court. The workaround this time was to zip and encrypt the attachment, with the password in the message body, so that nothing between the sender and the user could inspect the contents. Now the e-mail looks like Figure 13-8.
Figure 13-8. Most users can figure out how to spread this worm.
At this point, we are somewhat stuck. We can hardly block zip files in e-mail. The productivity loss would be quite severe unless we provide alternate file transfer mechanisms, and those are likely to be even less secure. Some anti-malware vendors have tried picking the password out of the e-mail body and using it to open the archive, but this is too unreliable to work most of the time. The basic problem here really is a Layer 8 problem, a political problem in the nine-layer OSI model. (Remember, there are at least nine layers in the OSI model: physical, data link, network, transport, session, presentation, application, political, and religious.) The unfortunate fact is that unless users stop double-clicking untrusted attachments on their own, the only way to stop worms is to prevent them from doing so. We can easily do this with Group Policy now, thanks to the new attachment manager in XP SP2.
The attachment manager is a way to control which attachment types are considered dangerous and therefore generate a prompt before they open. Prior to XP SP2, each application had to maintain its own list of dangerous types. Starting with XP SP2, a single, centrally manageable list can be honored by every application that calls the Attachment Execution Prevention (AEP) set of APIs. Figure 13-9 shows the settings you can control using the attachment manager.
Figure 13-9. The Windows XP SP2 attachment manager.
After you configure the attachment manager in Group Policy, any application that calls the AEP to determine how to handle a particular file attachment or file download from the Internet will benefit from the central list. KB article 291369 lists the file types that should be considered unsafe as a baseline; you may freely add others. For users who consistently choose dancing pigs over security, we suggest creating a separate OU and giving it a policy that considers .* unsafe. This may sound drastic, but if it is the only way to protect them from themselves, you should at least consider it (and of course, your organizational policy should allow you to do so).
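As an added example (our own script, not code from the book or from Microsoft), here is the same configuration driven from PowerShell. The settings under User Configuration > Administrative Templates > Windows Components > Attachment Manager are policy-backed registry values documented in Microsoft's Attachment Manager KB article (883260), so a script can set them for testing, read them back, and check whether a given file carries the Internet-zone mark that makes the attachment manager prompt in the first place. The extension list is a subset of KB 291369 used as sample input, the risk-level DWORD values are taken from that documentation, and the sample path at the end is a placeholder.

```powershell
# Added example, not code from the book: the registry values behind the
# XP SP2 Attachment Manager Group Policy settings. Writing them under HKCU
# applies the policy to the current user only; in production you set the same
# settings in a GPO linked to the users' OU. Needs PowerShell 3.0 or later
# for the -Stream parameter used in Get-FileZoneId.

$AssocKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
$AttachKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'

# REG_DWORD values used by "Default risk level for file attachments".
$RiskLevel = @{ Low = 0x1806; Moderate = 0x1807; High = 0x1808 }

# Baseline of unsafe extensions: a subset of the KB 291369 list, used here as
# sample input (assumption). Extend it for your environment.
$BaselineHighRisk = @(
    '.ade','.adp','.bas','.bat','.chm','.cmd','.com','.cpl','.crt','.exe',
    '.hlp','.hta','.inf','.ins','.isp','.js','.jse','.lnk','.mdb','.mde',
    '.msc','.msi','.msp','.mst','.pcd','.pif','.reg','.scr','.sct','.shb',
    '.shs','.url','.vb','.vbe','.vbs','.wsc','.wsf','.wsh'
)

function Set-AttachmentManagerPolicy {
    param(
        [string[]] $HighRiskTypes = $BaselineHighRisk,
        [ValidateSet('Low','Moderate','High')] [string] $DefaultRisk = 'Moderate',
        # The "dancing pigs" OU: every extension not on an inclusion list is
        # treated as high risk, which is the policy-backed way to say ".* is unsafe".
        [switch] $EverythingIsUnsafe
    )
    foreach ($key in $AssocKey, $AttachKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }

    # "Inclusion list for high risk file types" is REG_SZ: extensions with a
    # leading dot, joined by semicolons. Normalize case and drop duplicates.
    $list = ($HighRiskTypes | ForEach-Object { $_.Trim().ToLower() } |
             Sort-Object -Unique) -join ';'
    Set-ItemProperty -Path $AssocKey -Name 'HighRiskFileTypes' -Type String -Value $list

    if ($EverythingIsUnsafe) { $DefaultRisk = 'High' }
    Set-ItemProperty -Path $AssocKey -Name 'DefaultFileTypeRisk' -Type DWord `
        -Value $RiskLevel[$DefaultRisk]

    # "Notify antivirus programs when opening attachments": 3 = always hand the
    # file to the registered scanner before it is opened.
    Set-ItemProperty -Path $AttachKey -Name 'ScanWithAntiVirus' -Type DWord -Value 3
}

function Get-AttachmentManagerPolicy {
    # Read back what is in effect for this user, decoding the risk DWORD.
    $assoc  = Get-ItemProperty -Path $AssocKey  -ErrorAction SilentlyContinue
    $attach = Get-ItemProperty -Path $AttachKey -ErrorAction SilentlyContinue
    $types  = @()
    if ($assoc.HighRiskFileTypes) { $types = $assoc.HighRiskFileTypes -split ';' }
    $risk = $RiskLevel.GetEnumerator() |
            Where-Object { $_.Value -eq $assoc.DefaultFileTypeRisk } |
            Select-Object -ExpandProperty Name
    [pscustomobject]@{
        HighRiskFileTypes   = $types
        DefaultFileTypeRisk = $risk
        ScanWithAntiVirus   = $attach.ScanWithAntiVirus
    }
}

function Get-FileZoneId {
    # The attachment manager only prompts for files that carry a mark of the
    # web, stored on NTFS as the Zone.Identifier alternate data stream.
    # Returns the ZoneId (3 = Internet, 4 = Restricted) or $null if the file
    # is unmarked and will therefore open without a prompt.
    param([Parameter(Mandatory)] [string] $Path)
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    foreach ($line in $lines) {
        if ($line -match '^ZoneId=(\d+)') { return [int] $Matches[1] }
    }
    return $null
}

# Usage: baseline policy for ordinary users, the strict variant for the
# separate OU, then verify. The download path is a placeholder.
Set-AttachmentManagerPolicy -DefaultRisk Moderate
# Set-AttachmentManagerPolicy -EverythingIsUnsafe
Get-AttachmentManagerPolicy
Get-FileZoneId -Path "$env:USERPROFILE\Downloads\invoice.zip"
```

Two caveats worth knowing before rolling this out: the prompt depends on the Zone.Identifier stream, so files that arrive on FAT volumes or through a mail client that does not mark its attachments open silently regardless of the list; and because these are per-user policy values, a user with rights to edit HKCU policy keys can undo a locally applied version, which is why the settings belong in a GPO rather than a logon script.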