[Spambayes] Spambayes pwning me?

Mon Aug 18 08:22:34 CEST 2008

The article that you reference to describe DEP is horribly inaccurate and misleading.  Check out the Wikipedia article, it's considerably better: http://en.wikipedia.org/wiki/Data_Execution_Prevention

DEP does not misfire.  Whenever hardware DEP kicks in, some software is trying to execute at an address that is not normally designed to contain executable code.  This is often the result of a buffer overflow or some other software flaw.  These are the flaws that allow all kinds of viruses, worms, and other attacks to flourish.  That's why hardware NX (the technology use by DEP) was created by Intel in the first place - to make a large class of security attacks significantly more difficult.

Executing code on the stack, in the heap, etc. could actually be intentional on the part of the executing program, but most seasoned developers consider that to be a poor design choice (see the "In some instances" paragraph in the Wikipedia article).  The quality of design debate aside, this choice does open the program up to buffer overflows and other attacks that would normally be made much more difficult with DEP enabled.  Forcing that choice on another program (an add-in forcing DEP to be disabled for all of Outlook) is undeniably an irresponsible choice.

Turning off DEP for a critical program like Outlook which constantly receives unauthenticated data from effectively untraceable sources is opening an enormous security hole.

The fact that this has been known about and left for three years is insane.  Fixing DEP issues is not difficult, unless of course, the software has intentionally created this behavior.  If that's the case with SpamBayes, it should be stated outright so that people can make informed decisions about using the software.  I'm certainly not going to continue using it while it requires me to open the front door to my computer and invite people to come take advantage of me.

-----Original Message-----
From: skip at pobox.com [mailto:skip at pobox.com]
Sent: Sunday, August 17, 2008 5:14 PM
To: Fu
Cc: Amedee Van Gasse; spambayes at python.org
Subject: Re: [Spambayes] Spambayes pwning me?

    fu> To clarify, I'm not concerned about SpamBayes having malignant code
    fu> in it, but if it has a DEP issue, that issue could be exploited to
    fu> create an email worm that replicated without me ever having to open
    fu> the email.  Microsoft enabled DEP in Windows to protect us from
    fu> flaws in software that could lead to this type of situation.
    fu> Suggesting that users disable DEP is irresponsible.  If there is a
    fu> DEP issue in SpamBayes, fix it.  If there is a DEP issue in Outlook
    fu> when dealing with add-ins, if enough people report it, Microsoft
    fu> will fix it.

I'm not a Windows person, but it would appear that DEP is a fairly common
cause of software installation problems:

    http://www.realtime-vista.com/administration/2007/04/disabling_data_execution_preve.htm

In part, it says:

    If Vista (and actually this has been around since Windows Server 2003)
    sees that a process is being spawned that "could" be unwanted, DEP shuts
    it down. This is especially common in some application installations: if
    a Windows Installer setup (MSI) calls an executable in Vista, DEP could
    very well put a stop to it. If you are trying to run an installation or
    other executable being stopped by DEP, it could save you some trouble so
    turn it off while you attempt to give it another shot&

The SpamBayes FAQ suggests listing Outlook as a safe application:

    5.8 After installing SpamBayes, Outlook crashes and then asks for the
        plug-in to be disabled.

    Are you using an Athlon 64 or Core 2 Duo with DEP? There are issues with
    DEP and Outlook with a SpamBayes-based plug-in. Listing Outlook as a
    safe application on these processors should "solve" the problem.

Also, this has been a known issue for quite awhile:

    http://mail.python.org/pipermail/spambayes/2005-August/017792.html

If Mark Hammond hasn't figured out a way around the problem short of
disabling DEP for Outlook my guess is it's not a trivial problem.

Skip