[Spambayes] Spambayes pwning me?

Fu fu at fu.org
Mon Aug 18 08:22:34 CEST 2008


The article that you reference to describe DEP is horribly inaccurate and misleading.  Check out the Wikipedia article, it's considerably better: http://en.wikipedia.org/wiki/Data_Execution_Prevention

DEP does not misfire.  Whenever hardware DEP kicks in, some software is trying to execute at an address that is not normally designed to contain executable code.  This is often the result of a buffer overflow or some other software flaw.  These are the flaws that allow all kinds of viruses, worms, and other attacks to flourish.  That's why hardware NX (the technology used by DEP) was created by Intel in the first place - to make a large class of security attacks significantly more difficult.

Executing code on the stack, in the heap, etc. could actually be intentional on the part of the executing program, but most seasoned developers consider that to be a poor design choice (see the "In some instances" paragraph in the Wikipedia article).  The quality of design debate aside, this choice does open the program up to buffer overflows and other attacks that would normally be made much more difficult with DEP enabled.  Forcing that choice on another program (an add-in forcing DEP to be disabled for all of Outlook) is undeniably an irresponsible choice.

Turning off DEP for a critical program like Outlook which constantly receives unauthenticated data from effectively untraceable sources is opening an enormous security hole.

The fact that this has been known about and left for three years is insane.  Fixing DEP issues is not difficult, unless of course, the software has intentionally created this behavior.  If that's the case with SpamBayes, it should be stated outright so that people can make informed decisions about using the software.  I'm certainly not going to continue using it while it requires me to open the front door to my computer and invite people to come take advantage of me.

-----Original Message-----
From: skip at pobox.com [mailto:skip at pobox.com]
Sent: Sunday, August 17, 2008 5:14 PM
To: Fu
Cc: Amedee Van Gasse; spambayes at python.org
Subject: Re: [Spambayes] Spambayes pwning me?


    fu> To clarify, I'm not concerned about SpamBayes having malignant code
    fu> in it, but if it has a DEP issue, that issue could be exploited to
    fu> create an email worm that replicated without me ever having to open
    fu> the email.  Microsoft enabled DEP in Windows to protect us from
    fu> flaws in software that could lead to this type of situation.
    fu> Suggesting that users disable DEP is irresponsible.  If there is a
    fu> DEP issue in SpamBayes, fix it.  If there is a DEP issue in Outlook
    fu> when dealing with add-ins, if enough people report it, Microsoft
    fu> will fix it.

I'm not a Windows person, but it would appear that DEP is a fairly common
cause of software installation problems:

    http://www.realtime-vista.com/administration/2007/04/disabling_data_execution_preve.htm

In part, it says:

    If Vista (and actually this has been around since Windows Server 2003)
    sees that a process is being spawned that "could" be unwanted, DEP shuts
    it down. This is especially common in some application installations: if
    a Windows Installer setup (MSI) calls an executable in Vista, DEP could
    very well put a stop to it. If you are trying to run an installation or
    other executable being stopped by DEP, it could save you some trouble so
    turn it off while you attempt to give it another shot&

The SpamBayes FAQ suggests listing Outlook as a safe application:

    5.8 After installing SpamBayes, Outlook crashes and then asks for the
        plug-in to be disabled.

    Are you using an Athlon 64 or Core 2 Duo with DEP? There are issues with
    DEP and Outlook with a SpamBayes-based plug-in. Listing Outlook as a
    safe application on these processors should "solve" the problem.

Also, this has been a known issue for quite a while:

    http://mail.python.org/pipermail/spambayes/2005-August/017792.html

If Mark Hammond hasn't figured out a way around the problem short of
disabling DEP for Outlook, my guess is it's not a trivial problem.

Skip
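
Added example, not part of the original thread and not SpamBayes code: a PowerShell audit of the system-wide DEP policy and of programs that have been listed as DEP exceptions (the "safe application" workaround the FAQ describes). It assumes exceptions made through the System Properties dialog are stored as "DisableNXShowUI" values under the AppCompatFlags\Layers registry key; the function names are made up for this example.

```powershell
# Added example: report the DEP policy and any per-program DEP exceptions.
# Assumption: exceptions created in System Properties > Data Execution
# Prevention are recorded as app-compat layers containing "DisableNXShowUI".

# Meaning of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

function Get-DepPolicy {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        HardwareNxAvailable = $os.DataExecutionPrevention_Available
        Policy              = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
        Applies32BitApps    = $os.DataExecutionPrevention_32BitApplications
        AppliesDrivers      = $os.DataExecutionPrevention_Drivers
    }
}

function Get-DepExemption {
    # Machine-wide compatibility layers; value name = full path of the program
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    if (-not (Test-Path -Path $key)) { return }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $layers = [string]$item.GetValue($name)
        if ($layers -match 'DisableNXShowUI') {
            [pscustomobject]@{ Program = $name; Layers = $layers }
        }
    }
}

Get-DepPolicy | Format-List

$exempt = @(Get-DepExemption)
if ($exempt.Count -eq 0) {
    'No per-program DEP exceptions found.'
} else {
    $exempt | Format-Table -AutoSize
    # A mail client handles untrusted input, so call it out explicitly.
    $exempt |
        Where-Object { $_.Program -match '\\outlook\.exe$' } |
        ForEach-Object { Write-Warning "DEP exception present for $($_.Program)" }
}
```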

