The decision by Yahoo to use a word-altering e-mail
filter to guard against the execution of malicious Web code is generating
buzz in the Internet security space and experts predict ISPs will follow the
company’s lead to implement aggressive forms of virus protection.
To protect against code hidden in HTML-formatted e-mail and other
cross-site scripting techniques, Yahoo has admitted to using a security filter
that automatically deletes potentially harmful Web code and replaces that
text with strange words.
According to published reports, Yahoo was replacing the word “eval” with
“review.” Because the substitution ignores word boundaries, blacklisting “eval”
made words like “evaluate” appear as “reviewuate.” The same reports said
“mocha” was being changed to “espresso” and “expression” was replaced with
“statement,” even when the string appears inside another word, all aimed at
blocking tokens that can be used to launch malicious JavaScript.
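As an added illustration, not Yahoo’s or Microsoft’s own code (neither company has published its filter), the following puts the reported word-substitution filter beside a tag-aware filter of the kind the article’s other sources describe: one that removes script tags, event-handler attributes and script-scheme URLs from the markup and leaves the message text alone. The word table is the one reported above; the sample messages are constructed, and the particular constructs the tag-aware filter strips, and its reliance on a simple tokenizer rather than a full HTML parser, are assumptions made here.

```javascript
// Added example, not Yahoo's or Microsoft's code. Contrasts the reported
// word-substitution filter with a tag-aware filter that strips script
// constructs from markup and never touches message text.

// Substitution table as reported for Yahoo's filter.
const WORD_MAP = {
  eval: "review",          // eval() runs a string as JavaScript
  mocha: "espresso",       // mocha: is an old Netscape URL scheme that ran JavaScript
  expression: "statement", // IE's CSS expression() runs JavaScript from a style
};

// Naive filter: plain substring replacement with no word boundaries, so
// "evaluate" becomes "reviewuate". It also misses a trivially split string
// such as "ev"+"al", so it is both over- and under-inclusive.
function naiveWordFilter(text) {
  let out = text;
  for (const [bad, good] of Object.entries(WORD_MAP)) {
    out = out.split(bad).join(good);
  }
  return out;
}

// Tag-aware filter. Splits the HTML into tag and text tokens (assumption:
// attribute values contain no '>'; a production filter should use a real
// HTML parser). Text tokens pass through unchanged; tags lose <script>
// blocks, on* event handlers, script-scheme URLs and style attributes
// that use expression().
const EVENT_ATTR = /\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;
const SCRIPT_URL = /(\s(?:href|src)\s*=\s*["']?)\s*(?:javascript|mocha|livescript)\s*:[^"'\s>]*/gi;
const STYLE_ATTR = /\s+style\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;

function stripActiveContent(html) {
  const tokens = html.match(/<[^>]*>|[^<]+/g) || [];
  const out = [];
  let inScript = false;
  for (const tok of tokens) {
    const isTag = tok.startsWith("<");
    if (inScript) {
      // Drop everything until the closing </script> tag.
      if (isTag && /^<\/script\s*>$/i.test(tok)) inScript = false;
      continue;
    }
    if (!isTag) {
      out.push(tok); // message text is never altered
      continue;
    }
    if (/^<script\b/i.test(tok)) {
      inScript = true;
      continue;
    }
    let tag = tok.replace(EVENT_ATTR, "");
    tag = tag.replace(SCRIPT_URL, "$1#");
    tag = tag.replace(STYLE_ATTR, (attr) => (/expression\s*\(/i.test(attr) ? "" : attr));
    out.push(tag);
  }
  return out.join("");
}

// Constructed sample message exercising both filters.
const SAMPLE = '<p onclick="alert(1)">Please evaluate the <b>expression</b>' +
  '</p><script>eval(x)</script><a href="mocha:alert(1)">go</a>';

console.log(naiveWordFilter("Please evaluate the expression"));
// -> Please reviewuate the statement
console.log(stripActiveContent(SAMPLE));
// -> <p>Please evaluate the <b>expression</b></p><a href="#">go</a>
```

The point of the contrast is that the substitution filter changes what the reader sees while still missing anything an attacker bothers to split or encode, whereas the tag-aware filter acts only on the markup that a browser would execute. The tokenizer used here is deliberately small; an attribute value containing `>` or a malformed tag would defeat it, which is why a real mail provider should parse the HTML properly rather than pattern-match it.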
Those words were no longer being altered during tests by internetnews.com on
Thursday, but a Yahoo spokesperson confirmed some words were altered within
the software as “an extra security measure for our millions of users.”
The Yahoo spokesperson said the aggressive filtering was necessary to combat
the numerous viruses that have suddenly emerged over the last 12 months,
adding the technology was a “necessary security step.”
Security experts gave the Yahoo move a half-hearted thumbs-up, noting that
blocking, deleting or even altering some text was useful in the
virus-protection battle. Some text can be used to embed harmful code into an
e-mail message written in HTML, a sticky issue for Web-based mail
providers because script that runs in the recipient’s browser, inside the
Web mail session, can hand an attacker sensitive information, including
usernames and passwords.
Paris Trudeau, marketing manager at U.K.-based e-mail security firm SurfControl, said the extra layer of
protection offered in text-filtering software was “absolutely necessary.”
“In the past 12 months, we’ve seen a huge increase in the release of
viruses. This is a huge issue for organizations because there is a period
of time between when the virus is detected and when a fix is issued. In
between, the down time is costing companies millions of dollars,” Trudeau
said, arguing that any extra security should be applauded.
“In the past, ISPs and e-mail providers have centered their e-mail filtering
around the spam problem but I think that virus protection is so important
these days that any attempt to add another layer of protection is critical,”
she added.
Moving forward, Trudeau suggested ISPs and e-mail providers might want to
include an opt-in feature for customers to agree to have text changed within
e-mails, since it could be problematic when the software mangles innocuous
words, as in the case of Yahoo.
She said SurfControl, which sells Web and e-mail filtering technology that
includes tools to automate content recognition, supported the use of text
filtering to handle certain words within messages. “A filter can be used to
manage all kinds of cases to isolate words and phrases. But, it’s important
that the consumer or the enterprise using the software actually sets the
permission.”
“The filter is a tool to give an enterprise client the ability to deploy and
apply it in a way that is specific and acceptable to them. They can decide
how they want that e-mail handled. They may want to change text, isolate it
or even delete it entirely. It’s up to the companies,” Trudeau added.
Bernie Sheinberg, a spokesman for Postendo (formerly Vanguard Security
Technologies) said the decision to alter text was not the best way to block
the spread of harmful code. “Software can block offending code without
having to alter important e-mails,” Sheinberg said.
“Technically, from an enterprise point of view, content filtering ensures
more productivity by the employees. Filters have been limited to blocking
what goes in or comes out of a network and there are big holes to plug on
the security end,” he added.
While Yahoo’s filter is being criticized for altering text, other e-mail
providers say filters to block potentially dangerous code execution should
be embraced.
Microsoft also filters out JavaScript tags and commands within its
Web-based HTML e-mail service, but words are never changed.