Please create an account to participate in the Slashdot moderation system


Forgot your password?

Microsoft Develops Security-Path for Outlook 356

Reemi writes "On Microsoft's Office update-site they write: The Outlook® E-mail Security Update is in development... Since access to certain file attachments in Outlook is restricted by the update, users will need an alternate method for distributing files... For a list of file types impacted by this update, read File Types Impacted by the Outlook 98/2000 E-mail Security Update. It seems Microsoft is setting a new standard: Emails without attachments. "
This discussion has been archived. No new comments can be posted.

Microsoft Develops Security-Path for Outlook

Comments Filter:
  • We'd probably be no better or worse off with custodians running nuclear plants than with a 'technician' like a Homer Simpson. Seriously, you aren't giving sysadmins enough credit here. Sure, there are lots of MSCE type idiots running around, but there are a lot of highly skilled people working as admins as well. Admins are the people who are ultimately responsible for the security of their networks, who else should be able to control them?

  • It seems to me that this is Microsoft's way of throwing a tempter tantrum. It seems that they are saying, "Okay, you want tighter security than Outlook provides? We'll release a patch that makes Outlook so secure that you can't access email attachments at all!"

    It seems that they could've just disabled execution of attachments, yet left a way for those attachments to be saved.
  • 1) Microsoft has never had a clue about security. Why should they? They're a single-user mentality customer playing in a networked arena. The paradigms their programmers grew up with are no longer pertinent. They haven't been since the early 90's.

    2) Who are you going to sue? Microsoft disclaims all responsibility for the design flaws in their programs. Their initial design and their sorry attempt to patch their original flawed design are nothing less than irrefutable proof that what's happening inside Microsoft is malpractise on a huge scale. They don't need to patch Outlook, they need to fix their entire flawed perception of the importance of security. How many more billions of dollars will have to be lost before someone sees this? Certainly Microsoft has no incentive to change. The IT lemmings will keep jumping off the MS Cliff because they don't know any better, and Microsoft will never have to pay for the flaws in their code because the laws are moving toward favoring the corporation, not the consumer.

  • It's Msft's job to SELL LICENSES . - period. That's what fills the coffers and keeps stockholder grinning. Market research show that ease of access to data is more important than security. Putting security into a system turns users off, and thus sales droop. The teeming millions have enough problems just learning Word, without having to jump thru hoops just to get access to their files. Untill ppl have enough bad experiences to learn to demand security, it won't be a development priority.
  • I've been preaching the "No Attachment" message to my users for three years now and they still think I'm an idoit ("But how will we share files?")

    That's not a solution. The problem here is the broken windows software design. Microsoft has made a decision in all of its software to make it easier to use at the cost of security. The real solution here is to disable the auto-matic launching of executable files of any type; to get rid of microsoft word macros, or atleast turn them off by default; to make it so the user needs to initiate any action that could be dangerous to the system.

    Solutions like "don't send attachments" or blocking attachments of certain types only provide the user with a false sense of security. What happens when a user gets an email with a link in it that points to "That important document you asked me about"? The user clicks on it thinking 'well it's not an attachment and besides outlook filters out bad stuff so I have to be safe'; word launches, reads and executes the happy go lucky script. The only thing that has changed is how the "virus" spreads. The problem is is that the "virus" is still spreading.

    Microsoft and sysadmins in general need to start educating their users and putting some effort into securing things. You can't just hide from a problem and assume everything is ok.

  • If somebody wrote a program for linux that allowed shell scripts to run when you double-click 'em, do you really think it would be any more secure?

    Yes. Because someone would write it so that you had a choice of options. View the attachment, file the attachment, save the attachment to disk, execute the attachment. The broken, brain-damaged Microsoft way is there is only one way to "Open" a file and that is to open it with the program that is associated with that file extension. There are at least three instances of brokenness and/or brain-damage in the preceeding sentence. One of those is that MS uses extentions to associate files with applications, but Office applications use file contents to determine file types. You can save a Word document with a startup macro with a .rtf extension and MS Word will open the file and execute the Macro. The user has no means to determine if the file has what it's extension says it has.

    I have to use Microsoft products at work, but I don't have to like it.

    Anomalous: inconsistent with or deviating from what is usual, normal, or expected
  • by Booker ( 6173 ) on Tuesday May 16, 2000 @05:03AM (#1069486) Homepage
    And it only took an estimated 10 billion dollars worth of damage worldwide before they did something about the security problems... whoo! :)

  • according to the BBC the fix is only for Outlook and there will not be a fix for outlook express, where the majority of the clueless lie. seems to be a bit of a waste of time
  • by Anonymous Coward on Tuesday May 16, 2000 @05:04AM (#1069489)
    I am a Microsoft Lawyer. Sorry for the AC I couldn't figure out how to log in.

    We suggest you take this story down as you quote words directly off our web page.

    If not we will crush you.

    Thank you.
    Micro$oft Lawyer.

  • Frankly I feel it's an over-reaction on their part totally disabling those file attachment types.

    Yes, but it's a bug in Outlook that it determines the file type from the extension anyway. Outlook completely ignores the MIME type of attachments, and guesses what they are from the extension. This makes sending a GIF called "image.vbs" non-trivial to someone using Outlook. Similarly, this means I could rename the love letter worm VBS file and call it "image.gif", and Windows would think it's an image. Of course, this means that it won't be run automatically by double clicking on it. Or will it? If your image viewer can execute VB scripts, then you're just as vulnerable. Can IE run VB scripts (it's configured as the default image viewer on many Windows systems)? Sigh.

  • The whole thing stems from one fundamental confusion: failing to distinguish between _viewing_ a file, and _executing_ the instructions in that file. If filetypes like VBS macros had two separate commands for these, with the default being 'view', then worms like this could not spread.

    I always thought it was really stupid how the menu in Program Manager said 'Open' instead of 'Run'. Now Microsoft's decision to blur the lines between the two is coming back to haunt them.
  • by pigpogm ( 70382 ) <> on Tuesday May 16, 2000 @05:05AM (#1069496) Homepage
    Quick! The second horse has gone!

    Close and lock the barn doors, and shoot all the other horses!
  • Java can definitely be a risk. It's weird (as someone else noted) that pretty well all the file types that M$ is limiting are their own products.

    If I send you a malicious Java *application*, it can do all kinds of stuff - probably just as well as the VBScript program can (but it would be harder to write, IMHO).

    It's a Java *applet* (e.g., run via your friendly Web browser) that's quite limited in what it can do via the sandbox concept. So, Java would not be good as a virus that ran as an applet through your browser, but would work just fine as a virus Java application you ran through your native Java virtual machine (JVM).

    The difference is that most people only have a JVM in their Web browser, so they couldn't run a Java application anyway. If Sun has their way, everyone soon will have a JVM....if M$ has their way, maybe we won't. Someone correct me if I'm wrong - I don't think there's any sort of JVM shipping with Windows 98 or 2000, you need to get and install one separately.

  • No, I still wouldn't be happy with Windows even if they did that. There is a lot more wrong with Windows. Those things would be a small start in the right direction, but the inherent architecture of Windows (yes, even NT and 2000) is poor, and you can't easily retrofit that.

  • Viruses aren't spread by people you don't know anymore, they're spread by your stupid, clueless friends and family!

    Very true, and a really good point. However, don't make the assumption that my loved ones would go into my "trusted user" list. My network admins, co-sysadmins, and a few other technical professionals I know might make that list. My mother? No way.

    (That's not to say that somebody's mother isn't going to make that list. Just not mine.)

  • Am I the only one who feels insulted by the Big All Knowing Corporation keeping me from doing what I want for "my own good"?

  • As a matter of fact, here's a better way than that...
    Encode you're viruses into HTML documents. Then, ship the documents to whomever. When they open the document, since it's running locally, should allow all scripts to run...automatically.
  • I would appreciate everyone's opinion on another solution I suggested. This might still make it into a product (not outlook) so if you can see a flaw in it, please tell me.

    When a file is received as an attachment that matches the "executable" mask (that is, has the extension exe, vbs, bat, etc) the file is renamed by the addition of a ".unsafe" extension, thereby becoming file.exe.unsafe for example. This preserves the integrity of the file but makes it non-executable until the user explicitly renames it back to the executable extension.

    Problems I have considered:
    1) somebody might predict this and register the ".unsafe" extension to an executable. Could be solved by using a random string. This also implies prior infections, so they're already screwed.

    2) most users have "hide extensions" turned on. While they would still see the unregistered ".unsafe", they might not comprehend the significance and require education before they can use their executable attachments. My feeling is that this is a good thing.

    Can anyone show me a truly important flaw in this suggestion? I would like to push it internally but I am uncertain of its worth.

    Yes! We are all individuals! I'm not!
  • So can Excel and Powerpoint and any other document that lets you include ActiveX (Formerly OLE) objects. Maybe they didnt exclude them because 99% of the documents attached to E-Mail in the Outlook-using business community are Word or Excel documents. Funny their own browser (IE) gets "features" broken by this update such as "Send page as link" which sends a .URL attachment to a person. ~GoRK
  • MS says that from now on the user will get asked if it's ok to access the address book. Will this be via pop-up window, or some other method. I'm going to assume that it's a pop-up window.

    The vulnerability is from VBA, now if someone is able to write a VBA app which can scan your address book why wouldn't this app be able to select the "OK" button when windows asks the user if it's ok to access the addressbook?

    What if the password protect it? The target audience for windows HATES security, because it's a hassle. They'd have to actually remember their passwords! So if they do password protect it do you think that they'd add a "save my password" checkbox to the prompt? If they do we fall back into the VBA vulnerability.

    Get eudora and forget about outlook.

  • by ch-chuck ( 9622 ) on Tuesday May 16, 2000 @06:42AM (#1069517) Homepage
    "I explained how just making the switch would yield very little benefit while misleading folks into thinking they were more secure"

    I guess we're really getting into the twilight zone now - actually, making ppl feel secure and confident in a product is a great marketing strategy - they used to teach us that at one big old-iron firm I worked for, that "consumer confidence" is key. A customers 'mental image' of a company/product is much more important than the actual quality/security of the product, which is often beyond their ken anyway, the sales is there to keep the 'warm fuzzy's' going and the payments coming. Msft can get away with all this as long as they have the public trust and someone else to blame it on (hackers, inept McSE's, etc etc etc). It's amazing how much all of this is a smoke&mirrors, Wizard of OZ, managed media public relations image projection game.
  • by FFFish ( 7567 ) on Tuesday May 16, 2000 @06:43AM (#1069518) Homepage
    Write an educational virus. It wouldn't have a destructive payload ('cept for worming itself through address book). But it sure would *pretend* to be doing nasty things. Scare the bejeezus outta the idiots who doubleclick it. Bright lights, beeps, shit like that.

    And then pop up a message saying it *COULD* have nuked their system, but didn't, and that maybe they should finally learn their lesson: don't open attachments!

    (Yes, literally: "DON'T OPEN ATTACHMENTS!" Those sorts of dolts are better off never opening them than having to choose which ones to open...)

  • "No, in the case of ILOVEYOU, this would have stopped the spread of the virus pretty quickly. Imagine if a user had to push "Yes" for each of the several hundred mail messages he/she was sending out. And MAPI.DLL should have similiar protection. "

    I think on most ISP's, "mail", when looked up, gives the address of the mail server, where mail can be sent directly by SMTP.

    Alternatively, in Windows, a virus could stay search (like netstat can) for connections to servers with "mail" in their names, assume they are mail servers, and try to send via SMTP through them. Although, this may not work with MSEXCH servers on corporate LANs.

  • Your points are valid up to a point. Recreating user files is worse than system files. Recreating every user's files is worse than just a single user's files though, which is what you get when there isn't effective multi-user security. With Windows you probably have to fix user files, system files registry files, etc.

    The other problem is that unrestricted access to system files makes what a virus can do more dangerous, because it can infect itself into lots of other things. Thankfully, few viruses so far have been really insidious and sophisticated enough to pervasively infect a system and slowly (or at least delayed) start to do things. Think how much more damage these viruses might have done had they only slightly propagated themselves at first so they weren't noticed as quickly, but thoroughly infected the systems, so that at some later point they could go full bore once they had been spread all over the place? Doing this effectively would require that a virus/worm be able to infect system files and not just user files.

  • This is the problem:

    I can't imagine that it would ever become popular enough within the Linux/UNIX community

    The Linux/UNIX community is changing, just as the internet community changed in the early nineties. In one breath someone here says, "We need to make Linux easier to use and spread its acceptance." and in the next you hear, "I don't want to deal with people who can't use a computer, stay off Linux and use Windows!" In the next breath you hear about a static "Linux/UNIX community" which would never let a program in which would have as many problems as outlook.

    Well, the "Linux/UNIX community" is dynamic, very dynamic. You can't read the newsgroups without seeing how many 'newbies' are trying out Linux, and how many others are trying to get Linux/UNIX into homes of windows users.

    I'm not discounting SoftwareJanitor, there is a lot of truth in that posting, but I know that the blanket statement "it would [never] become popular enough within the Linux/UNIX community..." is not accurate, since the Linux/UNIX community won't the be same tomorrow as it is today and everyone here seems to want it to be different.

    If one wants to advocate an operating system then one needs to help people understand that you just need to be a computer user to use it, you don't need to join some sort of community or exclusive club. The more you talk about 'the community', the more you alienate those who don't understand that it's not exclusive.


  • and this patch will make it more diff to sync your palm w/ outlook []. this is IMHO just part of the plan to make ppl dislike the palm.

    #include "standard_disclaimer.h"
  • Simple re-encode your macro viruses into Word, or Excel or Access or whatever macros, then send that document (with the viruses attached) around...

    VBA macro viruses cannot function until the user has first enabled scripting for their open session of the Office product they are using. When a script attempts to run in an email, two things happen. Firstly Outlook prompts the user, telling them that the mail contains script and asking whether they want to run it. Secondly, if you have not run any script prior to the email in your open session, Outlook prompts you whether you would like to run macro scripts.

    Try it at home. Your idea has been covered by Outlook for a long time, however weakly.

    Yes! We are all individuals! I'm not!
  • For frustrated system admins, this is what my college instructors used to call a "teachable moment." Now is probably the ideal time to bring up strategic software issues with your CIO to avoid this kind of trouble in the future. Here are a few lessons that we may have the opportunity to pass along:

    For starters, just because you run NT or 9x, and your staff likes using Word, don't always assume that the Micros~1 solution is the best one, or even the best-integrated. Nearly all third-party apps are designed specifically to be happy in the M$ biosphere. For your environment, you might be better off tracking your software inventory with Tangram Asset Insight instead of SMS. Maybe your HR database should be running on Peoplesoft or Oracle instead of MS-SQL. Maybe not... but each technology decision should be considered on the merits of the tech, rather than just saying "we are a Microsoft shop."

    When you use MS products (or any software), don't always take the "biggest d*ck" approach. Outlook Express might serve your needs better than Outlook. The hot new service pack might not be ready for prime time. Keep in mind that you probably have a lot of 2 year-old systems in your office that you are trying to squeeze a little more life out of. What works on your brand new test-lab box might break in the real world.

    MCSE grunts might be easy to find and recruit, but even the most die-hard M$ fan would rather learn how to use the right tool for the job, and one person with the right tech is better than three people trying to fix junk. Don't give up on superior solutions out of fear that you can't find "qualified" staff. I bet your SQL guru would love to be sent to Oracle DBA classes... in fact, you might actually retain him/her for a couple more years if you show that your are committed to expanding the skills of your employees.

    Most of your staff is probably made up of geeks and hackers who know a lot about security. Don't take their recommendations lightly.

  • Your posting doesn't seem to be as incompatible with what I was saying as you seem to think it is.

    The mere fact that the Linux community is varied, is changing, and is incredibly dynamic is exactly what will probably insure that no single email client ever becomes as ubiquitous in the Linux world as Outlook is in the Windows world. There are very few software packages other than the kernel itself that are truly universally accepted, let alone something as high-level as an email client.

    The Windows world is different, because it is a monoculture dominated by a single vendor which has an amazing ability to control what software gets bundled with machines. No single entity in the Linux world has that kind of power. Not Red Hat, not Mandrake not SuSE, not Caldera, not Corel, nobody. The fact that there are many different distributions out there insures that there will be diversity in what packages will be used. The fact that it will probably be a long time (if ever) before the KDE/Gnome split is unified likely insures that no single GUI email package will ever become dominant on Linux the way that Outlook is on Windows.

    And as I said before, the thing that will really make sure that something with inherent security problems never gets pervasively deployed is that in order for something to be widely accepted in the Linux world it must be open source, which means problems such as these get dealt with quickly.

    As for talking about 'the community', that means something different here on Slashdot than it does if I am talking to someone in a different forum. You are reading something into my words that isn't there if you think I use that terminology to be divisive rather than inclusive.

  • One way of preventing these problems is to require all executable programs/scripts to be digitally signed by the vendor or a local administrator or security officer. I've read about some old operating systems that made the creation of executable files a privileged operation. The compiler had the privilege of creating an executable file. It enforced security policy by treating certain actions in the source code as fatal compilation errors. This allowed an insecure operating system to be protected from the programs of unprivileged users. A problem is that you can't use languages like C that allow the programmer to dynamically generate and execute code.
  • by konstant ( 63560 ) on Tuesday May 16, 2000 @06:52AM (#1069535)
    All they needed to do was change it so that it would save it out, and then the user would be able to launch it if they needed to after finding it

    Microsoft *did* make precisely that change after Melissa. That was also released as a patch. In fact, the complaint in the Outlook group was that nobody had downloaded that patch and consequently had lower security than Outlook actually provided.

    When it comes to security patching, you can lead a horse to water, but without "push" or software as a service you can't make him drink.

    Ok, that's enough mixing of metaphors for one day.

    Yes! We are all individuals! I'm not!
  • It will still prevent the macro viruses spreading on computers that don't have MS Office -- this last one hit both Outlook and Outlook Express address books, and was writen in a scripting language run by MS Windows Scripting host, which all computers with MS IE4 and above have. See, less people have Office than WSH, so if you take away the ability with WSH, then it's harder to spread.

  • There's an analogy here somewhere:

    The Titanic might not have hit an iceberg if the captain had not gone full steam through Iceberg Alley.
    Even if it did it would not have suffered such a large gash if there was better quality control on the hull rivets.
    Even so it might not have taken on water if it had double-hull construction (available at the time but considered too expensive and bulky).
    Even so it might have only flooded one or two compartments if the bulkheads had extended well above water level (this was considered too much of an inconvenience for passengers moving around the ship).
    Even if the ship still sank the loss of life would have been less terrible if there were enough lifeboats and the crew was trained to deploy them.

    So who's to blame?
    The newspapers of the time initially blamed the captain for speeding.
    The other problems came out during the inquiry and recent expeditions to the wreck.
    The companies that built and operated Titanic were liable and had to pay damages.
    The industry was more safety conscious after that - for a while.

  • From the article:

    This update limits certain functionality in Outlook to provide a higher level of security; it was not created to address a security vulnerability within Outlook.

    So, basically, allowing any arbitrary VBS script to execute without prompting the user isn't a security vulnerability. What is it, a ''feature''?

    Okay, then, providing a higher level of security *doesn't* address a security vulnerability. So, basically, this sentence says:

    This update limits certain functionality in Outlook to provide a higher level of security even though Outlook does not have the security vulnerability that this update addresses; it was not created to address a security vulnerability within Outlook because Outlook doesn't have the security vulnerability that this update very specifically addresses..

    In other words, Outlook is 100% secure, but this update makes Outlook more secure. I guess this is the new M$ math....


  • I saw something on the other day called Outlook2Ical that purports to be able to convert Outlook calendar messages to Ical calendar entries. Might be just what you are looking for.

  • "Restricted Zone" uses the "High" level of security, which leaves "Script ActiveX controls marked safe for scripting" and "Active Scripting" enabled.
    Yikes... You're entirely right. I just checked again, more carefully this time, and I discovered a nasty Outlook bug: When I "Default Level" for Restricted Zone, the setting changed to "High". Then I hit "Custom" to see what had changed... but I realize now that it showed me my old settings, not the new "High" settings. Grumble.

    Anyway, I still think it's moot. Barring bugs, it would be impossible to do anything malicious in an email that is being read with those settings. That's the whole point of restricting scripts. And, again, ILOVEYOU would not work as an embedded script using any default security settings.

    kaphka sez: it has nothing to do with the ILOVEYOU virus, which would run just as well under Pine (assuming you're running Pine on a Windows machine.)

    Hm. How would it propagate itself?
    Technically I said it would run just as well under Pine. :-) But it could still propagate, if the user has any email addresses in their Windows address book (or whatever they call it.)

    Sure, that's an outlandish scenario. But it still has nothing to do with Outlook. ILOVEYOU could easily be rewritten to pull addresses from Netscape's address book, or Eudora's, or Pine for Windows', etc. Outlook is only targetted because it's so common.
  • by istartedi ( 132515 ) on Tuesday May 16, 2000 @05:07AM (#1069580) Journal

    E-mail without attachments? I don't think so. It said *certain* file types. If somebody wrote a program for linux that allowed shell scripts to run when you double-click 'em, do you really think it would be any more secure?

    MS e-mail has been insecure because it has been customary to allow users to easily open attachments of any type. Period. Not because MS mail programs are poorly written or anything of that nature.

    Now some people have abused that privelege, and users have not understood it. So the only real solution is to place some restrictions on it. I use MS mail programs and have never had any security problems. I never open attachments from strangers either!

    Also, this is really not a bad turn-around time for a patch. Admitedly, it is longer than the turn-arounds for most open source bugfixes, but not by a ridiculous ammount of time, especially when you consider that the security hole is entirely fixable via user education anyway.

  • Executability isn't an issue. It still comes down to how braindead your mail client is. Let's say a company called Macrosoft made this unix email reader called Inlook, and by default it was configured to execute ".pl" attachments under perl if you double clicked on them. Let's say this particular perl program would sit around and watch your mailqueue to grab addresses, and send itself off to all those addresses. The same type of spreading would be accomplished. This would be possible if as many dumb people used linux as windows, and if as many people used Inlook as Outlook.

    In other words, spreading of the email is primarily a user and a client issue, not an OS one. The consequences on the system where the worm is run is an OS issue.

  • by Maryck ( 84 )
    Its interesting that they do not include .doc files in the list even though courtesy of VBA, those files can also execute malicious code.
  • Great, I'm sick and tired of downloading all those anothersillything.mpg attachments. Attachments are evil, we need a standard way of ftp-ing the attachments to a server and then just posting the url!
  • It doesn't surprise me that a company that can't write GOOD code to protect against attachment viruses would hire lawyers that can't figure out how to type in a username and password.
  • So you'd be happy with Windows if it let you set security on key files and deny the execute permission to people?

    If so, check out NT and 2000.
  • The real problem is much more fundamental then the outlook API. The real problem is the lack of a proper security model. You don't want to have your newly downloaded script to interact with an API that basicly lets it do anything it wants. A downloaded executable has access to the full win32 API. Just changing the outlook interface won't help preventing worms since there are other ways to retrieve the list of addresses in the addressbook.

    However, it would be ok if there were some restrictions on what this script would be allowed to do. I.e. a sandbox model would be appropriate for anything opened from an email client or a browser. Anything which is not labeled as trusted should not be trusted to behave well.

    This problem is not unique to windows. Most unix mail clients also leave it to the user what to open. Of course linux mail clients don't have much of an API to script. Apart from that, there's nothing stopping a virus from mailing itself to everyone in the addressbook and removing porn and mp3 on Linux (except the user of course) since it can all be done without requiring root permissions.
  • by ch-chuck ( 9622 ) on Tuesday May 16, 2000 @06:18AM (#1069606) Homepage
    Not when dealing with the teeming masses, it's all emotional appeal, using the proper buzzwords, etc. The 'logic' is this: ppl don't want viri, Msft doesn't want to be broken up, therefore the 'party line' is: breaking up Msft with bring you a plague of viri! No technical linkage required at all, Msft users wouldn't understand it anyway, just simple 'association'. Retroactive damage control. And yes, the EULA *does* exempt them from liability for damages caused by defects in the code - that's why it's such a great biz, you can sell not ready for prime time products out the yin/yang but as long as you can hold a monopoly position and positive market image, your in fat city.

    What is it, something like 80% of people polled think Msft is 'doing a great job' as it is? Who wants to be a billionaire? Nothing succeeds like success.
  • Grrrr... I think I'm going to have to stop reading Microsoft-related discussions on Slashdot, before I injure myself from banging my head against the wall so much.

    The ILOVEYOU "virus" was a trojan horse. As Microsoft has tried to explain to the public for years now, trojan horses cannot be prevented as long as users run untrusted code on their systems. (I'd be happy to hear any ideas, but I don't think it's possible.) But all the computer pundits kept spreading FUD and demanding a solution, so Microsoft implemented the only solution possible: prevent users from getting access to untrusted code in the first place. Kinda like banning cars because people won't fasten their seatbelts.

    Anyway... Ahem... I was planning to not rant about that, but I ended up going on for quite a bit. What I really wanted to point out was a small factual correction... actually two. First, I don't know how you have your Outlook configured, but by default, "Restricted Zone" does disable all scripting. Second, despite the "press release" quoted, Outlook's current default security zone is "Internet", not "Trusted". ("Internet" is the default zone for browsing web pages.) I don't know if this was a MS typo or your typo. (By "your" I mean the author of the article that Xemu lifted.)

    Changing the security zone defaults is a good idea. But, as few people seem to understand, it has nothing to do with the ILOVEYOU virus, which would run just as well under Pine (assuming you're running Pine on a Windows machine.)
  • yup.. the two are really comparable, they're supposed to do the same thing. yup. really. And MS excel is a way better spreadsheet than oracle.

  • Finally someone who understands the issues enough to stand up to this "It's possible on Linux too" BS.

    This is all about execution based on file extension. This simply wouldn't happen on this scale in Linux. Sure you could write some sort of cool Linux executable that showed some cool jumping frogs that also offloaded a virus payload, but the user would first have to save it to disk, set the execute bit(s) and run it. Then in order for this virus to spread it would have to read people's address book - on Windows this is just a MAPI call, but on Linux you have to check for pine, mutt, kmail, balsa, communicator, LDAP, etc address books. The scale of this problem for replication means that it would just never happen. It would spread to a few hundred people maximum before people would stop and say "what's going on", fire off a post to some bulletin board, and stop the virus in its tracks.

    Thats not to say that it will remain this way on Linux - chances are we might all unify to one email application with a standard interface (CORBA) to access the address book. But you still have to overcome the "save, set +x bit, run" problem which just isn't going to go away soon.

  • The *real* problem is Outlook's automation object model. By providing an API where Exchange data can be scanned and mail can be sent without user interaction, they are setting themselves up for all sorts of worms (or worse, targeted industrial espionage).

    I really disagree. Things should be scriptable. There's too many legitimate uses for it. But access should be limited by the process that attempts it.

    If I have a script in my home directory that sends mail, and it's not setuid'ed as anyone else, then the script should be able to do what I can do. It is me.

    On the other hand, if I receive a script as an attachment, and instead of saving it and "chmod"ing it as executable (thereby taking responsibility for what it does), I directly run it from inside the email program, then that process should be lauched "su"ed as nobody. Naturally, it shouldn't have access to my address book, just as other users on the system don't have access to my address book. And needless to say, the "nobody" user should not have the ability to send mail or open network connections, among other restrictions.

    The problem with apps like Outlook, Word and Excel is twofold: they treat data as code and they aren't written for a multiuser system. Neither of those things would necessarily be fatal, but the combination is.

  • push! push! push!

    A quick read of the threads on this article should show anyone the huge flaw that exists in the MS plan. Personally, I would use that as a key point. MS plans to release this update, and they will then just have to answer for another mistake.

    I don't like Windows, etc., but I don't want to see a company with that many good people go down in flames. The employees should really speak up for themselves instead of just accepting upper management's decision.

    Maybe with more smart ideas, like this one, they could eventually gain people's confidence. heh.

  • That was the whole problem in this case. You got email from people you trusted and so you opened it. PGP would have only added to your false sense of security!
  • On the other hand, if you write your virus in Visual Basic with some ASP processing on the server side + MTS + IIS + MS authentication process ripped of Kerberos + rules engine + XML + VRML + Marketing Department == a highly scalable and maintainable by only 120 people macro virus capable of overwriting all your jpg files with pictures of naked and petrified Ms. Portman, a virus with its own market share, very scalable robust and that only takes 10 minutes to execute on a single given client.

    Well, for this kind of virus of the future, the new Outlook security patch will work just fine!
  • by IanO ( 21302 ) on Tuesday May 16, 2000 @05:10AM (#1069619) Homepage
    I've also heard that in the next update they are recommending that we remove any cables connecting our computers to the internet.

    Their final security update will be a patch which automatically powers the computer down before you can boot into Windows... this would be the ultimate in security except that we won't be able to download it because we've already removed all cables connecting us to the internet.

  • The MS patch revolves around defining various types of security levels for attachments. At present, they only define two levels. At level 1 (.exe, .com, .vbs, et cetera), the attachment is deleted. Poof. Gone.

    The aren't gone or deleted. It will not allow the user to run or save them. If you later change your security policy you can save/run them any time you like. The data is always there.

    I think this makes good sense as a default policy for 99% of users. If you can't figure out how to change your policy, you shouldn't be running attachments in the first place.
  • by rcw-work ( 30090 ) on Tuesday May 16, 2000 @05:11AM (#1069627)
    ...Those can contain executable code too, but I guess Microsoft has to defend people's freedom to doubleclick on untrusted Word attachments.

    Microsoft can't get too draconian with the patch, lest people refrain from applying it, in which case they are back to where they started.

    Ahh well. Virus writers will have to get mildly creative again.

  • WHy not Perl? It's infinitely better for text manipulation anyways.

    You don't understand GNOME/KDE. I don't think the primary purpose of these projects is to make a good or ideal environment. The primary purpose is to make a reasonably compatable one, in order to infiltrate Microsoft's market. They are doing the best they can, within that constraint. Using Perl would be pointless in that regard, because the area they're trying to infiltrate doesn't already use Perl. It uses VB.

  • by subsolar2 ( 147428 ) on Tuesday May 16, 2000 @05:11AM (#1069629)
    Frankly I feel it's an over-reaction on their part totally disabling those file attachment types. All they needed to do was disable double-click/click (depending on your settings) launching & execution of those file types.

    All they needed to do was change it so that it would save it out, and then the user would be able to launch it if they needed to after finding it.

    For some user it would stop the viruses since they never would be able to find it one it was on the HD. ;)


  • E-mail without attachments? I don't think so. It said *certain* file types. If somebody wrote a program for linux that allowed shell scripts to run when you double-click 'em, do you really think it would be any more secure?
    MS e-mail has been insecure because it has been customary to allow users to easily open attachments of any type. Period.

    I would expect that most Linux users wouldn't double-click an attached shell-script without at least reading it first, and trying to figure out what it is. That's one of the benefits of Linux being "hard" - people using it tend to be "power users" at a minimum.

    This is something that people developing "easy" distributions of Linux will have to work on and watch out for. If Linux really does become available for the masses, some of those masses will do some pretty stupid things. Imagine a DDOS setup distributed as an e-mail attachment!

    One thing which makes Windows and Outlook particularly vulnerable is the relentless drive by MS to hide anything resembling a technical detail. In the default setup in Windows, file extensions aren't visible. So when the e-mail has an attachment "I Love You.txt.vbs", Windows (and outlook) hide the .vbs extension, and the user sees "I love you.txt". A plain text file is safe, as long as that's what the shell thinks it is. I hope Corel and others look hard at some of the MS Windows defaults, and the potential implications of them. Ease of use doesn't have to compromise security.

  • My point is simply that if we make things "close enough", or if we use

    a specification that allows interoperability between products from different vendors.

    then we're still vulnerable to a virus.

    Possibly, but not necessarily.

    You won't find me to be someone who is saying that viruses/worms are impossible on Linux/UNIX. I do believe they are less likely and less likely to cause as much damage, but I do believe and have been advocating that we make sure to keep vigilant to insure that they don't happen on Linux/UNIX or are at least dealt with as quickly and permanently as possible if they do. Unlike Microsoft, I don't think the Linux/UNIX world should put its head in the sand or live in denial.

    On the other hand, history has shown that two products which are similar, and conform to many of the same standards may have very different security issues. For example both Netscape Navigator and Microsoft Internet Explorer have somewhat similar user interfaces. If you can use one, you can probably figure the other out pretty easily. They both implement many of the same standard interfaces. HTML, Java, Javascript, etc. However, both have had at least a few security problems (in general, it seems like IE has had far more and far more serious security related bugs), but in most cases, the security problems they have had have not been the same. Exploits which work against one browser don't necessarily work against the other. The same thing is true of many other types of software. I think it is stretching to say that implementing a common interface or API necessarily puts you at the same risk of 'inbreeding' that having everyone rely on the same vendor's products does (as we see now with products like Outlook).

    If it's a close enough interface, then I can probably code something to work with multiple variations.

    Maybe, maybe not. I have little doubt that in many cases it makes it far more difficult to create a single virus/worm which can afflict multiple platforms. It very definitely rules out many sorts of binary coded viruses, as they are generally tied to a specific hardware platform or OS API.

    I'm not advocating homogenaity of implementation (heck, not even MS purports to do that - multiple system elements may expose the same functionality, even though they are implemented in many different ways (e.g. drivers, etc)), but that if we have near identical interfaces, we're still stuck with the problem.

    I'm not saying that there isn't any shred of truth in what you are saying, I just think that you grossly exaggerate the risk that is involved in following open, industry standard interfaces. I think you have a lot more of a point when interfaces are partially secret or totally proprietary, as they are not then exposed to nearly the level of independant review.

  • Executability isn't an issue.

    Yes, it is. It isn't the only issue, but it is still an issue.

    It still comes down to how braindead your mail client is.

    The difference is that an email client on Linux/UNIX would have to go out of its way to be as braindead as Outlook is in this case. Just because a file comes down under Linux/UNIX with a certain extension, it isn't immediately going to be executable as it is under Windows.
    Let's say a company called Macrosoft made this unix email reader called Inlook, and by default it was configured to execute ".pl" attachments under perl if you double clicked on them.

    It would have to intentionally set the execute bits on files based on their extension. That would be an extra effort. If the 'Inlook' email client was open source, something like that would certainly get noticed and fixed quickly. If it wasn't open source, that would seriously limit the number of users who have it on their system, since most of the Linux/UNIX distributions wouldn't include it by default.

    Let's say this particular perl program would sit around and watch your mailqueue to grab addresses, and send itself off to all those addresses. The same type of spreading would be accomplished.

    This is of course true, but this is only a fraction of what the ILOVEYOU virus, for example, does. It also goes out and wonks around with the system registry, and deletes files. These parts would be less likely to cause problems on Linux than on Windows 9x due to permissions.

    This would be possible if as many dumb people used linux as windows,

    That isn't quite true, as Linux/UNIX still has a certain amount more security than Windows 9x, and thus will even to a certain extent protect dumb users from themselves.

    and if as many people used Inlook as Outlook.

    For reasons I've stated before, it is highly unlikely even if Linux/UNIX had the same size user base as Windows that any single email client would ever get the installed base of Outlook.

  • I think the sandboxed environment for executing scripts would be a good move for Microsoft to implement, but would be very difficult for them to retrofit at this time. It is definitely something that any Linux/UNIX email clients should think about doing ahead of time so that they aren't faced with having to try to retrofit later.

    I am not that sure that signing documents will really help that much, as too many users will be too lazy to bother with setting up encryption or to understand how it works.

  • That could be a workable, albiet inconvenient workaround in the Linux world, where it is possible to run programs under different user ids without logging out. I don't think it would be considered an acceptable alternative in the Windows world due to the fact that their ability to deal with simultaneous multiuser sessions is non-existant to awkward.

  • windows will still execute it

    No it won't.

  • it's arguable that the spread of Melissa and ILOVEYOU had nothing to do with security exploits.

    Well, that is a matter of perspective I suppose. One way of looking at it is that both of them rely on the fact that there is little or no security in Windows 9x.

    So, addressing the original poster's comments, just because they've got 4 mail programs on their system doesn't mean they're "safe", if they all have essentially the same API's

    I think that if an API is standard and multivendor, then it, in itself is less likely to be the target for attack because it will be under the scrutiny of a much larger number of eyes. Specific implementations can of course have their own problems, but that is a slightly different issue.

    or similar address book files (perhaps XML), etc.

    The address books, or their access methods are only part of the problem, in that it is only related to the propagation of viruses/worms, not necessarily to their destructive potential. It also doesn't take into account that Melissa/ILOVEYOU also rely on the ease with which code from outside can get executed under Windows. For the problem to be as bad under Linux/UNIX as it is under Windows, all three things would have to come together on a significant number of desktops. As long as the Linux developer community and the distribution vendors are aware of this potential problem, it is not nearly so likely to happen.

  • I usually ZIP everything sent because many mail gateways corrupt the filenames of attachements. Also very nice to make sure your personal love letters reach their targets untouched. /dot
  • This is a press release.

    After some research on My Own Company Ltd. (DAQDAQ: MOCL), these are the best solutions we have found depending on the security grade you prefer (higher number, higher security):

    1. Delete Outlook Express
    2. Don't use email at all
    3. Destroy your Internet connections, and your whole LAN if desired
    4. Destroy your computer and all your electronic equipment
    5. Destroy all your belongings and spend the rest of your life in the Sahara dessert, living alone

    This has proven succesful in our labs in a controlled environment, so we can almost assure you that following the points above will solve your computer viruses problem, including those that spread by email, forever.
  • Original article []

    Date: Mon, 15 May 2000 21:07:41 -0400
    Reply-To: Russ
    Sender: Windows NTBugtraq Mailing List
    From: Russ
    Subject: Outlook Email Security Update
    Comments: To: "NTSecurity (E-mail)"
    Content-Type: text/plain; charset="iso-8859-1"

    Today Microsoft announced the "Outlook Email Security Update", scheduled for
    availability from;

    on May 22nd, 2000.

    I was briefed on this update last week, and during this discussion I
    presented several recommendations. Microsoft have chosen not to implement
    any of them, despite the nearly 10 days available prior to its availability.
    Presumably they still haven't resolved the issues they have getting content
    onto their update sites in a timely fashion.

    Before I go into what is in this update, there are several critical
    incorrect assertions in it. Quoting from the official press release;

    "Heightened Outlook default security settings increase the default Internet
    security zone setting within Outlook from "trusted" to "restricted." The
    restricted zone disables most automatic scripting and ActiveX=AE Controls
    from opening without the user's permission. Users who prefer less security
    can easily change their Outlook settings to trusted zone."

    I guess the Microsoft Office Product Group has never bothered to read my
    page on how Outlook works and what needs to be done to the Restricted Sites
    Trust Zone for it to be truly safer;


    Of course without the modifications to the default settings of the
    Restricted Sites Trust Zone, Outlook happily runs any Active Scripting, and
    will happily invoke any ActiveX control marked safe for scripting and
    present on your system (ActiveX downloads are disabled.)

    I more than pointed this fact out to the Briefer, one Lisa Gurry from the
    Microsoft Office product group when she presented the functionality to me. I
    told her to either not make the switch to the Restricted Sites Trust Zone,
    or, make the switch and alter the defaults. I explained how just making the
    switch would yield very little benefit while misleading folks into thinking
    they were more secure, especially against scripting worms.

    The fact that ILV was relatively stupid as worms go seems to have been
    missed by many people. A slightly modified version sent as HTML that doesn't
    bother with the address book (who needs it, most people have lots of mail in
    their folders from all sorts of interesting folks to reply to) will likely
    get by these new features since scripting can still be done. The fact that
    "attachments" won't invoke any more isn't likely going "to thwart the spread
    and impact of many computer viruses."

    This presumes, of course, that some 45 million people already realize just
    how stupid they were to click on that attachment in the first place...and
    maybe have told a few friends...;-]

    MS seem incapable of doing what some coder at;

    has done with relatively few lines...namely convert inbound HTML-based
    emails to something else (Rich Text) which completely eliminates the
    vulnerabilities of scripting emails.

    Of course they further show their ignorance of the realities of corporate
    email systems by providing this quote;

    "Given the global impact of the I Love You virus and the growing threat of
    malicious hackers, we strongly believe we must take the unprecedented step
    of limiting certain popular functionality in Outlook to provide a
    significant, additional security option for our customers,"

    ...which, of course, has probably triggered thousands of email gateway
    scanners to throw the message back as containing a worm...duh!

    Granted, its unprecedented to remove functionality in favor of
    security...after a product's been released. This usually occurs during

    Anyway, to the features in this update;

    1. "Email Attachment Security":

    Attachments won't be put through to users email. That's right, they'll go
    into never-never land. I haven't received an answer to my question as to
    just where they will go. I've been told that a user will somehow,
    miraculously know that there was some sort of attachment on a given piece of
    mail but that it's been stripped in the interest of their security...

    We'll have to tune in next week to find out where those objects get tossed
    to. ISPs may end up with thousands of little (or not-so-little) fragments of
    messages left behind by Outlook POP3 users who's mail simply says "Nope, I
    don't want that thanks"...with no ability for the user to delete it cause
    they can't see it...

    A full list of extensions being excluded is below (which will make even more
    dumb email gateways break as they can't figure out whether the presence of
    the text string "vbs" is a script or not)

    2. "Object Model Guard":

    Well, to be more precise is the "Address Book Guard" really. If Outlook
    detects lookups in your address book (that are somehow distinguishable to an
    invocation of the "Find" command", it, um, pops up a dialog. Not sure what
    the dialog says, but presumably it will be sufficiently verbose to explain
    what might be happening. Haven't seen what the dialog box options are, say,
    for someone trying to script a newsletter or a marketing document. Guess
    lots of folks are going to learn how to use distribution lists (making
    scripting worms easier in future as they just look for distribution lists
    instead of lots of addresses.)

    I should say, however, that this was one of the features I was looking for.
    Would have been nice to know how they're doing that, but...

    3. "Heightened Outlook default security settings":

    I covered this. They ignored my advice, don't know how their products work,
    and then told the world they were doing a good thing(tm)...NOT!

    I *have* to believe we'll see different wording in the final web page...I
    don't think they'd continue to lie so blatantly about their product.

    Get the feeling I'm not going to get briefed again in the future...;-]


    MS dropped the ball. I told them to make this thing appear as an interim
    step. It's not a patch, its Outlook on Training Wheels. I thought it was
    going to be a complete product (i.e. you download it and that's how that
    version works, get the full version to do more harm to yourself). As such,
    it made a lot of sense to have a version that was severely restricted. Put
    users on that till you're satisfied they aren't going to shoot themselves in
    the foot.

    Nope, they gotta tout it as more than that.

    So, bottom line, unless they change the thing before it gets released next
    week, make sure anyone you suggest it to also gets this URL;

    and turns off scripting and scripting of activeX components marked safe for

    I'm not even going into the fact that Outlook Express isn't being updated.
    Let's get real Microsoft, its the only email package included in every
    shipping OS you make! Oh, and let's not forget the "It can't be removed on
    Windows 2000!~!@!$!%" Someone on Bugtraq made a funny post about it being a
    virus...come on, we all know it can't replicate itself to another
    machine...that's done automatically at installation of the OS...

    In case you can't tell, I'm not pleased with the press release, or the
    completeness of the update.

    That said, I made another suggestion today that hopefully will get
    implemented. One of the biggest problems that exist with all of this is the
    fact that most people never update their systems with any patches, security
    or otherwise. I've suggested that they put a download counter on the site so
    we'll be able to see just how many people actually get the thing. Doesn't
    say much other than show the realities. MS could put a lot more effort into
    a better update, and it probably still wouldn't be applied by most folks
    (even if they did something so the patch could apply to more of the millions
    of folks the patch isn't intended for, i.e. those that use Outlook Express

    For those interested, here's the list of extensions to be blocked by the

    ADE Microsoft Access Project Extension
    ADP Microsoft Access Project
    ASX Streaming Audio/Video Shortcut
    BAS Visual Basic Class Module
    BAT Batch Files
    CHM Compiled HTML Help File
    CMD Windows NT Command Script
    COM MS-DOS Application
    CPL Control Panel Extension
    CRT Security Certificate
    EXE Application
    HLP Help File
    HTA HTML Applications
    INF Setup Information
    INS Internet Communication Settings
    ISP Internet Communication Settings
    JS Jscript File
    JSE Jscript Encoded Script File
    Ink Shortcut
    MDB Microsoft Access Application
    MDE Microsoft Access MDE Database
    MSC Microsoft Common Console Document
    MSI Windows Installer Package
    MSP Windows Installer Patch
    MST Visual Test Source Files
    PCD Photo CD Image
    PIF Shortcut to MS-DOS Program
    REG Registration Entries
    SCR Screen Saver
    SCT Windows Script Component
    SHS Shell Scrap Object
    URL Internet Shortcut
    VB VBScript File
    VBE VBScript Encoded Script File
    VBS VBScript Script File
    WSC Windows Script Component
    WSF Windows Script File
    WSH Windows Scripting Host Settings File

    Russ - NTBugtraq Editor
    "dot-age" (as in "we're in the dot-age") = senility (source Webster's)

  • by cje ( 33931 ) on Tuesday May 16, 2000 @05:13AM (#1069665) Homepage
    Wow! Thanks, Redmond! Word has it that Windows 2000 Service Pack 8 will also have built in invulnerability to the Morris Worm!
  • This is not a troll, just pointing something out.

    Does anyone else find it ironic that almost ALL of the file extensions on the list pertain to Microsoft applications?
  • by AllynKC ( 88909 ) on Tuesday May 16, 2000 @07:33AM (#1069667)
    It is a blatant overreaction, and limiting the attachments doesn't address the underlying security flaws; it only hides them. Prevent executables from running directly from within Outlook, or if they are ran, greatly limit their functionality if they are ran from within Outlook. For instance, if a script is ran externally from Outlook, assume that the user ran it him/herself, and give it access to the Outlook Address book (there are legitimate times when this is useful). If the script is ran from within Outlook, then it should be assumed to be insecure and not be given access to the Outlook Address book, and should not be able to modify other files on the system.

    There will be a loud scream of protest from users who download this patch. They will want to be able to send many of these file types via e-mail. MS will, of course, provide an uninstall for their patch, say "I told you so, you really do want the full level of functionality", and then go on happily ignoring security issues, always refering back to this failed attempt as the reason (ie: "we tried implementing greater security, users hated it, so we removed it").
  • *ROTFLMAO* I'm sorry, but there is so much in this document to laugh at. As laughter is good therapy, here's the entire thing potted into a syringe-sized dose:

    A nice starter - you know you're in Microsoft's hands now!

    This update limits certain functionality in Outlook to provide a higher level of security; it was not created to address a security vulnerability within Outlook.
    Absolutely! Keep telling us there's nothing wrong with Outlook and maybe we'll believe you someday.

    Certain functionality in Office may be impacted by this update.
    What does that mean? Let's follow the link []
    Palm, Windows CE devices (PDAs) have synchronization issues. These include:
    Syncing with the Inbox displays a prompt and then fails. This is under investigation.

    Ah, that's not a bug, it's 'impacted functionality'. Let me add that to my excuses list.

    Since access to certain file attachments in Outlook is restricted by the update, users will need an alternate method for distributing files...
    Such as elm/pine/Eudora/Netscape Messenger...

    Level 2 security contains only one file type by default: .ZIP files. If a message contains a .ZIP attachment, you are prompted to save the file to disk if you try to open it.
    Ignoring the fact that in Microsoft's world there is only one type of archive - have you noticed how MS deem it okay for you to open it elsewhere, just not near Outlook? What are they trying to hide?
    This update...was not created to address a security vulnerability within Outlook.
    Ah, yes - so you said. And you know what, I almost believe you...
  • windows will still execute it No it won't. uh ... there is *no* requirement that an executable file image be attached to a program with a .exe extension in any modern version of windows. I can create an executable named foo, and as long as windows detects the correct information in the header, it will execute it. Hell, I *have* done this, regularly. (It also is no longer true that .com files have to be under 64K in size or adhere to the compact memory model ... that was true in win31, but no more). Now, its possible that *outlook* wont invoke it, because a lot of the automagic file invocation stuff happens with checks through the registry to discover what should be used to open a particular file, and outlook might be stupid enough to not know that something not named .exe is actually an executable --- i dont know, as i havent run outlook more than once or twice. but theres no inherent windows limitation, and hasnt been for years. -- Robert West Delphi R&D
  • In Outlook:

    - Right click on the attachment
    - Choose edit (opens in Notepad)
    - Choose save, then open in your favourite text editor.

    Not too hard...
  • How does removing executable attachments hurt the little guy any more than it hurts the big guy?
  • Because at least they would only affect one user's files, not system files, libraries, etc.

    Does that mean I really expect problems similar to the ILOVEYOU virus? Not any time soon.

    What about the ILOVEYOU virus requires root? It needs to read your address book, send e-mail, and replace personal documents (.jpg and .mp3 files). Doesn't sound to me like system file modification is necessary...

  • That's not ironic, that's the point. The extensions on the list are those that are part of Windows or that belong to MS applications. There are plenty of other applications that could also be dangerous -- if you install Perl, for instance, .pl files are just as dangerous as .vbs files -- but Microsoft is letting the vendors of those products add extensions to the banned list themselves. (Disallowing files belonging to other companies could be seen as anticompetitive.)
  • Just to add one thing. ZIP is not on the list. For years I've been telling people to ZIP things anyway, and if you really need to send an EXE as an attachment you can still ZIP it. The user will have to intentionally unZIP it, which will make them think before running it.

  • the ease of access to the address book

    cat ~/.addressbook

    the various gaping holes allowing access

    ILOVEYOU exploited no gaping OS holes that I'm aware of.

    the general problems of macro scripts

    print "Looks like a macro script to me!";

  • Outlook does this as well, but that's not the problem. Few people actually have macros in Outlook, but if they do, by default they'll see a message box saying "This outlook session contains macros..." yadda yadda.
    The problem is not outlook's internal VBA macros, but external programs being able to automate outlook so easily, due to its exposed object model which WSH/VBScript (among others) has easy access to with no regard for security.
  • Statements such as this:


    MS dropped the ball. I told them to make this thing appear as an interim step. "

    ... make "Russ" seem as arrogant as fuck.

    Sure, he might be qualified to scrutinize MS' security (hell, it doesn't take much to be in a position where you can poke strong technical holes in MS' security, sheesh), and he may very well have some good points to make, but coming off like "I told them so, but they didn't listen" is really just fundamental geek arrogance at its finest.

    The *viewpoint* may be perfectly valid, but the arrogant header containing the packet is going to cause this message to bounce off corporate-mindset firewalls all over the place.

    Who the hell does he think he is? The Great God of Microsoft, directing his minions? I thought that position was already filled.

    With all due respect, I do *not* know this Russ person at all, and may be treading on a few toes, but since I don't know him, his viewpoint wrapped in arrogance is an unfortunate first intro. (I'm sure he's a technically competent invididual, though.)

    This is a perfect example for how *not* to communicate to an industry/public about technology. Better would be to just state the facts, and leave the blame out of the equation - it'll carry better in mainstream media, because media types detest geek arrogance, especially when it involves Microsoft...
  • GNOME's VB-compatible scripting host is sandboxed; scripts can't touch anything outside their sandbox.
  • by MrP- ( 45616 )
    i just read an article, i think wired, that said it just disables single click for VBS/JS files, and requires you to confirm when something tries to read your address book... i guess the info on would be correct though huh?

    $mrp=~s/mrp/elite god/g;
    Outlook does not run embedded programs automatically.


    Outlook does not run embedded programs automatically.


    Outlook does not run embedded programs automatically.


    I know I take this too personally, but the rampant ignorance about this issue, among such otherwise intelligent folks, is really depressing.

    To clarify: The ILOVEYOU trojan exists as an inert attachment. It will not run when you read the email; it will only run if you then launch the executable attachment. Yes, there are ways to run safe code automatically in Outlook, and yes, there have been bugs that allow you to run unsafe code automatically in Outlook, but none of that is involved here.
  • by tjwhaynes ( 114792 ) on Tuesday May 16, 2000 @05:17AM (#1069715)

    Amazing. MS chooses to remove all access to the attachments. Not just stop them running, but actually stop them being saved out to disk. That's going to really impress the user who receives the Kerberos document in EXE form :-)


    Toby Haynes

  • The su to nobody fails because nobody's password is typically *'d out in /etc/shadow. That doesn't necessarily mean that the suid ownership of a mail client can't be set to nobody, although that would effectively present a challenge to find a secure way to read a user's mailbox. Not saying it can't be done though.

    It is also not true that 'only root can change their user id'. Only root can do so without knowing what the password is. I often log in as one user and su to another without ever being root, so I know that is possible. If the user id's password is starred out, then only root can su to that user id.

  • One of the main things the ILOVEYOU virus does is wonk around with the registry. Under Linux/UNIX the equivalent would be messing around with files in /etc for example. It could still be destructive to a single user without doing that, but one of the things it was trying to do with the registry hacks was to try to sniff passwords, which could be used to compromise a lot more things.

  • The problem with Wizard of OZ marketing is that Toto could pull back the curtain. If MS makes all of these security changes and two weeks later the "Open this attatchment and Old Navy will send you 6 dollars.vbs" worm does 10 times as much damage as ILV, they're screwed. Every middle manager in the country will say, "That MS rep promised us this new Outlook was secure, but it obviously isn't." Next time MS promises something, like all NEW Kerberos extensions, maybe nobody will trust them. We can always hope.

    An external application is trying to access e-mail addresses you have stored in Outlook. Do you want to allow this?
    Allow access for: 1min, 2min, 5min, 10 min

    This is so dumb! I am sure that this time restriction is a potential security problem.

    You either allow the executing appliation to read the addresses until the app. is terminated, or you disallow it, but you don't allow some app. to do something for 1 or 2 or 5 or 10 minutes. This makes no sense, if I wrote a virus, would I make this virus wait for 10 minutes before it did some damage or spread around? No. The virus would do its business in the very beginning and it usually does not take a minute for the virus to execute.

    Micro soft must be some kind of a brain disorder
  • damn, you seem to have spotted the flaw in my logic.. ;)

  • Instead of actually increasing the security of thier mailer and stopping the ease of access to the address book, the various gaping holes allowing access to the O/S and the general probelms of macro scripts, they block access to certain filetypes.

    This won't actually stop the problems that Outlook has or causes, but it will slow it down a little. Now people will save them off to thier disks and run the programs from there allowing more access to Back Orifice, and a .BAT containing "Deltree /y c:\"

    This is typical of what happens when a corporation becomes stale.

    Good riddance I say. The more more people are scared away from Microsoft the better.
  • So when LINUX becomes a common desktop OS user are going to have to save their email attachments that are to be executed.

    Sending executable content indiscriminantly in email is what has caused this virus/worm problem in the first place. Most of the things that are sent as executables are pretty worthless easter-egg type things anyway.

    They're going to have to figure out that the file is to be executed in some way, with no pretty icon

    You can have iconic file managers under Linux/UNIX. Both KDE and Gnome do so. Nothing stops Linux/UNIX email client from doing an iconic representation of attachments, in fact there are a few that do so.

    (not to mention an extension).

    The extension, or lack thereof is determined by whomever sent the file. Under Linux/UNIX they are just optional, and aren't what determines executability, but there is nothing prohibiting people from adopting a convention for using them.

    They're even going to have to run chmod on the file to get a script to run. These limitations are all perfectly reasonable on a server OS. They obviously make the system considerably more secure. But if you think that Joe and Jane user who use this as a desktop OS at work or at home are going to figure all this out, I think your overly optimistic.

    Given how much problems that Joe and Jane user cause themselves, maybe it is a good thing if they can't figure this out.

    Companies can probably afford a few minor disasters from viruses than losing the productivity they gain from clicking on e-mail attachments and having them do what the sender intended.

    The question is, how much productivity do they really gain from this? Is it really worth all of the problems that this type of virus/worm can cause to get a few little animated toys? How many legitimate executables are sent via this type of 'push' through email that can't as effectively be sent through a 'pull' and just sending the users a link to a place to download from?

    I know this is a huge security hole which requires the user to determine if the attachment is safe based on who they think sent them the message.

    The problem is that user's have a hard time doing that when the virus/worm attacks address books. The message may appear to be from someone that the user knows and trusts if that person's computer is an unwitting host for the virus/worm. Unless you impose some sort of digital signature on attachments which this type of user would probably have just about as much of a hard time with as figuring out how to make files executable, you aren't going to be able to trust any executable attachment, regardless of who it appears to be from.

    The question is how much ease of use you want to trade for security.

    The question is really, how much purported ease of use are you really getting for the unquestioned security you are trading off here?

    I think the solution that many have suggested of showing a dialog box before outlook lets an application send an email is a good place for MS to start.

    That is a start, but is pretty much a band-aid. Viruses/worms will find a way to disable or bypass that if they can run in a Windows 9x environment where there is little to no OS security. Also too many users will just blindly click through warnings like that, especially after the first few times they see them.

    However, it appears they have made some patches to fix some of their security problems, and that sys admin are very lax in applying them.

    Part of the problem is that Microsoft has promoted Windows as 'any idiot can administer it'. So - idiots are administering it. Microsoft hasn't done a very good job of informing and educating their user base, so they are part of the problem. They spend too much time trying to spin-doctor and downplay any problems that happen rather than trying to make sure as many people know about problems and apply patches as possible.

    Hopefully both MS and those sys admins have learned their lessons.

    You are much more optimistic than I. I am not convinced that it will be possible for Microsoft to retrofit security on their existing infrastructure in any kind of short timeframe. I am convinced that anything less than that will not be effective in stopping the virus/worm threat.

  • ...and what happens if they decide that Wordperfect is a security risk, and ban its file types. Or how about html mail with scripting languages that doesn't conform to Microsoft's standards...

    Oh this could be good!
  • My understanding is that certain versions of outlook with certain confiiguations will run the vb script when viewing the email text (either in a sperate window or in the preview pane).

    Note that no one is saying that this happens with all versions and all configuations, so it isn't sufficient to provide one counter-example (i.e. "it didn't auto exceute on my system - so there!").

    Russ published a chart showing outlooks behavior when you open or preview email. Note that in Outlook 98 and Outlook Express, when previewing email, active content is executed if the secutity zone allows. 7&aid=56

    So Outlook will auto execute scripts iff active scripting is allowed by whatever zone Outlook is using.

    Outlook defaults to using the internet zone and I doubt(hope) that active scripting is enabled by default for that zone, but is is likely that many IE users would enable active scripting at some point, since may sites, incluiding MS's IE update, require it.
  • While this is true, and indeed a heterogeneous population is indeed more resistant to infection (biologically and otherwise), at what cost? Like it or not, the current push, fueled in no small part by Microsoft, is to have the same look, feel, and, yes, interface, everywhere.

    There is a downside to the push to try to make everything homogenous. One is that it promotes stagnation. Another is evidenced by what we've been talking about here in that lack of diversity can make a system vulnerable to any small weakness that might be found. We need to find a way to allow options for the same interface everywhere, while also allowing for flexibility for people to do things differently.

    One thing to think about is that we can have a similar enough look and feel and 'interface' to allow users to use different software without necessarily being forced to all use the exact same products. For instance, if I can drive a Ford or a Toyota, I can adjust to driving a Chevy or a Honda or whatever pretty easily. They aren't exactly the same, the controls may look a little different or be placed slightly different, but it isn't going to keep me from driving. By the same token, if I know how to run one GUI, it doesn't take me long to figure out how to use another.

    Having a certain level of diversity in the software community is a good thing. If we had file formats and network formats that were not controlled by vendor interests and fighting, we would be a lot further along here. We could have compatibility to talk to each other without having to be exact clones of each other.

    Look at Netscape - they want the same user experience everywhere. This thought process occurs in progamming as well (look at Java - hey, and C!),

    The direction that C has gone, and hopefully Java will (and probably would have if it weren't for Microsoft's attempts to derail cross-platform Java) is that it is standardized not on individual products, but on a specification that allows interoperability between products from different vendors.

    where if the same interfaces exist in multiple places, it'll be easier to interoperate.

    One of the problems the computer world faces is that we need to promote vendor and platform independant standards where they are possible and make sense, while still allowing innovation (as opposed to Microsoft's 'immovation' (immitation)). We (in the sense of the industry as a whole) should change standards or create new standards when there is a good technical reason for doing so, not for vendor specific marketing reasons.

  • An NT box *IS* C2 in a disconnected configuration. And would probably be considered B2 or better in a configuration where it's powered off, unplugged and locked in a safe...
  • by jabber ( 13196 ) on Tuesday May 16, 2000 @05:22AM (#1069756) Homepage
    As part of its effort to standardize the user interface and functionality of all Microsoft programs, Windows producer Microsoft has proposed the following guidelines. They will make your development strategy consistent with the development strategy at Microsoft.

    1. Start by having your R&D staff search the net and other sources for popular applications until they find one that would look good in a box with the art division's latest logo.

    2. The R&D staff must now completely replicate that product, changing the interface slightly and adding no less than 20,000 extra "features," at least 100 of which must really be bugs that they didn't feel like fixing.

    3. Do NOT, under any circumstances, test the product. This is a waste of time and money. Ship the first beta that arrives on your desk. In fact, don't bother even getting it on your desk. Just ship every build that comes along. Users like upgrades. Besides, you can charge people for bug-fixes cleverly disguised as "service packages". Users love service packages.

    4. Hopefully someone's written a user's manual. In fact, it's probably readable by a normal human being. This is unacceptable; perform a find and replace operation on random English words, replacing them with technical terms and acronyms. Users like acronyms; they add mystery to a product. Never tell what an acronym means; this is unprofessional. You may even wish to make up your own acronyms; again, don't tell what they mean. For every sensible sentence, you lose at least three calls to your $200-per-incident tech support line. Users love calling tech support, especially when there are fifty touch tone menus that all lead to the same two people.

    5. Prepare for shipping. Have your team of 57 lawyers create a prefabricated license agreement. If you do not have 57 lawyers, hire or fire as necessary so that you do have 57 lawyers. Be sure that the license agreement includes a "by opening the box, you agree to this" statement. Then put it inside the box. Users will perceive this as a joke and laugh. Users love involuntarily binding themselves to legal agreements.

    6. Before shipping, invest in shrink wrap. Shrink wrap the manual. Shrink wrap the CD. Shrink wrap each and every floppy disk separately. Shrink wrap the "getting started" card. Shrink wrap the registration card. Shrink wrap the card from your grandmother. Then dump the whole mess in a box and shrink wrap it. Pack several boxes inside a larger brown box with 5,637 non-decomposable foam peanuts (each one shrink wrapped individually, of course). Be sure the foam peanut count is exactly 5,637. Remove or add shrink-wrapped foam peanuts as necessary. Throw in a roll of bubble wrap because of its entertainment value.

    7. Ship the product and move your entire R&D and art staff to the $200-per-incident tech support lines.

  • by Jonny Royale ( 62364 ) on Tuesday May 16, 2000 @05:23AM (#1069759) Homepage Journal
    I'm supprised no one thought of this before...

    Simple re-encode your macro viruses into Word, or Excel or Access or whatever macros, then send that document (with the viruses attached) around...

    If I wasn't in trouble with Microsoft before [], I sure am now!

  • by wrenling ( 99679 ) on Tuesday May 16, 2000 @05:24AM (#1069773)
    .doc & .xls were how most viruses used to get passed -- *cough* back in the 'old' days.

    It took new and improved MS Outlook to allow more fun ways of nuking computer systems.

    The solution isnt to back track, but to figure out how to go forward while sandboxing the current problem so that any code executed in Outlook stays within Outlook.
  • by sammy baby ( 14909 ) on Tuesday May 16, 2000 @05:27AM (#1069779) Journal

    Okay, folks, stop saying "Hey, they took attachments out of Outlook!" Here's what actually happened:

    The MS patch revolves around defining various types of security levels for attachments. At present, they only define two levels. At level 1 (.exe, .com, .vbs, et cetera []), the attachment is deleted. Poof. Gone.

    At level two (just .zip files), opening the attachment shows a warning to the effect of, "Hey, this file, it could be really really bad, so be careful before you open it, okay?"

    Obvious weaknesses:

    1. The .zip file attachment filter is absolutely ludicrous: anyone with a copy of WinZip can also open .arj, .cab, .tar, and .gzip files (and probably a full other types to boot). None of those file types are addressed.
    2. Executable files that you want distributed are nuked. Outta luck.
    3. This patch breaks functionality with a whole bunch of software []. I don't know if this was avoidable (can't make an omlette without breaking some eggs), but it sucks.

    What the release gets right:

    IE does have a pretty nifty security model in that it offers multiple layers of trust for various sites/domains (trusted, "Internet", restricted, custom). Anything sent by e-mail is now assumed to be from the "restricted" zone, unless manually reset. I'd prefer to see a per-user trust level for e-mail, but that can only come with the widespread adoption of an authentication model (like PGP, for example), which I don't see happening yet.

  • by SoftwareJanitor ( 15983 ) on Tuesday May 16, 2000 @05:28AM (#1069786)
    If somebody wrote a program for linux that allowed shell scripts to run when you double-click 'em, do you really think it would be any more secure?

    Slightly, because at least they would only affect one user's files, not system files, libraries, etc. That is unless someone logged in as root were stupid enough to run such an email client. Not nearly as likely. Does that mean that the Linux community doesn't need to keep a watchfull eye out? No. Does that mean I really expect problems similar to the ILOVEYOU virus? Not any time soon.

    But the main reason that this isn't typically a problem is that unlike the MS-DOS/Windows method where executability is determined by file extension, in Linux/UNIX executability is determined by file permissions, which are normally set so the file isn't executable when it is downloaded. While it would certainly be possible for a program to be written for Linux with such a misfeature, I can't imagine that it would ever become popular enough within the Linux/UNIX community to become a target for virus authors. In order for something to become ubiquitous in the Linux community, it will need to be open source. And that will ensure that such a glaring problem will likely get fixed before it gets exploited much.

    Outlook is such an attractive target for virus authors because it not only has its own security holes in addition to the generally lax security of the Windows 9x platform, but it is so ubiquitous that viruses written for it will affect the vast majority of Windows users that come into contact with it.

  • by IntlHarvester ( 11985 ) on Tuesday May 16, 2000 @05:30AM (#1069791) Journal
    NO -- disabling the Scripting Host is an idiotic response dreamed up by dunderheaded MCSEs. It's like disabling Bash or Perl on a Linux box -- it prevents one or two specific things from going wrong, but it also axes a big bunch of functionality.

    The ILOVEYOU worm just happened to be a VB Script. It could have also been recompiled into an EXE with trivial changes. It could have been coded in Perl, Delphi, C++, and so on. There's nothing special about things running in the scripting host.

    The *real* problem is Outlook's automation object model. By providing an API where Exchange data can be scanned and mail can be sent without user interaction, they are setting themselves up for all sorts of worms (or worse, targeted industrial espionage).

    What Microsoft should really include is a dialog box -- "Warning -- a program is trying to automatically send a mail message to! Proceed? Yes/[No]/See Message". This would stop mail worms pretty quickly. Better yet, give the Exchange admins control over whether things like this are even possible on their systems.

    Forcing users to change how they handle executables is a start, but doesn't solve the real problem -- a poorly implemented COM API.

Matter cannot be created or destroyed, nor can it be returned without a receipt.