Microsoft Develops Security-Patch for Outlook

Reemi writes "On Microsoft's Office update-site they write: The Outlook® E-mail Security Update is in development... Since access to certain file attachments in Outlook is restricted by the update, users will need an alternate method for distributing files... For a list of file types impacted by this update, read File Types Impacted by the Outlook 98/2000 E-mail Security Update. It seems Microsoft is setting a new standard: Emails without attachments."
  • We'd probably be no better or worse off with custodians running nuclear plants than with a 'technician' like a Homer Simpson. Seriously, you aren't giving sysadmins enough credit here. Sure, there are lots of MCSE type idiots running around, but there are a lot of highly skilled people working as admins as well. Admins are the people who are ultimately responsible for the security of their networks, who else should be able to control them?

  • It seems to me that this is Microsoft's way of throwing a temper tantrum. It seems that they are saying, "Okay, you want tighter security than Outlook provides? We'll release a patch that makes Outlook so secure that you can't access email attachments at all!"

    It seems that they could've just disabled execution of attachments, yet left a way for those attachments to be saved.
  • 1) Microsoft has never had a clue about security. Why should they? They're a single-user mentality customer playing in a networked arena. The paradigms their programmers grew up with are no longer pertinent. They haven't been since the early 90's.

    2) Who are you going to sue? Microsoft disclaims all responsibility for the design flaws in their programs. Their initial design and their sorry attempt to patch their original flawed design are nothing less than irrefutable proof that what's happening inside Microsoft is malpractice on a huge scale. They don't need to patch Outlook, they need to fix their entire flawed perception of the importance of security. How many more billions of dollars will have to be lost before someone sees this? Certainly Microsoft has no incentive to change. The IT lemmings will keep jumping off the MS Cliff because they don't know any better, and Microsoft will never have to pay for the flaws in their code because the laws are moving toward favoring the corporation, not the consumer.

  • It's Msft's job to SELL LICENSES - period. That's what fills the coffers and keeps stockholders grinning. Market research shows that ease of access to data is more important than security. Putting security into a system turns users off, and thus sales droop. The teeming millions have enough problems just learning Word, without having to jump thru hoops just to get access to their files. Until ppl have enough bad experiences to learn to demand security, it won't be a development priority.
  • I've been preaching the "No Attachment" message to my users for three years now and they still think I'm an idiot ("But how will we share files?").

    That's not a solution. The problem here is the broken windows software design. Microsoft has made a decision in all of its software to make it easier to use at the cost of security. The real solution here is to disable the automatic launching of executable files of any type; to get rid of microsoft word macros, or at least turn them off by default; to make it so the user needs to initiate any action that could be dangerous to the system.

    Solutions like "don't send attachments" or blocking attachments of certain types only provide the user with a false sense of security. What happens when a user gets an email with a link in it that points to "That important document you asked me about"? The user clicks on it thinking 'well it's not an attachment and besides outlook filters out bad stuff so I have to be safe'; word launches, reads and executes the happy go lucky script. The only thing that has changed is how the "virus" spreads. The problem is that the "virus" is still spreading.

    Microsoft and sysadmins in general need to start educating their users and putting some effort into securing things. You can't just hide from a problem and assume everything is ok.


  • If somebody wrote a program for linux that allowed shell scripts to run when you double-click 'em, do you really think it would be any more secure?

    Yes. Because someone would write it so that you had a choice of options. View the attachment, file the attachment, save the attachment to disk, execute the attachment. The broken, brain-damaged Microsoft way is there is only one way to "Open" a file and that is to open it with the program that is associated with that file extension. There are at least three instances of brokenness and/or brain-damage in the preceding sentence. One of those is that MS uses extensions to associate files with applications, but Office applications use file contents to determine file types. You can save a Word document with a startup macro with a .rtf extension and MS Word will open the file and execute the Macro. The user has no means to determine if the file has what its extension says it has.

    I have to use Microsoft products at work, but I don't have to like it.

    Anomalous: inconsistent with or deviating from what is usual, normal, or expected
  • by Booker ( 6173 ) on Tuesday May 16, 2000 @04:03AM (#1069486) Homepage
    And it only took an estimated 10 billion dollars worth of damage worldwide before they did something about the security problems... whoo! :)

    ---
  • according to the BBC the fix is only for Outlook and there will not be a fix for outlook express, where the majority of the clueless lie. seems to be a bit of a waste of time
  • by Anonymous Coward on Tuesday May 16, 2000 @04:04AM (#1069489)
    I am a Microsoft Lawyer. Sorry for the AC I couldn't figure out how to log in.

    We suggest you take this story down as you quote words directly off our web page.

    If not we will crush you.

    Thank you.
    Micro$oft Lawyer.

  • Frankly I feel it's an over-reaction on their part totally disabling those file attachment types.

    Yes, but it's a bug in Outlook that it determines the file type from the extension anyway. Outlook completely ignores the MIME type of attachments, and guesses what they are from the extension. This makes sending a GIF called "image.vbs" non-trivial to someone using Outlook. Similarly, this means I could rename the love letter worm VBS file and call it "image.gif", and Windows would think it's an image. Of course, this means that it won't be run automatically by double clicking on it. Or will it? If your image viewer can execute VB scripts, then you're just as vulnerable. Can IE run VB scripts (it's configured as the default image viewer on many Windows systems)? Sigh.

  • The whole thing stems from one fundamental confusion: failing to distinguish between _viewing_ a file, and _executing_ the instructions in that file. If filetypes like VBS macros had two separate commands for these, with the default being 'view', then worms like this could not spread.

    I always thought it was really stupid how the menu in Program Manager said 'Open' instead of 'Run'. Now Microsoft's decision to blur the lines between the two is coming back to haunt them.
  • by pigpogm ( 70382 ) <michael@pigpog.com> on Tuesday May 16, 2000 @04:05AM (#1069496) Homepage
    Quick! The second horse has gone!

    Close and lock the barn doors, and shoot all the other horses!
  • Java can definitely be a risk. It's weird (as someone else noted) that pretty well all the file types that M$ is limiting are their own products.

    If I send you a malicious Java *application*, it can do all kinds of stuff - probably just as well as the VBScript program can (but it would be harder to write, IMHO).

    It's a Java *applet* (e.g., run via your friendly Web browser) that's quite limited in what it can do via the sandbox concept. So, Java would not be good as a virus that ran as an applet through your browser, but would work just fine as a virus Java application you ran through your native Java virtual machine (JVM).

    The difference is that most people only have a JVM in their Web browser, so they couldn't run a Java application anyway. If Sun has their way, everyone soon will have a JVM....if M$ has their way, maybe we won't. Someone correct me if I'm wrong - I don't think there's any sort of JVM shipping with Windows 98 or 2000, you need to get and install one separately.

  • No, I still wouldn't be happy with Windows even if they did that. There is a lot more wrong with Windows. Those things would be a small start in the right direction, but the inherent architecture of Windows (yes, even NT and 2000) is poor, and you can't easily retrofit that.

  • Viruses aren't spread by people you don't know anymore, they're spread by your stupid, clueless friends and family!

    Very true, and a really good point. However, don't make the assumption that my loved ones would go into my "trusted user" list. My network admins, co-sysadmins, and a few other technical professionals I know might make that list. My mother? No way.

    (That's not to say that somebody's mother isn't going to make that list. Just not mine.)

  • Am I the only one who feels insulted by the Big All Knowing Corporation keeping me from doing what I want for "my own good"?

    Damn.
  • As a matter of fact, here's a better way than that...
    Encode your viruses into HTML documents. Then, ship the documents to whomever. When they open the document, since it's running locally, should allow all scripts to run...automatically.
  • I would appreciate everyone's opinion on another solution I suggested. This might still make it into a product (not outlook) so if you can see a flaw in it, please tell me.

    When a file is received as an attachment that matches the "executable" mask (that is, has the extension exe, vbs, bat, etc) the file is renamed by the addition of a ".unsafe" extension, thereby becoming file.exe.unsafe for example. This preserves the integrity of the file but makes it non-executable until the user explicitly renames it back to the executable extension.

    Problems I have considered:
    1) somebody might predict this and register the ".unsafe" extension to an executable. Could be solved by using a random string. This also implies prior infections, so they're already screwed.

    2) most users have "hide extensions" turned on. While they would still see the unregistered ".unsafe", they might not comprehend the significance and require education before they can use their executable attachments. My feeling is that this is a good thing.

    Can anyone show me a truly important flaw in this suggestion? I would like to push it internally but I am uncertain of its worth.

    -konstant
    Yes! We are all individuals! I'm not!
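The rename scheme konstant proposes above, sketched as an added example (not part of the original thread and not code from any mail product). The function names, the extensions in the mask beyond exe, vbs and bat, and the sample message are assumptions constructed for illustration; the decision keys on the file extension rather than the declared MIME type, because the extension is what the thread says Windows dispatches on.

```python
import re
import secrets
from email import message_from_string, policy

# "exe", "vbs" and "bat" are the extensions named in the post; the rest of
# this mask is an assumption for the example, not Microsoft's published list.
EXECUTABLE_EXTS = {"exe", "vbs", "bat", "com", "cmd", "js", "pif", "scr"}


def base_name(filename):
    """Drop any directory part and the trailing dots/spaces Windows ignores."""
    leaf = re.split(r"[\\/]", filename)[-1]
    return leaf.rstrip(". ")


def is_executable(filename):
    """True when the final extension (the one the shell acts on) is in the mask."""
    _, dot, ext = base_name(filename).rpartition(".")
    return bool(dot) and ext.lower() in EXECUTABLE_EXTS


def stored_name(filename, token):
    """Name to save under: content untouched, extension made unregistered.

    The token is the random string from point 1 of the post, so nobody can
    pre-register the suffix as an executable type.
    """
    leaf = base_name(filename)
    if is_executable(leaf):
        return f"{leaf}.unsafe-{token}"
    return leaf


def plan_attachments(raw_message, token=None):
    """Return (original name, declared MIME type, stored name) per attachment."""
    token = token or secrets.token_hex(4)  # in practice: generated once per install
    msg = message_from_string(raw_message, policy=policy.default)
    plan = []
    for part in msg.walk():  # walk() also reaches attachments in nested multiparts
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        plan.append((name, part.get_content_type(), stored_name(name, token)))
    return plan


# Constructed sample message: a script declared as image/gif, an upper-case
# double extension, and a harmless text file.
SAMPLE = """\
From: alice@example.com
To: bob@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: image/gif
Content-Disposition: attachment; filename="image.vbs"

placeholder
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="notes.TXT.BAT"

placeholder
--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="minutes.txt"

placeholder
--b1--
"""

if __name__ == "__main__":
    for original, declared, stored in plan_attachments(SAMPLE):
        print(f"{original!r} ({declared}) -> {stored!r}")
```

The scheme only changes how the saved file is dispatched by extension; it does nothing for documents whose application decides by content, which is the macro case raised elsewhere in the thread.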
  • So can Excel and Powerpoint and any other document that lets you include ActiveX (Formerly OLE) objects. Maybe they didn't exclude them because 99% of the documents attached to E-Mail in the Outlook-using business community are Word or Excel documents. Funny their own browser (IE) gets "features" broken by this update such as "Send page as link" which sends a .URL attachment to a person. ~GoRK
  • MS says that from now on the user will get asked if it's ok to access the address book. Will this be via pop-up window, or some other method? I'm going to assume that it's a pop-up window.

    The vulnerability is from VBA, now if someone is able to write a VBA app which can scan your address book why wouldn't this app be able to select the "OK" button when windows asks the user if it's ok to access the addressbook?

    What if they password protect it? The target audience for windows HATES security, because it's a hassle. They'd have to actually remember their passwords! So if they do password protect it do you think that they'd add a "save my password" checkbox to the prompt? If they do we fall back into the VBA vulnerability.

    Get eudora and forget about outlook.

    LK
  • by ch-chuck ( 9622 ) on Tuesday May 16, 2000 @05:42AM (#1069517) Homepage
    "I explained how just making the switch would yield very little benefit while misleading folks into thinking they were more secure"

    I guess we're really getting into the twilight zone now - actually, making ppl feel secure and confident in a product is a great marketing strategy - they used to teach us that at one big old-iron firm I worked for, that "consumer confidence" is key. A customer's 'mental image' of a company/product is much more important than the actual quality/security of the product, which is often beyond their ken anyway, the sales is there to keep the 'warm fuzzies' going and the payments coming. Msft can get away with all this as long as they have the public trust and someone else to blame it on (hackers, inept McSE's, etc etc etc). It's amazing how much all of this is a smoke&mirrors, Wizard of OZ, managed media public relations image projection game.
  • by FFFish ( 7567 ) on Tuesday May 16, 2000 @05:43AM (#1069518) Homepage
    Write an educational virus. It wouldn't have a destructive payload ('cept for worming itself through address book). But it sure would *pretend* to be doing nasty things. Scare the bejeezus outta the idiots who doubleclick it. Bright lights, beeps, shit like that.

    And then pop up a message saying it *COULD* have nuked their system, but didn't, and that maybe they should finally learn their lesson: don't open attachments!

    (Yes, literally: "DON'T OPEN ATTACHMENTS!" Those sorts of dolts are better off never opening them than having to choose which ones to open...)

    --
  • "No, in the case of ILOVEYOU, this would have stopped the spread of the virus pretty quickly. Imagine if a user had to push "Yes" for each of the several hundred mail messages he/she was sending out. And MAPI.DLL should have similar protection."

    I think on most ISP's, "mail", when looked up, gives the address of the mail server, where mail can be sent directly by SMTP.

    Alternatively, in Windows, a virus could stay search (like netstat can) for connections to servers with "mail" in their names, assume they are mail servers, and try to send via SMTP through them. Although, this may not work with MSEXCH servers on corporate LANs.

    --
  • Your points are valid up to a point. Recreating user files is worse than system files. Recreating every user's files is worse than just a single user's files though, which is what you get when there isn't effective multi-user security. With Windows you probably have to fix user files, system files, registry files, etc.

    The other problem is that unrestricted access to system files makes what a virus can do more dangerous, because it can infect itself into lots of other things. Thankfully, few viruses so far have been really insidious and sophisticated enough to pervasively infect a system and slowly (or at least delayed) start to do things. Think how much more damage these viruses might have done had they only slightly propagated themselves at first so they weren't noticed as quickly, but thoroughly infected the systems, so that at some later point they could go full bore once they had been spread all over the place? Doing this effectively would require that a virus/worm be able to infect system files and not just user files.

  • This is the problem:

    I can't imagine that it would ever become popular enough within the Linux/UNIX community

    The Linux/UNIX community is changing, just as the internet community changed in the early nineties. In one breath someone here says, "We need to make Linux easier to use and spread its acceptance." and in the next you hear, "I don't want to deal with people who can't use a computer, stay off Linux and use Windows!" In the next breath you hear about a static "Linux/UNIX community" which would never let a program in which would have as many problems as outlook.

    Well, the "Linux/UNIX community" is dynamic, very dynamic. You can't read the newsgroups without seeing how many 'newbies' are trying out Linux, and how many others are trying to get Linux/UNIX into homes of windows users.

    I'm not discounting SoftwareJanitor, there is a lot of truth in that posting, but I know that the blanket statement "it would [never] become popular enough within the Linux/UNIX community..." is not accurate, since the Linux/UNIX community won't be the same tomorrow as it is today and everyone here seems to want it to be different.

    If one wants to advocate an operating system then one needs to help people understand that you just need to be a computer user to use it, you don't need to join some sort of community or exclusive club. The more you talk about 'the community', the more you alienate those who don't understand that it's not exclusive.

    -Adam

  • and this patch will make it more diff to sync your palm w/ outlook [pdabuzz.com]. this is IMHO just part of the plan to make ppl dislike the palm.

    nmarshall
    #include "standard_disclaimer.h"
    R.U. SIRIUS: THE ONLY POSSIBLE RESPONSE
  • Simply re-encode your macro viruses into Word, or Excel or Access or whatever macros, then send that document (with the viruses attached) around...

    VBA macro viruses cannot function until the user has first enabled scripting for their open session of the Office product they are using. When a script attempts to run in an email, two things happen. Firstly Outlook prompts the user, telling them that the mail contains script and asking whether they want to run it. Secondly, if you have not run any script prior to the email in your open session, Outlook prompts you whether you would like to run macro scripts.

    Try it at home. Your idea has been covered by Outlook for a long time, however weakly.

    -konstant
    Yes! We are all individuals! I'm not!
  • For frustrated system admins, this is what my college instructors used to call a "teachable moment." Now is probably the ideal time to bring up strategic software issues with your CIO to avoid this kind of trouble in the future. Here are a few lessons that we may have the opportunity to pass along:

    For starters, just because you run NT or 9x, and your staff likes using Word, don't always assume that the Micros~1 solution is the best one, or even the best-integrated. Nearly all third-party apps are designed specifically to be happy in the M$ biosphere. For your environment, you might be better off tracking your software inventory with Tangram Asset Insight instead of SMS. Maybe your HR database should be running on Peoplesoft or Oracle instead of MS-SQL. Maybe not... but each technology decision should be considered on the merits of the tech, rather than just saying "we are a Microsoft shop."

    When you use MS products (or any software), don't always take the "biggest d*ck" approach. Outlook Express might serve your needs better than Outlook. The hot new service pack might not be ready for prime time. Keep in mind that you probably have a lot of 2 year-old systems in your office that you are trying to squeeze a little more life out of. What works on your brand new test-lab box might break in the real world.

    MCSE grunts might be easy to find and recruit, but even the most die-hard M$ fan would rather learn how to use the right tool for the job, and one person with the right tech is better than three people trying to fix junk. Don't give up on superior solutions out of fear that you can't find "qualified" staff. I bet your SQL guru would love to be sent to Oracle DBA classes... in fact, you might actually retain him/her for a couple more years if you show that you are committed to expanding the skills of your employees.

    Most of your staff is probably made up of geeks and hackers who know a lot about security. Don't take their recommendations lightly.

  • Your posting doesn't seem to be as incompatible with what I was saying as you seem to think it is.

    The mere fact that the Linux community is varied, is changing, and is incredibly dynamic is exactly what will probably insure that no single email client ever becomes as ubiquitous in the Linux world as Outlook is in the Windows world. There are very few software packages other than the kernel itself that are truly universally accepted, let alone something as high-level as an email client.

    The Windows world is different, because it is a monoculture dominated by a single vendor which has an amazing ability to control what software gets bundled with machines. No single entity in the Linux world has that kind of power. Not Red Hat, not Mandrake not SuSE, not Caldera, not Corel, nobody. The fact that there are many different distributions out there insures that there will be diversity in what packages will be used. The fact that it will probably be a long time (if ever) before the KDE/Gnome split is unified likely insures that no single GUI email package will ever become dominant on Linux the way that Outlook is on Windows.

    And as I said before, the thing that will really make sure that something with inherent security problems never gets pervasively deployed is that in order for something to be widely accepted in the Linux world it must be open source, which means problems such as these get dealt with quickly.

    As for talking about 'the community', that means something different here on Slashdot than it does if I am talking to someone in a different forum. You are reading something into my words that isn't there if you think I use that terminology to be divisive rather than inclusive.

  • One way of preventing these problems is to require all executable programs/scripts to be digitally signed by the vendor or a local administrator or security officer. I've read about some old operating systems that made the creation of executable files a privileged operation. The compiler had the privilege of creating an executable file. It enforced security policy by treating certain actions in the source code as fatal compilation errors. This allowed an insecure operating system to be protected from the programs of unprivileged users. A problem is that you can't use languages like C that allow the programmer to dynamically generate and execute code.
  • by konstant ( 63560 ) on Tuesday May 16, 2000 @05:52AM (#1069535)
    All they needed to do was change it so that it would save it out, and then the user would be able to launch it if they needed to after finding it

    Microsoft *did* make precisely that change after Melissa. That was also released as a patch. In fact, the complaint in the Outlook group was that nobody had downloaded that patch and consequently had lower security than Outlook actually provided.

    When it comes to security patching, you can lead a horse to water, but without "push" or software as a service you can't make him drink.

    Ok, that's enough mixing of metaphors for one day.

    -konstant
    Yes! We are all individuals! I'm not!
  • It will still prevent the macro viruses spreading on computers that don't have MS Office -- this last one hit both Outlook and Outlook Express address books, and was written in a scripting language run by MS Windows Scripting host, which all computers with MS IE4 and above have. See, less people have Office than WSH, so if you take away the ability with WSH, then it's harder to spread.

    --
  • There's an analogy here somewhere:


    The Titanic might not have hit an iceberg if the captain had not gone full steam through Iceberg Alley.
    Even if it did it would not have suffered such a large gash if there was better quality control on the hull rivets.
    Even so it might not have taken on water if it had double-hull construction (available at the time but considered too expensive and bulky).
    Even so it might have only flooded one or two compartments if the bulkheads had extended well above water level (this was considered too much of an inconvenience for passengers moving around the ship).
    Even if the ship still sank the loss of life would have been less terrible if there were enough lifeboats and the crew was trained to deploy them.


    So who's to blame?
    The newspapers of the time initially blamed the captain for speeding.
    The other problems came out during the inquiry and recent expeditions to the wreck.
    The companies that built and operated Titanic were liable and had to pay damages.
    The industry was more safety conscious after that - for a while.

  • From the article:

    This update limits certain functionality in Outlook to provide a higher level of security; it was not created to address a security vulnerability within Outlook.

    So, basically, allowing any arbitrary VBS script to execute without prompting the user isn't a security vulnerability. What is it, a ''feature''?

    Okay, then, providing a higher level of security *doesn't* address a security vulnerability. So, basically, this sentence says:

    This update limits certain functionality in Outlook to provide a higher level of security even though Outlook does not have the security vulnerability that this update addresses; it was not created to address a security vulnerability within Outlook because Outlook doesn't have the security vulnerability that this update very specifically addresses.

    In other words, Outlook is 100% secure, but this update makes Outlook more secure. I guess this is the new M$ math....

    --keith

  • I saw something on Freshmeat.net the other day called Outlook2Ical that purports to be able to convert Outlook calendar messages to Ical calendar entries. Might be just what you are looking for.

  • "Restricted Zone" uses the "High" level of security, which leaves "Script ActiveX controls marked safe for scripting" and "Active Scripting" enabled.
    Yikes... You're entirely right. I just checked again, more carefully this time, and I discovered a nasty Outlook bug: When I hit "Default Level" for Restricted Zone, the setting changed to "High". Then I hit "Custom" to see what had changed... but I realize now that it showed me my old settings, not the new "High" settings. Grumble.

    Anyway, I still think it's moot. Barring bugs, it would be impossible to do anything malicious in an email that is being read with those settings. That's the whole point of restricting scripts. And, again, ILOVEYOU would not work as an embedded script using any default security settings.

    kaphka sez: it has nothing to do with the ILOVEYOU virus, which would run just as well under Pine (assuming you're running Pine on a Windows machine.)

    Hm. How would it propagate itself?
    Technically I said it would run just as well under Pine. :-) But it could still propagate, if the user has any email addresses in their Windows address book (or whatever they call it.)

    Sure, that's an outlandish scenario. But it still has nothing to do with Outlook. ILOVEYOU could easily be rewritten to pull addresses from Netscape's address book, or Eudora's, or Pine for Windows', etc. Outlook is only targeted because it's so common.
  • by istartedi ( 132515 ) on Tuesday May 16, 2000 @04:07AM (#1069580) Journal

    E-mail without attachments? I don't think so. It said *certain* file types. If somebody wrote a program for linux that allowed shell scripts to run when you double-click 'em, do you really think it would be any more secure?

    MS e-mail has been insecure because it has been customary to allow users to easily open attachments of any type. Period. Not because MS mail programs are poorly written or anything of that nature.

    Now some people have abused that privilege, and users have not understood it. So the only real solution is to place some restrictions on it. I use MS mail programs and have never had any security problems. I never open attachments from strangers either!

    Also, this is really not a bad turn-around time for a patch. Admittedly, it is longer than the turn-arounds for most open source bugfixes, but not by a ridiculous amount of time, especially when you consider that the security hole is entirely fixable via user education anyway.

  • Executability isn't an issue. It still comes down to how braindead your mail client is. Let's say a company called Macrosoft made this unix email reader called Inlook, and by default it was configured to execute ".pl" attachments under perl if you double clicked on them. Let's say this particular perl program would sit around and watch your mailqueue to grab addresses, and send itself off to all those addresses. The same type of spreading would be accomplished. This would be possible if as many dumb people used linux as windows, and if as many people used Inlook as Outlook.

    In other words, spreading of the email is primarily a user and a client issue, not an OS one. The consequences on the system where the worm is run is an OS issue.

  • by Maryck ( 84 )
    It's interesting that they do not include .doc files in the list even though courtesy of VBA, those files can also execute malicious code.
  • Great, I'm sick and tired of downloading all those anothersillything.mpg attachments. Attachments are evil, we need a standard way of ftp-ing the attachments to a server and then just posting the url!
    J.
  • It doesn't surprise me that a company that can't write GOOD code to protect against attachment viruses would hire lawyers that can't figure out how to type in a username and password.
  • So you'd be happy with Windows if it let you set security on key files and deny the execute permission to people?

    If so, check out NT and 2000.
  • The real problem is much more fundamental than the outlook API. The real problem is the lack of a proper security model. You don't want to have your newly downloaded script to interact with an API that basically lets it do anything it wants. A downloaded executable has access to the full win32 API. Just changing the outlook interface won't help preventing worms since there are other ways to retrieve the list of addresses in the addressbook.

    However, it would be ok if there were some restrictions on what this script would be allowed to do. I.e. a sandbox model would be appropriate for anything opened from an email client or a browser. Anything which is not labeled as trusted should not be trusted to behave well.

    This problem is not unique to windows. Most unix mail clients also leave it to the user what to open. Of course linux mail clients don't have much of an API to script. Apart from that, there's nothing stopping a virus from mailing itself to everyone in the addressbook and removing porn and mp3 on Linux (except the user of course) since it can all be done without requiring root permissions.
  • by ch-chuck ( 9622 ) on Tuesday May 16, 2000 @05:18AM (#1069606) Homepage
    Not when dealing with the teeming masses, it's all emotional appeal, using the proper buzzwords, etc. The 'logic' is this: ppl don't want viri, Msft doesn't want to be broken up, therefore the 'party line' is: breaking up Msft will bring you a plague of viri! No technical linkage required at all, Msft users wouldn't understand it anyway, just simple 'association'. Retroactive damage control. And yes, the EULA *does* exempt them from liability for damages caused by defects in the code - that's why it's such a great biz, you can sell not ready for prime time products out the yin/yang but as long as you can hold a monopoly position and positive market image, you're in fat city.

    What is it, something like 80% of people polled think Msft is 'doing a great job' as it is? Who wants to be a billionaire? Nothing succeeds like success.
  • Grrrr... I think I'm going to have to stop reading Microsoft-related discussions on Slashdot, before I injure myself from banging my head against the wall so much.

    The ILOVEYOU "virus" was a trojan horse. As Microsoft has tried to explain to the public for years now, trojan horses cannot be prevented as long as users run untrusted code on their systems. (I'd be happy to hear any ideas, but I don't think it's possible.) But all the computer pundits kept spreading FUD and demanding a solution, so Microsoft implemented the only solution possible: prevent users from getting access to untrusted code in the first place. Kinda like banning cars because people won't fasten their seatbelts.

    Anyway... Ahem... I was planning to not rant about that, but I ended up going on for quite a bit. What I really wanted to point out was a small factual correction... actually two. First, I don't know how you have your Outlook configured, but by default, "Restricted Zone" does disable all scripting. Second, despite the "press release" quoted, Outlook's current default security zone is "Internet", not "Trusted". ("Internet" is the default zone for browsing web pages.) I don't know if this was a MS typo or your typo. (By "your" I mean the author of the article that Xemu lifted.)

    Changing the security zone defaults is a good idea. But, as few people seem to understand, it has nothing to do with the ILOVEYOU virus, which would run just as well under Pine (assuming you're running Pine on a Windows machine.)
  • yup.. the two are really comparable, they're supposed to do the same thing. yup. really. And MS excel is a way better spreadsheet than oracle.

    //rdj
  • Finally someone who understands the issues enough to stand up to this "It's possible on Linux too" BS.

    This is all about execution based on file extension. This simply wouldn't happen on this scale in Linux. Sure you could write some sort of cool Linux executable that showed some cool jumping frogs that also offloaded a virus payload, but the user would first have to save it to disk, set the execute bit(s) and run it. Then in order for this virus to spread it would have to read people's address book - on Windows this is just a MAPI call, but on Linux you have to check for pine, mutt, kmail, balsa, communicator, LDAP, etc address books. The scale of this problem for replication means that it would just never happen. It would spread to a few hundred people maximum before people would stop and say "what's going on", fire off a post to some bulletin board, and stop the virus in its tracks.

    That's not to say that it will remain this way on Linux - chances are we might all unify to one email application with a standard interface (CORBA) to access the address book. But you still have to overcome the "save, set +x bit, run" problem which just isn't going to go away soon.

  • The *real* problem is Outlook's automation object model. By providing an API where Exchange data can be scanned and mail can be sent without user interaction, they are setting themselves up for all sorts of worms (or worse, targeted industrial espionage).

    I really disagree. Things should be scriptable. There's too many legitimate uses for it. But access should be limited by the process that attempts it.

    If I have a script in my home directory that sends mail, and it's not setuid'ed as anyone else, then the script should be able to do what I can do. It is me.

    On the other hand, if I receive a script as an attachment, and instead of saving it and "chmod"ing it as executable (thereby taking responsibility for what it does), I directly run it from inside the email program, then that process should be launched "su"ed as nobody. Naturally, it shouldn't have access to my address book, just as other users on the system don't have access to my address book. And needless to say, the "nobody" user should not have the ability to send mail or open network connections, among other restrictions.

    The problem with apps like Outlook, Word and Excel is twofold: they treat data as code and they aren't written for a multiuser system. Neither of those things would necessarily be fatal, but the combination is.


    ---
  • push! push! push!

    A quick read of the threads on this article should show anyone the huge flaw that exists in the MS plan. Personally, I would use that as a key point. MS plans to release this update, and they will then just have to answer for another mistake.

    I don't like Windows, etc., but I don't want to see a company with that many good people go down in flames. The employees should really speak up for themselves instead of just accepting upper management's decision.

    Maybe with more smart ideas, like this one, they could eventually gain people's confidence. heh.

  • That was the whole problem in this case. You got email from people you trusted and so you opened it. PGP would have only added to your false sense of security!
  • On the other hand, if you write your virus in Visual Basic with some ASP processing on the server side + MTS + IIS + MS authentication process ripped off Kerberos + rules engine + XML + VRML + Marketing Department == a highly scalable and maintainable by only 120 people macro virus capable of overwriting all your jpg files with pictures of naked and petrified Ms. Portman, a virus with its own market share, very scalable robust and that only takes 10 minutes to execute on a single given client.

    Well, for this kind of virus of the future, the new Outlook security patch will work just fine!
  • by IanO ( 21302 ) on Tuesday May 16, 2000 @04:10AM (#1069619) Homepage
    I've also heard that in the next update they are recommending that we remove any cables connecting our computers to the internet.

    Their final security update will be a patch which automatically powers the computer down before you can boot into Windows... this would be the ultimate in security except that we won't be able to download it because we've already removed all cables connecting us to the internet.

    ------
    IanO
  • The MS patch revolves around defining various types of security levels for attachments. At present, they only define two levels. At level 1 (.exe, .com, .vbs, et cetera), the attachment is deleted. Poof. Gone.

    They aren't gone or deleted. It will not allow the user to run or save them. If you later change your security policy you can save/run them any time you like. The data is always there.

    I think this makes good sense as a default policy for 99% of users. If you can't figure out how to change your policy, you shouldn't be running attachments in the first place.
  • by rcw-work ( 30090 ) on Tuesday May 16, 2000 @04:11AM (#1069627)
    ...Those can contain executable code too, but I guess Microsoft has to defend people's freedom to doubleclick on untrusted Word attachments.

    Microsoft can't get too draconian with the patch, lest people refrain from applying it, in which case they are back to where they started.

    Ahh well. Virus writers will have to get mildly creative again.

  • Why not Perl? It's infinitely better for text manipulation anyways.

    You don't understand GNOME/KDE. I don't think the primary purpose of these projects is to make a good or ideal environment. The primary purpose is to make a reasonably compatible one, in order to infiltrate Microsoft's market. They are doing the best they can, within that constraint. Using Perl would be pointless in that regard, because the area they're trying to infiltrate doesn't already use Perl. It uses VB.


    ---
  • by subsolar2 ( 147428 ) on Tuesday May 16, 2000 @04:11AM (#1069629)
    Frankly I feel it's an over-reaction on their part totally disabling those file attachment types. All they needed to do was disable double-click/click (depending on your settings) launching & execution of those file types.

    All they needed to do was change it so that it would save it out, and then the user would be able to launch it if they needed to after finding it.

    For some users it would stop the viruses since they never would be able to find it once it was on the HD. ;)

    subsolar

  • E-mail without attachments? I don't think so. It said *certain* file types. If somebody wrote a program for linux that allowed shell scripts to run when you double-click 'em, do you really think it would be any more secure?
    MS e-mail has been insecure because it has been customary to allow users to easily open attachments of any type. Period.

    I would expect that most Linux users wouldn't double-click an attached shell-script without at least reading it first, and trying to figure out what it is. That's one of the benefits of Linux being "hard" - people using it tend to be "power users" at a minimum.

    This is something that people developing "easy" distributions of Linux will have to work on and watch out for. If Linux really does become available for the masses, some of those masses will do some pretty stupid things. Imagine a DDOS setup distributed as an e-mail attachment!

    One thing which makes Windows and Outlook particularly vulnerable is the relentless drive by MS to hide anything resembling a technical detail. In the default setup in Windows, file extensions aren't visible. So when the e-mail has an attachment "I Love You.txt.vbs", Windows (and outlook) hide the .vbs extension, and the user sees "I love you.txt". A plain text file is safe, as long as that's what the shell thinks it is. I hope Corel and others look hard at some of the MS Windows defaults, and the potential implications of them. Ease of use doesn't have to compromise security.

  • My point is simply that if we make things "close enough", or if we use

    a specification that allows interoperability between products from different vendors.


    then we're still vulnerable to a virus.

    Possibly, but not necessarily.

    You won't find me to be someone who is saying that viruses/worms are impossible on Linux/UNIX. I do believe they are less likely and less likely to cause as much damage, but I do believe and have been advocating that we make sure to keep vigilant to ensure that they don't happen on Linux/UNIX or are at least dealt with as quickly and permanently as possible if they do. Unlike Microsoft, I don't think the Linux/UNIX world should put its head in the sand or live in denial.

    On the other hand, history has shown that two products which are similar, and conform to many of the same standards may have very different security issues. For example both Netscape Navigator and Microsoft Internet Explorer have somewhat similar user interfaces. If you can use one, you can probably figure the other out pretty easily. They both implement many of the same standard interfaces. HTML, Java, Javascript, etc. However, both have had at least a few security problems (in general, it seems like IE has had far more and far more serious security related bugs), but in most cases, the security problems they have had have not been the same. Exploits which work against one browser don't necessarily work against the other. The same thing is true of many other types of software. I think it is stretching to say that implementing a common interface or API necessarily puts you at the same risk of 'inbreeding' that having everyone rely on the same vendor's products does (as we see now with products like Outlook).

    If it's a close enough interface, then I can probably code something to work with multiple variations.

    Maybe, maybe not. I have little doubt that in many cases it makes it far more difficult to create a single virus/worm which can afflict multiple platforms. It very definitely rules out many sorts of binary coded viruses, as they are generally tied to a specific hardware platform or OS API.

    I'm not advocating homogeneity of implementation (heck, not even MS purports to do that - multiple system elements may expose the same functionality, even though they are implemented in many different ways (e.g. drivers, etc)), but that if we have near identical interfaces, we're still stuck with the problem.

    I'm not saying that there isn't any shred of truth in what you are saying, I just think that you grossly exaggerate the risk that is involved in following open, industry standard interfaces. I think you have a lot more of a point when interfaces are partially secret or totally proprietary, as they are not then exposed to nearly the level of independent review.

  • Executability isn't an issue.

    Yes, it is. It isn't the only issue, but it is still an issue.

    It still comes down to how braindead your mail client is.

    The difference is that an email client on Linux/UNIX would have to go out of its way to be as braindead as Outlook is in this case. Just because a file comes down under Linux/UNIX with a certain extension, it isn't immediately going to be executable as it is under Windows.

    Let's say a company called Macrosoft made this unix email reader called Inlook, and by default it was configured to execute ".pl" attachments under perl if you double clicked on them.

    It would have to intentionally set the execute bits on files based on their extension. That would be an extra effort. If the 'Inlook' email client was open source, something like that would certainly get noticed and fixed quickly. If it wasn't open source, that would seriously limit the number of users who have it on their system, since most of the Linux/UNIX distributions wouldn't include it by default.

    Let's say this particular perl program would sit around and watch your mailqueue to grab addresses, and send itself off to all those addresses. The same type of spreading would be accomplished.

    This is of course true, but this is only a fraction of what the ILOVEYOU virus, for example, does. It also goes out and wonks around with the system registry, and deletes files. These parts would be less likely to cause problems on Linux than on Windows 9x due to permissions.

    This would be possible if as many dumb people used linux as windows,

    That isn't quite true, as Linux/UNIX still has a certain amount more security than Windows 9x, and thus will even to a certain extent protect dumb users from themselves.

    and if as many people used Inlook as Outlook.

    For reasons I've stated before, it is highly unlikely even if Linux/UNIX had the same size user base as Windows that any single email client would ever get the installed base of Outlook.

  • I think the sandboxed environment for executing scripts would be a good move for Microsoft to implement, but would be very difficult for them to retrofit at this time. It is definitely something that any Linux/UNIX email clients should think about doing ahead of time so that they aren't faced with having to try to retrofit later.

    I am not that sure that signing documents will really help that much, as too many users will be too lazy to bother with setting up encryption or to understand how it works.

  • That could be a workable, albeit inconvenient workaround in the Linux world, where it is possible to run programs under different user ids without logging out. I don't think it would be considered an acceptable alternative in the Windows world due to the fact that their ability to deal with simultaneous multiuser sessions is non-existent to awkward.

  • windows will still execute it

    No it won't.

  • it's arguable that the spread of Melissa and ILOVEYOU had nothing to do with security exploits.

    Well, that is a matter of perspective I suppose. One way of looking at it is that both of them rely on the fact that there is little or no security in Windows 9x.

    So, addressing the original poster's comments, just because they've got 4 mail programs on their system doesn't mean they're "safe", if they all have essentially the same API's

    I think that if an API is standard and multivendor, then it, in itself is less likely to be the target for attack because it will be under the scrutiny of a much larger number of eyes. Specific implementations can of course have their own problems, but that is a slightly different issue.

    or similar address book files (perhaps XML), etc.

    The address books, or their access methods are only part of the problem, in that it is only related to the propagation of viruses/worms, not necessarily to their destructive potential. It also doesn't take into account that Melissa/ILOVEYOU also rely on the ease with which code from outside can get executed under Windows. For the problem to be as bad under Linux/UNIX as it is under Windows, all three things would have to come together on a significant number of desktops. As long as the Linux developer community and the distribution vendors are aware of this potential problem, it is not nearly so likely to happen.

  • I usually ZIP everything sent because many mail gateways corrupt the filenames of attachments. Also very nice to make sure your personal love letters reach their targets untouched. /dot
  • This is a press release.

    After some research on My Own Company Ltd. (DAQDAQ: MOCL), these are the best solutions we have found depending on the security grade you prefer (higher number, higher security):

    1. Delete Outlook Express
    2. Don't use email at all
    3. Destroy your Internet connections, and your whole LAN if desired
    4. Destroy your computer and all your electronic equipment
    5. Destroy all your belongings and spend the rest of your life in the Sahara desert, living alone

    This has proven successful in our labs in a controlled environment, so we can almost assure you that following the points above will solve your computer viruses problem, including those that spread by email, forever.
  • Original article [ntbugtraq.com]



    Date: Mon, 15 May 2000 21:07:41 -0400
    Reply-To: Russ
    Sender: Windows NTBugtraq Mailing List
    From: Russ
    Subject: Outlook Email Security Update
    Comments: To: "NTSecurity (E-mail)"
    Content-Type: text/plain; charset="iso-8859-1"

    Today Microsoft announced the "Outlook Email Security Update", scheduled for
    availability from;

    http://officeupdate.microsoft.com

    on May 22nd, 2000.

    I was briefed on this update last week, and during this discussion I
    presented several recommendations. Microsoft have chosen not to implement
    any of them, despite the nearly 10 days available prior to its availability.
    Presumably they still haven't resolved the issues they have getting content
    onto their update sites in a timely fashion.

    Before I go into what is in this update, there are several critical
    incorrect assertions in it. Quoting from the official press release;

    "Heightened Outlook default security settings increase the default Internet
    security zone setting within Outlook from "trusted" to "restricted." The
    restricted zone disables most automatic scripting and ActiveX® Controls
    from opening without the user's permission. Users who prefer less security
    can easily change their Outlook settings to trusted zone."

    I guess the Microsoft Office Product Group has never bothered to read my
    page on how Outlook works and what needs to be done to the Restricted Sites
    Trust Zone for it to be truly safer;

    (http://ntbugtraq.ntadvice.com/outlookviews.asp)

    Of course without the modifications to the default settings of the
    Restricted Sites Trust Zone, Outlook happily runs any Active Scripting, and
    will happily invoke any ActiveX control marked safe for scripting and
    present on your system (ActiveX downloads are disabled.)

    I more than pointed this fact out to the Briefer, one Lisa Gurry from the
    Microsoft Office product group when she presented the functionality to me. I
    told her to either not make the switch to the Restricted Sites Trust Zone,
    or, make the switch and alter the defaults. I explained how just making the
    switch would yield very little benefit while misleading folks into thinking
    they were more secure, especially against scripting worms.

    The fact that ILV was relatively stupid as worms go seems to have been
    missed by many people. A slightly modified version sent as HTML that doesn't
    bother with the address book (who needs it, most people have lots of mail in
    their folders from all sorts of interesting folks to reply to) will likely
    get by these new features since scripting can still be done. The fact that
    "attachments" won't invoke any more isn't likely going "to thwart the spread
    and impact of many computer viruses."

    This presumes, of course, that some 45 million people already realize just
    how stupid they were to click on that attachment in the first place...and
    maybe have told a few friends...;-]

    MS seem incapable of doing what some coder at;

    http://www.slipstick.com/dev/code/zaphtml.htm

    has done with relatively few lines...namely convert inbound HTML-based
    emails to something else (Rich Text) which completely eliminates the
    vulnerabilities of scripting emails.

    Of course they further show their ignorance of the realities of corporate
    email systems by providing this quote;

    "Given the global impact of the I Love You virus and the growing threat of
    malicious hackers, we strongly believe we must take the unprecedented step
    of limiting certain popular functionality in Outlook to provide a
    significant, additional security option for our customers,"

    ...which, of course, has probably triggered thousands of email gateway
    scanners to throw the message back as containing a worm...duh!

    Granted, it's unprecedented to remove functionality in favor of
    security...after a product's been released. This usually occurs during
    development...;-]

    Anyway, to the features in this update;

    1. "Email Attachment Security":

    Attachments won't be put through to users email. That's right, they'll go
    into never-never land. I haven't received an answer to my question as to
    just where they will go. I've been told that a user will somehow,
    miraculously know that there was some sort of attachment on a given piece of
    mail but that it's been stripped in the interest of their security...

    We'll have to tune in next week to find out where those objects get tossed
    to. ISPs may end up with thousands of little (or not-so-little) fragments of
    messages left behind by Outlook POP3 users whose mail simply says "Nope, I
    don't want that thanks"...with no ability for the user to delete it cause
    they can't see it...

    A full list of extensions being excluded is below (which will make even more
    dumb email gateways break as they can't figure out whether the presence of
    the text string "vbs" is a script or not)

    2. "Object Model Guard":

    Well, to be more precise is the "Address Book Guard" really. If Outlook
    detects lookups in your address book (that are somehow distinguishable to an
    invocation of the "Find" command), it, um, pops up a dialog. Not sure what
    the dialog says, but presumably it will be sufficiently verbose to explain
    what might be happening. Haven't seen what the dialog box options are, say,
    for someone trying to script a newsletter or a marketing document. Guess
    lots of folks are going to learn how to use distribution lists (making
    scripting worms easier in future as they just look for distribution lists
    instead of lots of addresses.)

    I should say, however, that this was one of the features I was looking for.
    Would have been nice to know how they're doing that, but...

    3. "Heightened Outlook default security settings":

    I covered this. They ignored my advice, don't know how their products work,
    and then told the world they were doing a good thing(tm)...NOT!

    I *have* to believe we'll see different wording in the final web page...I
    don't think they'd continue to lie so blatantly about their product.

    Get the feeling I'm not going to get briefed again in the future...;-]

    Conclusion:

    MS dropped the ball. I told them to make this thing appear as an interim
    step. It's not a patch, it's Outlook on Training Wheels. I thought it was
    going to be a complete product (i.e. you download it and that's how that
    version works, get the full version to do more harm to yourself). As such,
    it made a lot of sense to have a version that was severely restricted. Put
    users on that till you're satisfied they aren't going to shoot themselves in
    the foot.

    Nope, they gotta tout it as more than that.

    So, bottom line, unless they change the thing before it gets released next
    week, make sure anyone you suggest it to also gets this URL;

    http://ntbugtraq.ntadvice.com/outlookviews.asp

    and turns off scripting and scripting of activeX components marked safe for
    scripting.

    I'm not even going into the fact that Outlook Express isn't being updated.
    Let's get real Microsoft, it's the only email package included in every
    shipping OS you make! Oh, and let's not forget the "It can't be removed on
    Windows 2000!~!@!$!%" Someone on Bugtraq made a funny post about it being a
    virus...come on, we all know it can't replicate itself to another
    machine...that's done automatically at installation of the OS...

    In case you can't tell, I'm not pleased with the press release, or the
    completeness of the update.

    That said, I made another suggestion today that hopefully will get
    implemented. One of the biggest problems that exist with all of this is the
    fact that most people never update their systems with any patches, security
    or otherwise. I've suggested that they put a download counter on the site so
    we'll be able to see just how many people actually get the thing. Doesn't
    say much other than show the realities. MS could put a lot more effort into
    a better update, and it probably still wouldn't be applied by most folks
    (even if they did something so the patch could apply to more of the millions
    of folks the patch isn't intended for, i.e. those that use Outlook Express
    only.)

    For those interested, here's the list of extensions to be blocked by the
    update;

    ADE Microsoft Access Project Extension
    ADP Microsoft Access Project
    ASX Streaming Audio/Video Shortcut
    BAS Visual Basic Class Module
    BAT Batch Files
    CHM Compiled HTML Help File
    CMD Windows NT Command Script
    COM MS-DOS Application
    CPL Control Panel Extension
    CRT Security Certificate
    EXE Application
    HLP Help File
    HTA HTML Applications
    INF Setup Information
    INS Internet Communication Settings
    ISP Internet Communication Settings
    JS Jscript File
    JSE Jscript Encoded Script File
    LNK Shortcut
    MDB Microsoft Access Application
    MDE Microsoft Access MDE Database
    MSC Microsoft Common Console Document
    MSI Windows Installer Package
    MSP Windows Installer Patch
    MST Visual Test Source Files
    PCD Photo CD Image
    PIF Shortcut to MS-DOS Program
    REG Registration Entries
    SCR Screen Saver
    SCT Windows Script Component
    SHS Shell Scrap Object
    URL Internet Shortcut
    VB VBScript File
    VBE VBScript Encoded Script File
    VBS VBScript Script File
    WSC Windows Script Component
    WSF Windows Script File
    WSH Windows Scripting Host Settings File

    Cheers,
    Russ - NTBugtraq Editor
    "dot-age" (as in "we're in the dot-age") = senility (source Webster's)
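
The extension list in the post above, applied to attachment names the way a mail filter would need to apply it (an added example, not part of the original post or of Microsoft's update). It checks the final extension of each decoded attachment filename, so a double extension such as the `I Love You.txt.vbs` mentioned elsewhere in this discussion is caught, while the string "vbs" in a subject or body is not. The function names, the decoy set and the sample message are constructed for illustration.

```python
"""Attachment-name check against the blocked list (added example, constructed data)."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# The 38 extensions from the list quoted in the post, lower-cased.
BLOCKED = frozenset("""
    ade adp asx bas bat chm cmd com cpl crt exe hlp hta inf ins isp js jse lnk
    mdb mde msc msi msp mst pcd pif reg scr sct shs url vb vbe vbs wsc wsf wsh
""".split())

# Assumption: extensions a reader tends to treat as harmless; not from the post.
DECOYS = frozenset({"txt", "doc", "jpg", "gif", "bmp", "mp3", "htm", "html"})


def _leaf(filename):
    """Drop any path the sender supplied and the trailing dots/spaces Win32 ignores."""
    leaf = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return leaf.rstrip(". ")


def final_extension(filename):
    """Return the lower-cased last extension, or '' when there is none."""
    leaf = _leaf(filename)
    return leaf.rsplit(".", 1)[1].lower() if "." in leaf else ""


def looks_disguised(filename):
    """True when a harmless-looking extension sits in front of the real one."""
    parts = _leaf(filename).split(".")
    return len(parts) >= 3 and parts[-2].lower() in DECOYS


def scan(raw):
    """Return one finding per MIME part whose filename ends in a blocked extension."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()  # decoded Content-Disposition/Content-Type name
        if not filename:
            continue  # body text and containers are never matched on their content
        ext = final_extension(filename)
        if ext in BLOCKED:
            findings.append({
                "filename": filename,
                "extension": ext,
                "double_extension": looks_disguised(filename),
            })
    return findings


def build_sample():
    """Constructed test message: the body mentions 'vbs', three parts carry names."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "notes on vbs and exe filtering"
    msg.set_content("This body only talks about .vbs and .exe files.\n")
    for name in ("I Love You.txt.vbs", "report.zip", "SETUP.EXE."):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan(build_sample()):
        print(finding)
```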

  • by cje ( 33931 ) on Tuesday May 16, 2000 @04:13AM (#1069665) Homepage
    Wow! Thanks, Redmond! Word has it that Windows 2000 Service Pack 8 will also have built in invulnerability to the Morris Worm!
  • This is not a troll, just pointing something out.

    Does anyone else find it ironic that almost ALL of the file extensions on the list pertain to Microsoft applications?
  • by AllynKC ( 88909 ) on Tuesday May 16, 2000 @06:33AM (#1069667)
    It is a blatant overreaction, and limiting the attachments doesn't address the underlying security flaws; it only hides them. Prevent executables from running directly from within Outlook, or if they are run, greatly limit their functionality if they are run from within Outlook. For instance, if a script is run externally from Outlook, assume that the user ran it him/herself, and give it access to the Outlook Address book (there are legitimate times when this is useful). If the script is run from within Outlook, then it should be assumed to be insecure and not be given access to the Outlook Address book, and should not be able to modify other files on the system.

    There will be a loud scream of protest from users who download this patch. They will want to be able to send many of these file types via e-mail. MS will, of course, provide an uninstall for their patch, say "I told you so, you really do want the full level of functionality", and then go on happily ignoring security issues, always referring back to this failed attempt as the reason (ie: "we tried implementing greater security, users hated it, so we removed it").
  • *ROTFLMAO* I'm sorry, but there is so much in this document to laugh at. As laughter is good therapy, here's the entire thing potted into a syringe-sized dose:

    THIS BETA...SHOULD BE DEPLOYED ONLY ON MACHINES THAT CAN BE REFORMATTED AFTER TESTING WITHOUT SERIOUS CONCERNS.
    A nice starter - you know you're in Microsoft's hands now!

    This update limits certain functionality in Outlook to provide a higher level of security; it was not created to address a security vulnerability within Outlook.
    Absolutely! Keep telling us there's nothing wrong with Outlook and maybe we'll believe you someday.

    Certain functionality in Office may be impacted by this update.
    What does that mean? Let's follow the link [microsoft.com]
    Palm, Windows CE devices (PDAs) have synchronization issues. These include:
    Syncing with the Inbox displays a prompt and then fails. This is under investigation.

    Ah, that's not a bug, it's 'impacted functionality'. Let me add that to my excuses list.

    Since access to certain file attachments in Outlook is restricted by the update, users will need an alternate method for distributing files...
    Such as elm/pine/Eudora/Netscape Messenger...

    Level 2 security contains only one file type by default: .ZIP files. If a message contains a .ZIP attachment, you are prompted to save the file to disk if you try to open it.
    Ignoring the fact that in Microsoft's world there is only one type of archive - have you noticed how MS deem it okay for you to open it elsewhere, just not near Outlook? What are they trying to hide?
    This update...was not created to address a security vulnerability within Outlook.
    Ah, yes - so you said. And you know what, I almost believe you...
  • windows will still execute it

    No it won't.

    uh ... there is *no* requirement that an executable file image be attached to a program with a .exe extension in any modern version of windows. I can create an executable named foo, and as long as windows detects the correct information in the header, it will execute it. Hell, I *have* done this, regularly. (It also is no longer true that .com files have to be under 64K in size or adhere to the compact memory model ... that was true in win31, but no more).

    Now, it's possible that *outlook* won't invoke it, because a lot of the automagic file invocation stuff happens with checks through the registry to discover what should be used to open a particular file, and outlook might be stupid enough to not know that something not named .exe is actually an executable --- i don't know, as i haven't run outlook more than once or twice. but there's no inherent windows limitation, and hasn't been for years.

    --
    Robert West
    Delphi R&D
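
The comment above says Windows recognises an executable image from its header rather than from its name. As an added example (not part of the comment or of any Microsoft tool), this is how a filter can make the same header check on attachment bytes and flag a name that does not match; the function names, the set of native-image extensions and the stub bytes are constructed for illustration.

```python
"""Header check for Windows executable images (added example, constructed data)."""
import struct

# Assumption: entries from the thread's blocked list that normally hold native images.
PE_NATIVE_EXTS = frozenset({"exe", "scr", "cpl", "com"})
MACHINES = {0x014C: "i386", 0x8664: "amd64"}


def sniff(data):
    """Classify bytes as 'pe', 'dos-mz' (MZ header without PE signature) or 'other'."""
    # A DOS header is 0x40 bytes long and starts with the magic 'MZ'.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "other"
    # e_lfanew at offset 0x3C is the file offset of the 'PE\0\0' signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        return "pe"
    return "dos-mz"


def pe_machine(data):
    """Return the target machine named in the COFF header, or None if not a PE image."""
    if sniff(data) != "pe":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    offset = e_lfanew + 4  # the Machine field directly follows the signature
    if offset + 2 > len(data):
        return None
    (machine,) = struct.unpack_from("<H", data, offset)
    return MACHINES.get(machine, hex(machine))


def name_hides_executable(filename, data):
    """True when the content is a PE image but the name does not say so."""
    leaf = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    ext = leaf.rsplit(".", 1)[1].lower() if "." in leaf else ""
    return sniff(data) == "pe" and ext not in PE_NATIVE_EXTS


def make_stub(machine=0x014C):
    """Constructed header-only bytes: enough for the checks above, not a program."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    return bytes(dos) + b"PE\0\0" + struct.pack("<HH", machine, 0)


if __name__ == "__main__":
    stub = make_stub()
    for name in ("foo", "holiday.jpg", "setup.exe"):
        print(name, sniff(stub), pe_machine(stub), name_hides_executable(name, stub))
```

The header check complements an extension list rather than replacing it: script types such as .vbs are plain text and carry no such header.
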
  • In Outlook:

    - Right click on the attachment
    - Choose edit (opens in Notepad)
    - Choose save, then open in your favourite text editor.

    Not too hard...
  • How does removing executable attachments hurt the little guy any more than it hurts the big guy?
  • Because at least they would only affect one user's files, not system files, libraries, etc.

    Does that mean I really expect problems similar to the ILOVEYOU virus? Not any time soon.

    What about the ILOVEYOU virus requires root? It needs to read your address book, send e-mail, and replace personal documents (.jpg and .mp3 files). Doesn't sound to me like system file modification is necessary...

  • That's not ironic, that's the point. The extensions on the list are those that are part of Windows or that belong to MS applications. There are plenty of other applications that could also be dangerous -- if you install Perl, for instance, .pl files are just as dangerous as .vbs files -- but Microsoft is letting the vendors of those products add extensions to the banned list themselves. (Disallowing files belonging to other companies could be seen as anticompetitive.)
  • Just to add one thing. ZIP is not on the list. For years I've been telling people to ZIP things anyway, and if you really need to send an EXE as an attachment you can still ZIP it. The user will have to intentionally unZIP it, which will make them think before running it.

  • the ease of access to the address book

    cat ~/.addressbook

    the various gaping holes allowing access

    ILOVEYOU exploited no gaping OS holes that I'm aware of.

    the general problems of macro scripts

    #!/usr/bin/perl
    print "Looks like a macro script to me!";

  • Outlook does this as well, but that's not the problem. Few people actually have macros in Outlook, but if they do, by default they'll see a message box saying "This outlook session contains macros..." yadda yadda.
    The problem is not outlook's internal VBA macros, but external programs being able to automate outlook so easily, due to its exposed object model which WSH/VBScript (among others) has easy access to with no regard for security.
  • Statements such as this:

    "Conclusion:

    MS dropped the ball. I told them to make this thing appear as an interim step. "


    ... make "Russ" seem as arrogant as fuck.

    Sure, he might be qualified to scrutinize MS' security (hell, it doesn't take much to be in a position where you can poke strong technical holes in MS' security, sheesh), and he may very well have some good points to make, but coming off like "I told them so, but they didn't listen" is really just fundamental geek arrogance at its finest.

    The *viewpoint* may be perfectly valid, but the arrogant header containing the packet is going to cause this message to bounce off corporate-mindset firewalls all over the place.

    Who the hell does he think he is? The Great God of Microsoft, directing his minions? I thought that position was already filled.

    With all due respect, I do *not* know this Russ person at all, and may be treading on a few toes, but since I don't know him, his viewpoint wrapped in arrogance is an unfortunate first intro. (I'm sure he's a technically competent individual, though.)

    This is a perfect example for how *not* to communicate to an industry/public about technology. Better would be to just state the facts, and leave the blame out of the equation - it'll carry better in mainstream media, because media types detest geek arrogance, especially when it involves Microsoft...
  • GNOME's VB-compatible scripting host is sandboxed; scripts can't touch anything outside their sandbox.
  • DON'T RUN EMBEDDED PROGRAMS AUTOMATICALLY
    Outlook does not run embedded programs automatically.

    *thud*

    Outlook does not run embedded programs automatically.

    *thud*

    Outlook does not run embedded programs automatically.

    *thud*

    I know I take this too personally, but the rampant ignorance about this issue, among such otherwise intelligent folks, is really depressing.

    To clarify: The ILOVEYOU trojan exists as an inert attachment. It will not run when you read the email; it will only run if you then launch the executable attachment. Yes, there are ways to run safe code automatically in Outlook, and yes, there have been bugs that allow you to run unsafe code automatically in Outlook, but none of that is involved here.
  • by tjwhaynes ( 114792 ) on Tuesday May 16, 2000 @04:17AM (#1069715)

    Amazing. MS chooses to remove all access to the attachments. Not just stop them running, but actually stop them being saved out to disk. That's going to really impress the user who receives the Kerberos document in EXE form :-)

    Cheers,

    Toby Haynes

  • The su to nobody fails because nobody's password is typically *'d out in /etc/shadow. That doesn't necessarily mean that the suid ownership of a mail client can't be set to nobody, although that would effectively present a challenge to find a secure way to read a user's mailbox. Not saying it can't be done though.

    It is also not true that 'only root can change their user id'. Only root can do so without knowing what the password is. I often log in as one user and su to another without ever being root, so I know that is possible. If the user id's password is starred out, then only root can su to that user id.

  • One of the main things the ILOVEYOU virus does is wonk around with the registry. Under Linux/UNIX the equivalent would be messing around with files in /etc for example. It could still be destructive to a single user without doing that, but one of the things it was trying to do with the registry hacks was to try to sniff passwords, which could be used to compromise a lot more things.

  • The problem with Wizard of OZ marketing is that Toto could pull back the curtain. If MS makes all of these security changes and two weeks later the "Open this attatchment and Old Navy will send you 6 dollars.vbs" worm does 10 times as much damage as ILV, they're screwed. Every middle manager in the country will say, "That MS rep promised us this new Outlook was secure, but it obviously isn't." Next time MS promises something, like all NEW Kerberos extensions, maybe nobody will trust them. We can always hope.

    -B
  • MS OUTLOOK:
    An external application is trying to access e-mail addresses you have stored in Outlook. Do you want to allow this?
    Allow access for: 1min, 2min, 5min, 10 min

    This is so dumb! I am sure that this time restriction is a potential security problem.

    You either allow the executing application to read the addresses until the app. is terminated, or you disallow it, but you don't allow some app. to do something for 1 or 2 or 5 or 10 minutes. This makes no sense. If I wrote a virus, would I make this virus wait for 10 minutes before it did some damage or spread around? No. The virus would do its business in the very beginning and it usually does not take a minute for the virus to execute.

    Micro soft must be some kind of a brain disorder
  • damn, you seem to have spotted the flaw in my logic.. ;)

    //rdj
  • Instead of actually increasing the security of their mailer and stopping the ease of access to the address book, the various gaping holes allowing access to the O/S and the general problems of macro scripts, they block access to certain filetypes.

    This won't actually stop the problems that Outlook has or causes, but it will slow it down a little. Now people will save them off to their disks and run the programs from there allowing more access to Back Orifice, and a .BAT containing "Deltree /y c:\"

    This is typical of what happens when a corporation becomes stale.

    Good riddance I say. The more people are scared away from Microsoft the better.
  • So when LINUX becomes a common desktop OS users are going to have to save their email attachments that are to be executed.

    Sending executable content indiscriminately in email is what has caused this virus/worm problem in the first place. Most of the things that are sent as executables are pretty worthless easter-egg type things anyway.

    They're going to have to figure out that the file is to be executed in some way, with no pretty icon

    You can have iconic file managers under Linux/UNIX. Both KDE and Gnome do so. Nothing stops Linux/UNIX email client from doing an iconic representation of attachments, in fact there are a few that do so.

    (not to mention an extension).

    The extension, or lack thereof is determined by whomever sent the file. Under Linux/UNIX they are just optional, and aren't what determines executability, but there is nothing prohibiting people from adopting a convention for using them.

    They're even going to have to run chmod on the file to get a script to run. These limitations are all perfectly reasonable on a server OS. They obviously make the system considerably more secure. But if you think that Joe and Jane user who use this as a desktop OS at work or at home are going to figure all this out, I think you're overly optimistic.

    Given how much problems that Joe and Jane user cause themselves, maybe it is a good thing if they can't figure this out.

    Companies can probably afford a few minor disasters from viruses than losing the productivity they gain from clicking on e-mail attachments and having them do what the sender intended.

    The question is, how much productivity do they really gain from this? Is it really worth all of the problems that this type of virus/worm can cause to get a few little animated toys? How many legitimate executables are sent via this type of 'push' through email that can't as effectively be sent through a 'pull' and just sending the users a link to a place to download from?

    I know this is a huge security hole which requires the user to determine if the attachment is safe based on who they think sent them the message.

    The problem is that users have a hard time doing that when the virus/worm attacks address books. The message may appear to be from someone that the user knows and trusts if that person's computer is an unwitting host for the virus/worm. Unless you impose some sort of digital signature on attachments which this type of user would probably have just about as much of a hard time with as figuring out how to make files executable, you aren't going to be able to trust any executable attachment, regardless of who it appears to be from.

    The question is how much ease of use you want to trade for security.

    The question is really, how much purported ease of use are you really getting for the unquestioned security you are trading off here?

    I think the solution that many have suggested of showing a dialog box before outlook lets an application send an email is a good place for MS to start.

    That is a start, but is pretty much a band-aid. Viruses/worms will find a way to disable or bypass that if they can run in a Windows 9x environment where there is little to no OS security. Also too many users will just blindly click through warnings like that, especially after the first few times they see them.

    However, it appears they have made some patches to fix some of their security problems, and that sys admin are very lax in applying them.

    Part of the problem is that Microsoft has promoted Windows as 'any idiot can administer it'. So - idiots are administering it. Microsoft hasn't done a very good job of informing and educating their user base, so they are part of the problem. They spend too much time trying to spin-doctor and downplay any problems that happen rather than trying to make sure as many people know about problems and apply patches as possible.

    Hopefully both MS and those sys admins have learned their lessons.

    You are much more optimistic than I. I am not convinced that it will be possible for Microsoft to retrofit security on their existing infrastructure in any kind of short timeframe. I am convinced that anything less than that will not be effective in stopping the virus/worm threat.

  • ...and what happens if they decide that Wordperfect is a security risk, and ban its file types. Or how about html mail with scripting languages that doesn't conform to Microsoft's standards...

    Oh this could be good!
  • My understanding is that certain versions of Outlook with certain configurations will run the VB script when viewing the email text (either in a separate window or in the preview pane).

    Note that no one is saying that this happens with all versions and all configurations, so it isn't sufficient to provide one counter-example (i.e. "it didn't auto execute on my system - so there!").

    Russ published a chart showing Outlook's behavior when you open or preview email. Note that in Outlook 98 and Outlook Express, when previewing email, active content is executed if the security zone allows.
    http://www.ntbugtraq.com/default.asp?sid=1&pid=4 7&aid=56

    So Outlook will auto execute scripts iff active scripting is allowed by whatever zone Outlook is using.

    Outlook defaults to using the internet zone and I doubt(hope) that active scripting is enabled by default for that zone, but it is likely that many IE users would enable active scripting at some point, since many sites, including MS's IE update, require it.
  • While this is true, and indeed a heterogeneous population is indeed more resistant to infection (biologically and otherwise), at what cost? Like it or not, the current push, fueled in no small part by Microsoft, is to have the same look, feel, and, yes, interface, everywhere.

    There is a downside to the push to try to make everything homogenous. One is that it promotes stagnation. Another is evidenced by what we've been talking about here in that lack of diversity can make a system vulnerable to any small weakness that might be found. We need to find a way to allow options for the same interface everywhere, while also allowing for flexibility for people to do things differently.

    One thing to think about is that we can have a similar enough look and feel and 'interface' to allow users to use different software without necessarily being forced to all use the exact same products. For instance, if I can drive a Ford or a Toyota, I can adjust to driving a Chevy or a Honda or whatever pretty easily. They aren't exactly the same, the controls may look a little different or be placed slightly different, but it isn't going to keep me from driving. By the same token, if I know how to run one GUI, it doesn't take me long to figure out how to use another.

    Having a certain level of diversity in the software community is a good thing. If we had file formats and network formats that were not controlled by vendor interests and fighting, we would be a lot further along here. We could have compatibility to talk to each other without having to be exact clones of each other.

    Look at Netscape - they want the same user experience everywhere. This thought process occurs in programming as well (look at Java - hey, and C!),

    The direction that C has gone, and hopefully Java will (and probably would have if it weren't for Microsoft's attempts to derail cross-platform Java) is that it is standardized not on individual products, but on a specification that allows interoperability between products from different vendors.

    where if the same interfaces exist in multiple places, it'll be easier to interoperate.

    One of the problems the computer world faces is that we need to promote vendor and platform independent standards where they are possible and make sense, while still allowing innovation (as opposed to Microsoft's 'immovation' (immitation)). We (in the sense of the industry as a whole) should change standards or create new standards when there is a good technical reason for doing so, not for vendor specific marketing reasons.

  • An NT box *IS* C2 in a disconnected configuration. And would probably be considered B2 or better in a configuration where it's powered off, unplugged and locked in a safe...
  • by jabber ( 13196 ) on Tuesday May 16, 2000 @04:22AM (#1069756) Homepage
    As part of its effort to standardize the user interface and functionality of all Microsoft programs, Windows producer Microsoft has proposed the following guidelines. They will make your development strategy consistent with the development strategy at Microsoft.

    1. Start by having your R&D staff search the net and other sources for popular applications until they find one that would look good in a box with the art division's latest logo.

    2. The R&D staff must now completely replicate that product, changing the interface slightly and adding no less than 20,000 extra "features," at least 100 of which must really be bugs that they didn't feel like fixing.

    3. Do NOT, under any circumstances, test the product. This is a waste of time and money. Ship the first beta that arrives on your desk. In fact, don't bother even getting it on your desk. Just ship every build that comes along. Users like upgrades. Besides, you can charge people for bug-fixes cleverly disguised as "service packages". Users love service packages.

    4. Hopefully someone's written a user's manual. In fact, it's probably readable by a normal human being. This is unacceptable; perform a find and replace operation on random English words, replacing them with technical terms and acronyms. Users like acronyms; they add mystery to a product. Never tell what an acronym means; this is unprofessional. You may even wish to make up your own acronyms; again, don't tell what they mean. For every sensible sentence, you lose at least three calls to your $200-per-incident tech support line. Users love calling tech support, especially when there are fifty touch tone menus that all lead to the same two people.

    5. Prepare for shipping. Have your team of 57 lawyers create a prefabricated license agreement. If you do not have 57 lawyers, hire or fire as necessary so that you do have 57 lawyers. Be sure that the license agreement includes a "by opening the box, you agree to this" statement. Then put it inside the box. Users will perceive this as a joke and laugh. Users love involuntarily binding themselves to legal agreements.

    6. Before shipping, invest in shrink wrap. Shrink wrap the manual. Shrink wrap the CD. Shrink wrap each and every floppy disk separately. Shrink wrap the "getting started" card. Shrink wrap the registration card. Shrink wrap the card from your grandmother. Then dump the whole mess in a box and shrink wrap it. Pack several boxes inside a larger brown box with 5,637 non-decomposable foam peanuts (each one shrink wrapped individually, of course). Be sure the foam peanut count is exactly 5,637. Remove or add shrink-wrapped foam peanuts as necessary. Throw in a roll of bubble wrap because of its entertainment value.

    7. Ship the product and move your entire R&D and art staff to the $200-per-incident tech support lines.

  • by Jonny Royale ( 62364 ) on Tuesday May 16, 2000 @04:23AM (#1069759) Homepage Journal
    I'm surprised no one thought of this before...

    Simply re-encode your macro viruses into Word, or Excel or Access or whatever macros, then send that document (with the viruses attached) around...

    If I wasn't in trouble with Microsoft before [slashdot.org], I sure am now!

  • by wrenling ( 99679 ) on Tuesday May 16, 2000 @04:24AM (#1069773)
    .doc & .xls were how most viruses used to get passed -- *cough* back in the 'old' days.

    It took new and improved MS Outlook to allow more fun ways of nuking computer systems.

    The solution isn't to back track, but to figure out how to go forward while sandboxing the current problem so that any code executed in Outlook stays within Outlook.
  • by sammy baby ( 14909 ) on Tuesday May 16, 2000 @04:27AM (#1069779) Journal

    Okay, folks, stop saying "Hey, they took attachments out of Outlook!" Here's what actually happened:

    The MS patch revolves around defining various types of security levels for attachments. At present, they only define two levels. At level 1 (.exe, .com, .vbs, et cetera [microsoft.com]), the attachment is deleted. Poof. Gone.

    At level two (just .zip files), opening the attachment shows a warning to the effect of, "Hey, this file, it could be really really bad, so be careful before you open it, okay?"

    Obvious weaknesses:

    1. The .zip file attachment filter is absolutely ludicrous: anyone with a copy of WinZip can also open .arj, .cab, .tar, and .gzip files (and probably a full other types to boot). None of those file types are addressed.
    2. Executable files that you want distributed are nuked. Outta luck.
    3. This patch breaks functionality with a whole bunch of software [microsoft.com]. I don't know if this was avoidable (can't make an omelette without breaking some eggs), but it sucks.

    What the release gets right:

    IE does have a pretty nifty security model in that it offers multiple layers of trust for various sites/domains (trusted, "Internet", restricted, custom). Anything sent by e-mail is now assumed to be from the "restricted" zone, unless manually reset. I'd prefer to see a per-user trust level for e-mail, but that can only come with the widespread adoption of an authentication model (like PGP, for example), which I don't see happening yet.
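
Added example (not part of the comment above and not Microsoft's code): one way a mail filter could close weakness 1 is to sort attachments into the two levels by their leading bytes as well as by extension, so that .arj, .cab, .tar and gzip files, or an executable with a misleading name, land in the same level as their .zip and .exe counterparts. The extension sets hold only the types named in this thread; the function names, the level 0 "allow" result and the sample byte strings are assumptions constructed for illustration.

```python
import os

# Extensions the thread names for each level; Microsoft's full list is longer
# and is not reproduced here.
LEVEL1_EXTENSIONS = {".exe", ".com", ".vbs"}   # attachment removed
LEVEL2_EXTENSIONS = {".zip"}                   # user must save to disk first

# (offset, magic bytes, label): well-known file signatures.
EXECUTABLE_SIGNATURES = [(0, b"MZ", "DOS/Windows executable")]
ARCHIVE_SIGNATURES = [
    (0, b"PK\x03\x04", "zip"),
    (0, b"\x1f\x8b", "gzip"),
    (0, b"MSCF", "cab"),
    (0, b"\x60\xea", "arj"),
    (257, b"ustar", "tar"),
]


def sniff(data, signatures):
    """Return the label of the first signature found in data, else None."""
    for offset, magic, label in signatures:
        if data[offset:offset + len(magic)] == magic:
            return label
    return None


def effective_extension(filename):
    """Last extension, lower-cased, after dropping trailing dots and spaces
    (Windows ignores those when it resolves a file name)."""
    name = filename.rstrip(". ").lower()
    return os.path.splitext(name)[1]


def classify_attachment(filename, data):
    """Return (level, reason): 1 = remove, 2 = save-to-disk prompt, 0 = allow."""
    ext = effective_extension(filename)
    kind = sniff(data, EXECUTABLE_SIGNATURES)
    if kind:
        return 1, "content is a " + kind
    if ext in LEVEL1_EXTENSIONS:
        # Scripts such as .vbs are plain text, so only the name identifies them.
        return 1, "extension " + ext
    kind = sniff(data, ARCHIVE_SIGNATURES)
    if kind:
        return 2, "content is a " + kind + " archive"
    if ext in LEVEL2_EXTENSIONS:
        return 2, "extension " + ext
    return 0, "no rule matched"


# Constructed sample attachments (file name, leading bytes).
SAMPLES = [
    ("setup.exe", b"MZ\x90\x00" + b"\x00" * 60),
    ("holiday-photo", b"MZ\x90\x00" + b"\x00" * 60),   # executable, no extension
    ("notes.txt.vbs", b'MsgBox "hello"'),
    ("archive.zip", b"PK\x03\x04\x14\x00"),
    ("logs.tar", b"\x00" * 257 + b"ustar\x00"),
    ("backup.dat", b"\x1f\x8b\x08\x00"),               # gzip under another name
    ("readme.txt", b"plain text"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        level, reason = classify_attachment(name, data)
        print(f"{name:15} level {level}  ({reason})")
```

The two-byte `MZ` check fails closed: a text file that happens to begin with those letters is also treated as level 1.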

  • by SoftwareJanitor ( 15983 ) on Tuesday May 16, 2000 @04:28AM (#1069786)
    If somebody wrote a program for linux that allowed shell scripts to run when you double-click 'em, do you really think it would be any more secure?

    Slightly, because at least they would only affect one user's files, not system files, libraries, etc. That is unless someone logged in as root were stupid enough to run such an email client. Not nearly as likely. Does that mean that the Linux community doesn't need to keep a watchful eye out? No. Does that mean I really expect problems similar to the ILOVEYOU virus? Not any time soon.

    But the main reason that this isn't typically a problem is that unlike the MS-DOS/Windows method where executability is determined by file extension, in Linux/UNIX executability is determined by file permissions, which are normally set so the file isn't executable when it is downloaded. While it would certainly be possible for a program to be written for Linux with such a misfeature, I can't imagine that it would ever become popular enough within the Linux/UNIX community to become a target for virus authors. In order for something to become ubiquitous in the Linux community, it will need to be open source. And that will ensure that such a glaring problem will likely get fixed before it gets exploited much.

    Outlook is such an attractive target for virus authors because it not only has its own security holes in addition to the generally lax security of the Windows 9x platform, but it is so ubiquitous that viruses written for it will affect the vast majority of Windows users that come into contact with it.

  • by IntlHarvester ( 11985 ) on Tuesday May 16, 2000 @04:30AM (#1069791) Journal
    NO -- disabling the Scripting Host is an idiotic response dreamed up by dunderheaded MCSEs. It's like disabling Bash or Perl on a Linux box -- it prevents one or two specific things from going wrong, but it also axes a big bunch of functionality.

    The ILOVEYOU worm just happened to be a VB Script. It could have also been recompiled into an EXE with trivial changes. It could have been coded in Perl, Delphi, C++, and so on. There's nothing special about things running in the scripting host.

    The *real* problem is Outlook's automation object model. By providing an API where Exchange data can be scanned and mail can be sent without user interaction, they are setting themselves up for all sorts of worms (or worse, targeted industrial espionage).

    What Microsoft should really include is a dialog box -- "Warning -- a program is trying to automatically send a mail message to xxx@yz.com! Proceed? Yes/[No]/See Message". This would stop mail worms pretty quickly. Better yet, give the Exchange admins control over whether things like this are even possible on their systems.

    Forcing users to change how they handle executables is a start, but doesn't solve the real problem -- a poorly implemented COM API.
    --
