Microsoft Develops Security-Path for Outlook
Reemi writes "On Microsoft's Office update-site they write:
The Outlook® E-mail Security Update is in development... Since access to certain file attachments in Outlook is restricted by the update, users will need an alternate method for distributing files... For a list of file types impacted by this update, read File Types Impacted by the Outlook 98/2000 E-mail Security Update.
It seems Microsoft is setting a new standard: Emails without attachments. "
except .doc, .xls, .ppt and the other Office files, which are just as dangerous as any other. When will these people ever learn. And hey, they also don't disable .zip files, so everybody will just zip their VBS files from now on. :)
--
-pf
Make affiliate bucks
It doesn't matter what Microsoft (or anyone else) does or does not do to increase their security, people will always be the biggest security hole.
I have read comments saying that they should do away with the auto-launch, but this would still leave you dependent on the people to not launch the offending files.
With any new functionality that is added to a system, there is another opportunity for people to screw something up. The ILOVEYOU virus just happened to be distributed through email, but it could have been distributed through other channels. If a virus was mailed out on disk with a note that said "Put this in your floppy drive and run everything on the disk" no one would argue against the fact that the people caused damage to themselves. No one would try to blame the post office or the manufacturer of the floppy disk. Any security model is reliant on people.
For every door or window I put in my house, I give someone another easy way to break in. Should we stop using doors and windows (no pun intended)?
A user that installs Linux at home, runs around as root all day, and runs everything that is emailed to him is just as vulnerable to these attacks as a windows user.
Ultimately people are to blame for these incidents and IMHO the best solution is user education. We don't let people drive a car without a license, not just because they may hurt themselves, but because they may hurt others through their carelessness.
--
They're basically building in the excuse for the next round of virii to hit.
You've just gotta love 'em.
We'd probably be no better or worse off with custodians running nuclear plants than with a 'technician' like a Homer Simpson. Seriously, you aren't giving sysadmins enough credit here. Sure, there are lots of MSCE type idiots running around, but there are a lot of highly skilled people working as admins as well. Admins are the people who are ultimately responsible for the security of their networks, who else should be able to control them?
It seems to me that this is Microsoft's way of throwing a temper tantrum. It seems that they are saying, "Okay, you want tighter security than Outlook provides? We'll release a patch that makes Outlook so secure that you can't access email attachments at all!"
It seems that they could've just disabled execution of attachments, yet left a way for those attachments to be saved.
--- Biffster.org
"Bite my shiny metal ass."
2) Who are you going to sue? Microsoft disclaims all responsibility for the design flaws in their programs. Their initial design and their sorry attempt to patch their original flawed design are nothing less than irrefutable proof that what's happening inside Microsoft is malpractice on a huge scale. They don't need to patch Outlook, they need to fix their entire flawed perception of the importance of security. How many more billions of dollars will have to be lost before someone sees this? Certainly Microsoft has no incentive to change. The IT lemmings will keep jumping off the MS Cliff because they don't know any better, and Microsoft will never have to pay for the flaws in their code because the laws are moving toward favoring the corporation, not the consumer.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
!seineew era srekcah onipiliF omaL
Microsoft could not be reached for comment. Other Anti-virus software vendors said they were looking into the report.
--
Have fun: Join D.N.A. (National Dyslexics Association)
First off, I agree with you in that this does help to some extent, especially from most copycats.
I disagree with you in that this does not help the virus vulnerability issue with Outlook. Do you know how easy it is to write a macro virus in a .DO* or .XL*? How about renaming an executable? Or a macro in an .xls file that renames/decompresses another file that is mailed with it? This is just giving the average user a false sense of security!
I cannot endorse this issue until M$ locks down the default settings. If the user wishes to be vulnerable, then let them change the settings as they wish. Perhaps a notification when they try to execute malicious code??? I know that every time I open a spreadsheet in Excel, it warns me that there could be macro-viruses in the document. Maybe they can add that simple teeny warning into Outlook?!
Yet another reason Open Source rules. I could just add that warning 'feature' myself in less than 10 lines of code.
When I worked for a company that insisted on using Netscape servers on NT I would try and make the environment as sane as possible by creating directories called etc, bin, and so on... also renaming CGI scripts from foo.exe to foo made no difference, they were still executed. I'm not sure if this is Netscape functionality or general Windoze functionality, but it was still Windows executing a file that didn't end with .exe (or .com, etc.)
Here is an idea. Why not make it so that if you download an attachment:
1. It's not set to autorun.
Netscape's email proggie does not autorun attachments like that by default. But Outlook does.
If Microsoft released a patch that switched the autorun to off by default then 90% of these problems won't happen because most people who use Outlook are computer dum-dums and won't know how to enable it. Which means that annoyances like the I Love You virus won't hurt as bad.
2. Instead of disallowing attachments of certain file types, how 'bout this: make it so that either the attachment is run in a "virtual machine" which does not have access to your actual system, or set the permissions on your system files to READ-ONLY while an attachment is running so that the program cannot modify them.
--------========+++Dont Feed The Lab Techs+++========--------
Quick! Now is the time to buy stock in your favorite compression utility as the masses swoon to find a way to mail that 4MB Flash .exe to 30+ people every morning.
(Yeah, yeah.. some of those fscking things are innovative & humorous - but most are useless commercial crap that brings the network to its knees ~8:30 in the morning)
It's Msft's job to SELL LICENSES - period. That's what fills the coffers and keeps stockholders grinning. Market research shows that ease of access to data is more important than security. Putting security into a system turns users off, and thus sales droop. The teeming millions have enough problems just learning Word, without having to jump thru hoops just to get access to their files. Until ppl have enough bad experiences to learn to demand security, it won't be a development priority.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Word and Excel can be set to warn you if you are opening a document that has macros. Since most Windows users don't even know what a macro is, it's a pretty good bet that if a document has macros, they are of the viral persuasion. Unfortunately, since most Windows users don't even know what a macro is, they will often click on the OK button in the warning dialog and infect themselves anyway. This has happened several times in this office.
Having said that, it would probably be better if Outlook were set up this way to merely warn a user that they could potentially be opening a virus infected file. Ideally, when a user double-clicks on an attachment in Outlook that can carry a virus like an exe, doc, vbs, etc. file, it should:
If Outlook did this, the last two big virus outbreaks (Melissa and ILOVEYOU) would never have happened.
Does this
Why prohibit transmission of all these files? Why can't they just make Outlook behave like my browser when I attempt to download a file, i.e. user prompt saying blah, blah, blah.
I'm willing to bet people will install this and then, not being happy, will find out they can't uninstall it without having to do a full Office install.
MS should have posted that they can just zip any files with these extensions and they can e-mail the zip file as usual.
I've been preaching the "No Attachment" message to my users for three years now and they still think I'm an idiot ("But how will we share files?")
That's not a solution. The problem here is the broken Windows software design. Microsoft has made a decision in all of its software to make it easier to use at the cost of security. The real solution here is to disable the automatic launching of executable files of any type; to get rid of Microsoft Word macros, or at least turn them off by default; to make it so the user needs to initiate any action that could be dangerous to the system.
Solutions like "don't send attachments" or blocking attachments of certain types only provide the user with a false sense of security. What happens when a user gets an email with a link in it that points to "That important document you asked me about"? The user clicks on it thinking 'well it's not an attachment and besides Outlook filters out bad stuff so I have to be safe'; Word launches, reads and executes the happy-go-lucky script. The only thing that has changed is how the "virus" spreads. The problem is that the "virus" is still spreading.
Microsoft and sysadmins in general need to start educating their users and putting some effort into securing things. You can't just hide from a problem and assume everything is ok.
-matt
>It took the power of 3 C64s to get man to the moon, and yet Windows95 requires a 486. Anybody see irony in this?
:-)
Actually, win95 runs (well, "walks", or "crawls", but still...) on a 386. I once had it running on an i386/33 with 4Mb RAM. Quite amusing actually, got great uptimes.
And I'm not condemning Windows as sucky. It IS sucky, but this isn't the reason.
If I was running the (IT) world, my first decree would be: "Let there be...biodiversity!". Multiple operating systems, multiple client apps for each general task (email, web, office, etc). Not only would this solve (or lessen) a lot of security/virus issues, but it would also enhance standards compliance (not to mention standards creation).
Second decree: "Let there be...education!". Teach users not to open everything they get. Teach them that, no matter how much they want to run that "A Different Porn Image On Your Desktop Every Hour" program, installing it right off the Internet is probably not a great idea.
Third decree: "Let there be...cryptography!". I used to think cryptography was about "codes and stuff". Not so. I just finished "Applied Cryptography" and has it ever opened my eyes. There are trustable methods for doing everything AND keeping privacy. For instance what about a protocol that required a sender to identify himself unambiguously but would erase that identification if the sent item turned out harmless? And I don't want to hear anything about circumvention from anyone who hasn't read the book.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
Do you open attachments when they appear to be from people you DO know - like people who had you in their address book, for instance.
This virus doesn't go far enough. Sure, it blocks access to executables, but I can still think of at least one virus that would still get through:
The "I love Shue" virus: this virus is originally downloaded from the "I love Shue" homepage. It claims to be a jpeg of Elisabeth Shue naked. Instead, when executed, it runs a web server of another "I love Shue" homepage, complete with the executable to download. It then steals all your address book entries, and mails an email to those people telling them "I found this really cool homepage with Elisabeth Shue naked". It looks up your local ip address, and puts the url http://youripaddress/nakedshue.jpg.exe in the message. That is a link of course to the exe of the virus. Notice how the ingenious virus writer put .jpg in the file name, just to make it impossible to notice that it's an executable.
Microsoft is now working on a fix for this virus. Their current plan is to block the copy feature of outlook, so that users can't copy urls into their webbrowser.
ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
If somebody wrote a program for linux that allowed shell scripts to run when you double-click 'em, do you really think it would be any more secure?
Yes. Because someone would write it so that you had a choice of options. View the attachment, file the attachment, save the attachment to disk, execute the attachment. The broken, brain-damaged Microsoft way is there is only one way to "Open" a file and that is to open it with the program that is associated with that file extension. There are at least three instances of brokenness and/or brain-damage in the preceding sentence. One of those is that MS uses extensions to associate files with applications, but Office applications use file contents to determine file types. You can save a Word document with a startup macro with a .rtf extension and MS Word will open the file and execute the macro. The user has no means to determine if the file has what its extension says it has.
I have to use Microsoft products at work, but I don't have to like it.
Anomalous: inconsistent with or deviating from what is usual, normal, or expected
Canard: a false or unfounded report
I love Outlook. This will just make it that much better than crap like SendMail.
I think it needed some patches too.
Yeah, a big one over the floppy drive to stop anyone putting a disk in, cycling the power and booting another OS.
And it only took an estimated 10 billion dollars worth of damage worldwide before they did something about the security problems... whoo! :)
---
The company I work for uses Norton and enables 'virus like activity' detection on all of the desktops.
It is essentially useless. You'd think registry editing by a VB script would qualify...nope. It might offer a little protection from anything that writes directly to a boot sector but that is so 'old tech' that anything that tries probably already appears in the virus list.
What with the ease of scripting who'd bother?
Icebox
According to the BBC the fix is only for Outlook and there will not be a fix for Outlook Express, where the majority of the clueless lie. Seems to be a bit of a waste of time.
I am a Microsoft Lawyer. Sorry for the AC I couldn't figure out how to log in.
We suggest you take this story down as you quote words directly off our web page.
If not we will crush you.
Thank you.
Micro$oft Lawyer.
Send an email to a competitor and have it send to an anonymous ftp server all the MS Office files it finds, and infect the rest of the office.
Some intelligence could be used if there were titles used, so the program would look for Vice Presidents, CIO, CEO, etc. and grab from their access first. Heck, have it also resend the email to some hotmail account, and then delete the notices from the sent message folder.
Now imagine hooking this into something like worm net, and then letting it loose. Good grief, the damage would be in the billions.
III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIII
Can anyone explain why GNOME would need VB compatible scripting?
Try here for a pretty good description of their reasoning.
Isn't it just a matter of disabling the scripting host thingy by default? I haven't touched wintendo for ages, so I'm only guessing, please correct me
Unable to read configuration file '/bigassraid/htdig//conf/14229.conf'
Geocrawler error message.
The whole thing stems from one fundamental confusion: failing to distinguish between _viewing_ a file, and _executing_ the instructions in that file. If filetypes like VBS macros had two separate commands for these, with the default being 'view', then worms like this could not spread.
I always thought it was really stupid how the menu in Program Manager said 'Open' instead of 'Run'. Now Microsoft's decision to blur the lines between the two is coming back to haunt them.
-- Ed Avis ed@membled.com
Here's a good patch for Outlook: GET RID OF IT!! USE PINE!!! I can't stand waiting for Outlook/Exchange Server to synchronize and do other things BEFORE I can read my e-mail. I think a Pentium III 500 w/128MB RAM should be sufficient to run a mail client without using much overhead.
But then again, this is Microsoft. They do things in a special way.
Quick! The second horse has gone!
Close and lock the barn doors, and shoot all the other horses!
PigPog.
Yup, the feature is described as "Object Model Guard", and is definitely a big start for Microsoft. For one, they are (sorta) admitting that there is a problem with Outlook's design, and it isn't just a "best practices" problem.
It should also be noted that there are valid corporate 'routing' applications which rely on addressbook scanning and automated mail sending. You commonly see these in Lotus Notes shops, and to some extent in more advanced Exchange environments. So the question is how to let the "good" scripts run while still stopping the "bad" scripts...
--
Business. Numbers. Money. People. Computer World.
Java can definitely be a risk. It's weird (as someone else noted) that pretty well all the file types that M$ is limiting are their own products.
If I send you a malicious Java *application*, it can do all kinds of stuff - probably just as well as the VBScript program can (but it would be harder to write, IMHO).
It's a Java *applet* (e.g., run via your friendly Web browser) that's quite limited in what it can do via the sandbox concept. So, Java would not be good as a virus that ran as an applet through your browser, but would work just fine as a virus Java application you ran through your native Java virtual machine (JVM).
The difference is that most people only have a JVM in their Web browser, so they couldn't run a Java application anyway. If Sun has their way, everyone soon will have a JVM....if M$ has their way, maybe we won't. Someone correct me if I'm wrong - I don't think there's any sort of JVM shipping with Windows 98 or 2000, you need to get and install one separately.
Mind you, if people are transferring Kodak Photo CD images via email, we have bigger *pun intended* problems than viri... ;)
Chris
-- Humans, because the hardware IS the software.
No, I still wouldn't be happy with Windows even if they did that. There is a lot more wrong with Windows. Those things would be a small start in the right direction, but the inherent architecture of Windows (yes, even NT and 2000) is poor, and you can't easily retrofit that.
I noticed the following disclaimer on Microsoft's web site:
THIS BETA IS NOT INTENDED TO BE PLACED INTO PRODUCTION SITUATIONS, AND IT SHOULD BE DEPLOYED ONLY ON MACHINES THAT CAN BE REFORMATTED AFTER TESTING WITHOUT SERIOUS CONCERNS.
What a lovely paper bag they have on.
- "We've got to get these two together." - "I think that would be extraordinarily dangerous." -
Very true, and a really good point. However, don't make the assumption that my loved ones would go into my "trusted user" list. My network admins, co-sysadmins, and a few other technical professionals I know might make that list. My mother? No way.
(That's not to say that somebody's mother isn't going to make that list. Just not mine.)
The Outlook user only has to save it to the desktop, then execute it. One extra step.
The party's over
"Personally if I have something humourous or work related to send, I put it in my webspace and send people a link. This will force people to do things such as this."
The problem is all the users who send this type of thing out, don't have a clue on how to set up a webpage and send a link to it. But they know how to attach things by email.
I agree though javascript and vbscript shouldn't be allowed to run in an email. In a lot of ways HTML shouldn't be in there either. If you need to send me a web page attach it, but still keep javascript/vbscript disabled when opening the HTML page from the mail program.
I'm wondering how soon some virus writer will work out a (time delayed?) FTP install of a different OS.
OS bigotry run amok.
I don't subscribe to RMS's GNUtopian vision.
Am I the only one who feels insulted by the Big All Knowing Corporation keeping me from doing what I want for "my own good"?
Damn.
As a matter of fact, here's a better way than that...
Encode your viruses into HTML documents. Then, ship the documents to whomever. When they open the document, since it's running locally, it should allow all scripts to run...automatically.
I would appreciate everyone's opinion on another solution I suggested. This might still make it into a product (not outlook) so if you can see a flaw in it, please tell me.
When a file is received as an attachment that matches the "executable" mask (that is, has the extension exe, vbs, bat, etc) the file is renamed by the addition of a ".unsafe" extension, thereby becoming file.exe.unsafe for example. This preserves the integrity of the file but makes it non-executable until the user explicitly renames it back to the executable extension.
Problems I have considered:
1) somebody might predict this and register the ".unsafe" extension to an executable. Could be solved by using a random string. This also implies prior infections, so they're already screwed.
2) most users have "hide extensions" turned on. While they would still see the unregistered ".unsafe", they might not comprehend the significance and require education before they can use their executable attachments. My feeling is that this is a good thing.
Can anyone show me a truly important flaw in this suggestion? I would like to push it internally but I am uncertain of its worth.
-konstant
Yes! We are all individuals! I'm not!
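The policy konstant sketches above (rename executable attachments to a non-associated suffix), Ed Avis's "view by default, run only on request" distinction, and the two disguise tricks raised in this thread (a ".jpg.exe" double extension, and a macro document saved under an .rtf name that Word still opens by content) can all be expressed as one attachment-handling check. The following is an added example written for this page, not Microsoft's update and not any commenter's code; the extension lists, the magic-byte table and the sample attachments are constructed for the example, and the random token on the quarantine suffix is the fix konstant proposes for his own "problem 1".

```python
"""Attachment-handling policy: view by default, quarantine executables, warn on macro
carriers. Added example for this thread; the extension lists are constructed."""
import secrets

# Constructed lists for the example; the update's real list is the one Microsoft published.
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "vbs", "js", "pif", "scr", "url"}
MACRO_CAPABLE_EXTS = {"doc", "dot", "xls", "xlt", "ppt", "rtf"}
ARCHIVE_EXTS = {"zip"}
# Types a file manager would treat as "known" and hide the extension of (constructed subset).
KNOWN_EXTS = EXECUTABLE_EXTS | MACRO_CAPABLE_EXTS | ARCHIVE_EXTS | {"jpg", "gif", "txt"}

# Leading bytes of common formats, so content can be checked against the declared name.
MAGIC = (
    (b"MZ", "pe-executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound-document"),
    (b"PK\x03\x04", "zip-archive"),
    (b"{\\rtf", "rtf-text"),
    (b"\xff\xd8\xff", "jpeg-image"),
)


def sniff(data):
    """Identify content by its first bytes, ignoring the file name entirely."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"


def extensions(name):
    """Every dotted suffix, lower-cased: 'nakedshue.jpg.exe' -> ['jpg', 'exe']."""
    return name.lower().split(".")[1:]


def displayed_name(name, hide_known_extensions=True):
    """What a file manager shows with 'hide extensions for known types' on: only the
    final extension disappears, so 'photo.jpg.exe' is listed as 'photo.jpg'."""
    exts = extensions(name)
    if hide_known_extensions and exts and exts[-1] in KNOWN_EXTS:
        return name[: -(len(exts[-1]) + 1)]
    return name


def classify(name, data):
    """Return (action, reasons). 'view' is the default: the attachment is shown, never
    executed. 'quarantine' renames it; 'warn' keeps the macro warning Office users know."""
    exts = extensions(name)
    last = exts[-1] if exts else ""
    kind = sniff(data)
    reasons = []
    if last in EXECUTABLE_EXTS:
        reasons.append("declared type .%s is executable" % last)
        if len(exts) > 1:
            reasons.append("double extension: .%s masks the executable" % exts[-2])
    elif kind == "pe-executable":
        reasons.append("content is a PE executable despite the name")
    if reasons:
        return "quarantine", reasons
    if kind in ("ole-compound-document", "rtf-text") or last in MACRO_CAPABLE_EXTS:
        return "warn", ["Office document: may carry macros or embedded objects"]
    if kind == "zip-archive" or last in ARCHIVE_EXTS:
        return "warn", ["archive: contents were not inspected"]
    return "view", []


def quarantine_name(name, token=None):
    """Append a suffix no application is associated with. The random token answers the
    objection that a fixed '.unsafe' could itself be registered to an executable."""
    token = token if token is not None else secrets.token_hex(4)
    return "%s.unsafe-%s" % (name, token)


def handle(name, data, token=None):
    """Decide what to do with one attachment and under which name to store it."""
    action, reasons = classify(name, data)
    stored = quarantine_name(name, token) if action == "quarantine" else name
    return {"action": action, "stored_as": stored, "reasons": reasons}


if __name__ == "__main__":
    # Constructed samples mirroring cases raised in the thread (not real files).
    samples = [
        ("nakedshue.jpg.exe", b"MZ\x90\x00" + b"\x00" * 60),
        ("report.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56),
        ("notes.rtf", b"{\\rtf1\\ansi hello}"),
        ("stuff.zip", b"PK\x03\x04" + b"\x00" * 60),
        ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 60),
        ("setup", b"MZ\x90\x00" + b"\x00" * 60),
    ]
    for name, data in samples:
        print("%-20s shown as %-16s -> %s" % (name, displayed_name(name), handle(name, data)))
```

The content check is what answers konstant's "problem 2" and the .rtf point together: a user with hidden extensions sees "nakedshue.jpg", but the policy never consults the displayed name, and an OLE document is treated as macro-capable whatever suffix it carries. The archive case is deliberately only a warning, since the thread is right that a mailer cannot inspect what a zip will unpack to.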
So can Excel and PowerPoint and any other document that lets you include ActiveX (formerly OLE) objects. Maybe they didn't exclude them because 99% of the documents attached to e-mail in the Outlook-using business community are Word or Excel documents. Funny their own browser (IE) gets "features" broken by this update such as "Send page as link" which sends a .URL attachment to a person. ~GoRK
We don't want VB!
I think what you mean is you don't want VB - and neither do I, but lots of other people do. So, just because we can hack a bit of perl, it doesn't mean we should stand in the way of others wanting to hack a bit of VB (if they should want to).
#!/bin/bash
#
# Linux240.sh - A parody of the "ILOVEYOU" virus
# This program is not intended to do any harm
#
# ILOVEYOU spread by human engineering --enticing people to run a harmful
# program. It has nothing to do with "Outlook being dangerous" or "Linux
# being immune because it is open source", as the following article would
# have people believe:
#
# http://www.cnn.com/2000/TECH/computing/05/09/linux.immune.idg/index.html
#
# These kinds of virii spread because gullible people run harmful programs.
echo Upgrading Linux Kernel to version 2.4.0
echo -n Progress:
for i in 0 1 2 3 4; do
    sleep 1
    echo -n .
done
echo "" Done!
echo
echo -n 'Shall I tell all your friends about this upgrade? (y/n) '
read foo
if [ x$foo != xy ]; then
    exit
fi
echo
echo 'Warning: This could cost billions of dollars in lost productivity'
echo -n 'worldwide. Are you sure you want to tell them? (y/n) '
read foo
if [ x$foo != xy ]; then
    exit
fi
# Todo: Add address books from other mail clients here: Netscape, Mutt...
# Better yet: scan every file in the file system for email addresses
for i in ~/.addressbook; do
    if [ -f $i ]; then
        for j in `strings $i | grep '@' | sed 's/[^-A-Za-z0-9_+.]*\([-A-Za-z0-9_+.]*@[-A-Za-z0-9_+.]*\).*/\1/'`; do
            echo Mailing $j
            echo "Please save this attachment as Linux240.sh, then run" "^J'bash Linux240.sh' to upgrade your system to Linux 2.4.0" "^J~*^J1^J" $0 '^Japplication/x-sh^Jy^J' | mailto $j -s 'Linux Kernel 2.4.0 Upgrade' > /dev/null
        done
    fi
done
# Todo: Delete JPEG files here
# Todo: Delete MP3 files here (especially Metallica songs)
# Note: no root privileges, but still easy to do damage
Look, if you paid people for 24 hours to do *nothing*, then I'm pretty sure you could claim that you lost that money (or most of it, anyway). I mean, if you paid someone to write some code, but you didn't give them a computer...
And let's not forget those missing .jpg's and .mp3's. It would be pretty bad for a porn site, or something.
ReadThe ReflectionEngine, a cyberpunk style n
MS says that from now on the user will get asked if it's ok to access the address book. Will this be via pop-up window, or some other method. I'm going to assume that it's a pop-up window.
The vulnerability is from VBA, now if someone is able to write a VBA app which can scan your address book why wouldn't this app be able to select the "OK" button when windows asks the user if it's ok to access the addressbook?
What if they password protect it? The target audience for Windows HATES security, because it's a hassle. They'd have to actually remember their passwords! So if they do password protect it do you think that they'd add a "save my password" checkbox to the prompt? If they do we fall back into the VBA vulnerability.
Get eudora and forget about outlook.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
"I explained how just making the switch would yield very little benefit while misleading folks into thinking they were more secure"
I guess we're really getting into the twilight zone now - actually, making ppl feel secure and confident in a product is a great marketing strategy - they used to teach us that at one big old-iron firm I worked for, that "consumer confidence" is key. A customers 'mental image' of a company/product is much more important than the actual quality/security of the product, which is often beyond their ken anyway, the sales is there to keep the 'warm fuzzy's' going and the payments coming. Msft can get away with all this as long as they have the public trust and someone else to blame it on (hackers, inept McSE's, etc etc etc). It's amazing how much all of this is a smoke&mirrors, Wizard of OZ, managed media public relations image projection game.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Write an educational virus. It wouldn't have a destructive payload ('cept for worming itself through address book). But it sure would *pretend* to be doing nasty things. Scare the bejeezus outta the idiots who doubleclick it. Bright lights, beeps, shit like that.
And then pop up a message saying it *COULD* have nuked their system, but didn't, and that maybe they should finally learn their lesson: don't open attachments!
(Yes, literally: "DON'T OPEN ATTACHMENTS!" Those sorts of dolts are better off never opening them than having to choose which ones to open...)
--
--
Don't like it? Respond with words, not karma.
"No, in the case of ILOVEYOU, this would have stopped the spread of the virus pretty quickly. Imagine if a user had to push "Yes" for each of the several hundred mail messages he/she was sending out. And MAPI.DLL should have similar protection."
I think on most ISP's, "mail", when looked up, gives the address of the mail server, where mail can be sent directly by SMTP.
Alternatively, in Windows, a virus could, say, search (like netstat can) for connections to servers with "mail" in their names, assume they are mail servers, and try to send via SMTP through them. Although, this may not work with MSEXCH servers on corporate LANs.
--
I agree that there's no complete way to prevent 'applications' from sending mail. However, preventing certain programs like Outlook from making it so easy would slow the propagation of worms by quite a bit. (For example, on many corporate systems, Outlook/Exchange is the only mail system available -- there is no direct SMTP access. A policy solution to prevent situations like this.)
Microsoft has proposed a series of bandaids, but given the situation, that's better than nothing. It's kind of like virus-checking -- it doesn't really 'solve' the problem of viruses, but it does go a long way to prevent the propagation of known viruses (and usually is no help at all for the unknown ones).
One real solution involves making some decision about application trust, and having some sort of sandboxing built into the OS. Implementing this goes way beyond file permissions, and normal Unix/Linux systems don't do it either. You would need to implement some sort of 'trusted computing base' with cryptographic signing and would also need to be able to audit and control all user activities on the machine -- it's a big complex infrastructure that most people don't see the need for. In the short term, shutting down the obvious maldesigned pieces (like Outlook's object model), is a decent point to start at.
I asked you this in another thread -- Microsoft's solution is half-assed, but what is yours?
--
Business. Numbers. Money. People. Computer World.
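The question raised earlier in the thread ("how to let the good scripts run while still stopping the bad scripts") and the trusted-computing-base-with-signing answer given just above reduce to the same mechanism: an administrator approves specific automation scripts, and the gate in front of the address book consults that approval before ever showing a prompt. The following is an added example for this page, not part of Outlook's Object Model Guard or of any product; it uses SHA-256 and an HMAC from the Python standard library, the admin key and the routing script are constructed, and the `ask_user` callback stands in for the interactive prompt Microsoft described.

```python
"""Allow-listing of automation scripts by administrator approval.
Added example; not Outlook's Object Model Guard. Key and scripts are constructed."""
import hashlib
import hmac


class ScriptAllowList:
    """Admin-approved scripts, keyed by SHA-256 of their source and tagged with an
    HMAC under an admin key so a stored list cannot be silently extended.
    With a symmetric key the verifier must itself be trusted; a public-key
    signature would let the client hold only the verification key."""

    def __init__(self, admin_key):
        self._key = admin_key          # constructed secret, held by the admin
        self._approved = {}            # digest -> HMAC tag

    @staticmethod
    def digest(script_source):
        return hashlib.sha256(script_source.encode("utf-8")).hexdigest()

    def _tag(self, digest):
        return hmac.new(self._key, digest.encode("ascii"), hashlib.sha256).hexdigest()

    def approve(self, script_source):
        """Record a script as approved; returns its digest for audit logs."""
        d = self.digest(script_source)
        self._approved[d] = self._tag(d)
        return d

    def is_approved(self, script_source):
        """True only if this exact source was approved and its tag still verifies."""
        d = self.digest(script_source)
        tag = self._approved.get(d)
        return tag is not None and hmac.compare_digest(tag, self._tag(d))


def address_book_access(allow_list, script_source, ask_user):
    """Gate in the spirit of the update's address-book prompt: allow-listed scripts
    proceed silently; anything else needs an explicit user decision, and a script
    modified after approval (even by one byte) falls back to that prompt."""
    if allow_list.is_approved(script_source):
        return "granted:allow-listed"
    return "granted:user-approved" if ask_user(script_source) else "denied"


if __name__ == "__main__":
    allow = ScriptAllowList(b"constructed-admin-key")
    routing = "For Each c In AddressBook: RouteDocument c: Next"   # constructed script
    allow.approve(routing)
    deny = lambda source: False
    print(address_book_access(allow, routing, deny))
    print(address_book_access(allow, routing + " ' tampered", deny))
```

The point of hashing the whole source rather than trusting a script name is the one made about extensions elsewhere in this thread: identity has to come from content, not from a label the sender controls. The prompt remains for everything unapproved, which is also why it should not be dismissable by the script it is asking about.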
Theoretically, Word is supposed to be able to warn users if it opens a
I usually refuse to let Word or Excel execute any embedded macros they find in a document until I've had a chance to check them out in Office's VBA editor. I've stopped several virii dead in their tracks this way. Every intelligent Windows user -- and god knows they are rare thanks to Microsoft's ease of use over usability mentality -- should know of and use this trick.
Does this
Your points are valid up to a point. Recreating user files is worse than system files. Recreating every user's files is worse than just a single user's files though, which is what you get when there isn't effective multi-user security. With Windows you probably have to fix user files, system files, registry files, etc.
The other problem is that unrestricted access to system files makes what a virus can do more dangerous, because it can infect itself into lots of other things. Thankfully, few viruses so far have been really insidious and sophisticated enough to pervasively infect a system and slowly (or at least delayed) start to do things. Think how much more damage these viruses might have done had they only slightly propagated themselves at first so they weren't noticed as quickly, but thoroughly infected the systems, so that at some later point they could go full bore once they had been spread all over the place? Doing this effectively would require that a virus/worm be able to infect system files and not just user files.
One thing about corporate mail infrastructures like Exchange is that they provide user identification. The idea is by restricting access to SMTP servers, you can diminish someone's ability to send mail as CEO@MyCompany.com or KiddyP0rn@aol.com. Admittedly, this is a site issue, but a pretty common implementation in larger corporate mail environments. (Anyway - I can't get to my Exchange-SMTP gateway - it's running in a DMZ somewhere.)
No, but think how nice file permissions are.
They are, but ILOVEYOU didn't do anything that perms would have stopped - send mail, trash personal files, modify personal home page, modify personal startup scripts. And still a gazillion tons of damage. As you said in your other post, we need infrastructure that gives us something better.
--
Business. Numbers. Money. People. Computer World.
This is the problem:
I can't imagine that it would ever become popular enough within the Linux/UNIX community
The Linux/UNIX community is changing, just as the internet community changed in the early nineties. In one breath someone here says, "We need to make Linux easier to use and spread its acceptance." and in the next you hear, "I don't want to deal with people who can't use a computer, stay off Linux and use Windows!" In the next breath you hear about a static "Linux/UNIX community" which would never let a program in which would have as many problems as outlook.
Well, the "Linux/UNIX community" is dynamic, very dynamic. You can't read the newsgroups without seeing how many 'newbies' are trying out Linux, and how many others are trying to get Linux/UNIX into homes of windows users.
I'm not discounting SoftwareJanitor, there is a lot of truth in that posting, but I know that the blanket statement "it would [never] become popular enough within the Linux/UNIX community..." is not accurate, since the Linux/UNIX community won't be the same tomorrow as it is today and everyone here seems to want it to be different.
If one wants to advocate an operating system then one needs to help people understand that you just need to be a computer user to use it, you don't need to join some sort of community or exclusive club. The more you talk about 'the community', the more you alienate those who don't understand that it's not exclusive.
-Adam
Probably just another market manipulation by M$. I suppose that owning the computer industry is no longer enough for them, so why not take a few pot shots at one of the old school mega corps (Kodak) under the pretense of providing service? The thing I don't get is shouldn't this be a list that is easily changeable? Having end users run regedit is risky at worst, and confusing for them at best. If I told any of my users something like this, I know they would give me the Homer Simpson Look[tm] in response.
cat
and this patch will make it more difficult to sync your palm w/ outlook. this is IMHO just part of the plan to make ppl dislike the palm.
nmarshall
#include "standard_disclaimer.h"
R.U. SIRIUS: THE ONLY POSSIBLE RESPONSE
nmarshall
The law is that which it boldly asserted and plausibly maintained..
--Colonel Burr 1783
Simply re-encode your macro viruses into Word, or Excel or Access or whatever macros, then send that document (with the viruses attached) around...
VBA macro viruses cannot function until the user has first enabled scripting for their open session of the Office product they are using. When a script attempts to run in an email, two things happen. Firstly Outlook prompts the user, telling them that the mail contains script and asking whether they want to run it. Secondly, if you have not run any script prior to the email in your open session, Outlook prompts you whether you would like to run macro scripts.
Try it at home. Your idea has been covered by Outlook for a long time, however weakly.
-konstant
Yes! We are all individuals! I'm not!
Am I looking for a conspiracy theory, or is it a coincidence, or am I just simply paranoid? Microsoft has just effectively obsoleted sending files through email for most Windows users (if you can send only some files, but not some others, you probably do not want to use it, period.) And they also stated (I quote):
----------------------------------------------
"Users that would like to distribute the attachments on this list can post them to file shares, intranets, online hard drives, community Web site (such as http://communities.msn.com/filecabinets)."
Are they trying to advertise and force people into using their new file sharing (filecabinets above) or what?
---------------------------------------------
--
Jobs? Which jobs?
There is no reason a display program should read, much less write, arbitrary files on my hard disk, and this needs to be enforced at the OS level. Fixing it application by application is foolhardy and inappropriate.
The Java security model appears to be a good start, but the solution must live in the OS or else it is too easy to bypass.
So the real question: who's doing work on such a secure OS for the mainstream community? Linux does not appear to be it, nor does Windows 2000 appear to be evolving in that direction. And I see this as *the* problem of the Internet age.
For starters, just because you run NT or 9x, and your staff likes using Word, don't always assume that the Micros~1 solution is the best one, or even the best-integrated. Nearly all third-party apps are designed specifically to be happy in the M$ biosphere. For your environment, you might be better off tracking your software inventory with Tangram Asset Insight instead of SMS. Maybe your HR database should be running on Peoplesoft or Oracle instead of MS-SQL. Maybe not... but each technology decision should be considered on the merits of the tech, rather than just saying "we are a Microsoft shop."
When you use MS products (or any software), don't always take the "biggest d*ck" approach. Outlook Express might serve your needs better than Outlook. The hot new service pack might not be ready for prime time. Keep in mind that you probably have a lot of 2 year-old systems in your office that you are trying to squeeze a little more life out of. What works on your brand new test-lab box might break in the real world.
MCSE grunts might be easy to find and recruit, but even the most die-hard M$ fan would rather learn how to use the right tool for the job, and one person with the right tech is better than three people trying to fix junk. Don't give up on superior solutions out of fear that you can't find "qualified" staff. I bet your SQL guru would love to be sent to Oracle DBA classes... in fact, you might actually retain him/her for a couple more years if you show that you are committed to expanding the skills of your employees.
Most of your staff is probably made up of geeks and hackers who know a lot about security. Don't take their recommendations lightly.
Information wants to be anthropomorphized.
Your posting doesn't seem to be as incompatible with what I was saying as you seem to think it is.
The mere fact that the Linux community is varied, is changing, and is incredibly dynamic is exactly what will probably ensure that no single email client ever becomes as ubiquitous in the Linux world as Outlook is in the Windows world. There are very few software packages other than the kernel itself that are truly universally accepted, let alone something as high-level as an email client.
The Windows world is different, because it is a monoculture dominated by a single vendor which has an amazing ability to control what software gets bundled with machines. No single entity in the Linux world has that kind of power. Not Red Hat, not Mandrake, not SuSE, not Caldera, not Corel, nobody. The fact that there are many different distributions out there ensures that there will be diversity in what packages will be used. The fact that it will probably be a long time (if ever) before the KDE/Gnome split is unified likely ensures that no single GUI email package will ever become dominant on Linux the way that Outlook is on Windows.
And as I said before, the thing that will really make sure that something with inherent security problems never gets pervasively deployed is that in order for something to be widely accepted in the Linux world it must be open source, which means problems such as these get dealt with quickly.
As for talking about 'the community', that means something different here on Slashdot than it does if I am talking to someone in a different forum. You are reading something into my words that isn't there if you think I use that terminology to be divisive rather than inclusive.
<FLAME>
Does it seem to anyone else like the level of intelligence at Microsoft has dropped significantly lately? Sure, I knew they were evil, but I never really thought they were stupid. Now, within the space of one week they attack Slashdot and release this astonishingly dumb "update". (It actually hurts my eyes to look at it. That's only happened once before, at my last job.)
Is this some kind of clever trick that I don't understand, or are they disintegrating?
</FLAME>
(This was not meant as flamebait... I got carried away while typing.)
This will have precisely one effect on me. My mailbox will no longer be filled up with stupid gimmick Windows programs that I can't run anyway since I use Unix. Bye bye frog blender, cute furry animals, dancing Christmas trees, annoying jingles ... This is undoubtedly the greatest design choice Microsoft have ever made. Think how it will reduce traffic on the Internet, save space on mail servers, improve efficiency at work, etc etc. Now all they have to do is disable macros in Word and I'll personally take back any bad thing I ever said about them!
That's weird how those people always do everything bass-ackwards. They refuse to let users really switch off all this scripting and running attachments *with one simple click* (like, one clicks "maximum security" and gets no scripting and no double-click running, just saving), but they strip attachments completely instead! So you can either just disallow people sending everything ending in "bad words" to you forever (FTP! FTP!) or stay as open as you were for viruses and this time Microsoft can't be blamed - they released a "security update"!
And what's bad in Photo CD Images, why are they there? Are they executable too? And what's bad in security certificates?
-- Si hoc legere scis nimium eruditionis habes.
It will still prevent the macro viruses spreading on computers that don't have MS Office -- this last one hit both Outlook and Outlook Express address books, and was written in a scripting language run by MS Windows Scripting Host, which all computers with MS IE4 and above have. See, fewer people have Office than WSH, so if you take away the ability with WSH, then it's harder to spread.
--
"Outlook/Exchange is the only mail system available -- there is no direct SMTP access."
Check again. Exchange provides an SMTP server--that's how it can deliver internet mail. Try telnetting to port 25 of your nearest Exchange server.
I agree that something is better than nothing. But spending a lot of man-hours thinking up and implementing a solution that does little more than remove functionality without adding any security is worse than useless.
"Implementing this goes way beyond file permissions, and normal Unix/Linux systems don't do it either."
No, but think how nice file permissions are. They keep you from destroying the local machine. Just that one simple fact would change the face of virus-writing immediately. If MS would get off their collective asses and put their money where their mouths are, we'd see an OS that REALLY held users' hands by keeping them from shooting themselves in the foot like this.
BTW, I answered you in that other thread.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
http://www.officeupdate.microsoft.com/2000/articles/out2ksecarticle.htm
"THIS BETA IS NOT INTENDED TO BE PLACED INTO PRODUCTION SITUATIONS, AND IT SHOULD BE DEPLOYED ONLY ON MACHINES THAT CAN BE REFORMATTED AFTER TESTING WITHOUT SERIOUS CONCERNS."
and again Microsoft states:
"The Outlook® E-mail Security Update is in development. Please check back to this page for updates to this information, including the update itself when it is completed."
patience is a virtue... anger is a gift
*Humming a certain R.E.M. song to himself.* Which one? Watch Independence Day.
Don't want to pay Lars? Sue him!
The Titanic might not have hit an iceberg if the captain had not gone full steam through Iceberg Alley.
Even if it did it would not have suffered such a large gash if there was better quality control on the hull rivets.
Even so it might not have taken on water if it had double-hull construction (available at the time but considered too expensive and bulky).
Even so it might have only flooded one or two compartments if the bulkheads had extended well above water level (this was considered too much of an inconvenience for passengers moving around the ship).
Even if the ship still sank the loss of life would have been less terrible if there were enough lifeboats and the crew was trained to deploy them.
So who's to blame?
The newspapers of the time initially blamed the captain for speeding.
The other problems came out during the inquiry and recent expeditions to the wreck.
The companies that built and operated Titanic were liable and had to pay damages.
The industry was more safety conscious after that - for a while.
MS did this before with Outlook 98. All it does is not let you double-click to open the attachment. You have to right click and save it elsewhere to open it. Hopefully your virus scanner will catch it at that point. If you are paranoid, once you save it, scan it, then run it if you feel it's necessary. I'll test this under OL2K tonight.
Isn't this sort of like Micros~1 issuing a fix for win2K that stops you running an executable in case it causes a GPF?
So the only real solution is to place some restrictions on it.
Yeh, some restrictions. Not an outright ban!
ReadThe ReflectionEngine, a cyberpunk style n
This update limits certain functionality in Outlook to provide a higher level of security; it was not created to address a security vulnerability within Outlook.
So, basically, allowing any arbitrary VBS script to execute without prompting the user isn't a security vulnerability. What is it, a ''feature''?
Okay, then, providing a higher level of security *doesn't* address a security vulnerability. So, basically, this sentence says:
This update limits certain functionality in Outlook to provide a higher level of security even though Outlook does not have the security vulnerability that this update addresses; it was not created to address a security vulnerability within Outlook because Outlook doesn't have the security vulnerability that this update very specifically addresses.
In other words, Outlook is 100% secure, but this update makes Outlook more secure. I guess this is the new M$ math....
--keith
This is garbage. Your first point is correct -- that most users don't know what a macro is. However, to say that the mere existence of a macro implies that it is malicious is bullshit. Macros have tons of uses and I know people that use them all the time.
:-)
This is true but macro viruses are so common that checking them out first is just good thinking. I don't know anyone who uses macros, so from my perspective, my comments make more sense.
And your proposed solutions are just more roadblocks, more dialogs for people to click blindly on, more hoops to jump through.
This is also true but I've found that after a few bad experiences, users will tend to get paranoid and ask an IT or systems guy when they see a warning dialog. Sometimes they even get a little too paranoid and start asking questions when they see one of those banner ads that look like an error message.
The solution is to simply not allow any file of any type to do something malicious or questionable to the system. This includes accessing/modifying the registry period, sending mail to people in the address book, etc.
Yes and if only Microsoft would do this we wouldn't need to come up with half-assed work arounds in the first place.
Just to keep all of the facts on the table... Outlook also runs on NT where security is a bit tighter. This is not meant to start any kind of OS war, but people keep assuming that anyone who uses Outlook must use Windows 9x.
Heightened Outlook default security settings increase the default Internet security zone setting within Outlook from "Internet" to "restricted sites."
Meaning what? I can only get email from domains named by the admin? First of all, that defeats the purpose of email. Secondly, it doesn't address the problem: people were opening the viruses because they came from people they already knew. Just because it comes from someone I trust doesn't mean I should trust the package.
You are an idiot, you don't even know what you are talking about. Stupid Linux user
Just FYI before people go off on a "NT needs to be disconnected to get a C2 rating" rant: C2 *REQUIRES* the computer to be disconnected from any sort of network, modem, can and string. IIRC it also can't have a floppy drive and must physically be in a secure location. One more note, an NT box *CAN* be C2. You can't get an OS certified, only a particular machine running under a very specific configuration.
-matt
Help files can contain scripts which are run when the help file is opened. The scripts in Help files can drop an EXE virus; that's how the Babylonia virus was spread.
"One thing about corporate mail infrastructures like Exchange is that they provide user identification."
Not by default they don't. I've worked at two companies that used Exchange (one 4.0, one 5.5) and at BOTH locations I have been able to send untraceable* emails by manually entering them via telnet to port 25. No authentication needed beyond HELO
"...but ILOVEYOU didn't do anything that perms would have stopped...modify personal startup scripts"
What "personal startup scripts"? All I ever heard about were autoexec.bat, config.sys and related entities. Plus the registry. Any OS with even basic permissions wouldn't allow these to be modified by random users.
*From the email headers themselves. I imagine that examining the logs would have indicated something, but that was beside my purpose.
Perhaps we can then take the time to congratulate ourselves on using the internet before it was available to the masses of unintelligent morons that now crowd every aspect of it. Let's sneer at those who don't understand command line FTP. Let's look down our noses at those who don't know what an RFC is, but still have the gall to carry out any kind of activity on our precious internet.
Let's finally admit that our hatred of Microsoft isn't because of any moral open source or business argument; it's that they played a huge part in making the internet available to millions and suddenly our bitch was being used by everyone and, to make it ten times worse, they didn't care at all about the silly shit that we took pride in mastering.
First, I agree that disabling Scripting Host doesn't solve anything. But neither does a proliferation of dialog boxes. Asking the user on a per-incident basis is no way to enforce security.
Worse, it doesn't solve the problem. What keeps a program from using MAPI.DLL (or whatever the flavor of the week is) directly rather than the Outlook "objects"? How is Windows supposed to detect the difference between the user->program->email chain and the program->program->email chain?
And even if it could, you still have the problem of straight SMTP to the local (or an Internet) SMTP server. What are you going to do? Pop up a dialog box every time a program opens a socket?
No, there's no way to keep individual machines from SENDING viruses. The only thing we can do is to keep them from EXECUTING them so easily.
If someone wrote an email client that had the option of automatically running scripts think of the fun you could have! It could be a spammer's dream. For goodness sakes. Let's not do this.
See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
That's the kind of instruction that gets those who don't know what they're doing into trouble. The whole success of these virii is that they appear to be from someone you know, someone who has your email address in their address book.
"MS e-mail has been insecure because it has been customary to allow users to easily open attachments of any type. Period. Not because MS mail programs are poorly written or anything of that nature."
I would argue that the insecurity lies not in the accessibility of attachments, but from a combination of the automatic opening of attachments and, more importantly, the complete lack of security in allowing other software unsupervised access to the address book and mail privileges.
carlos
--
As a matter of fact, I am a lawyer. But I play an actor on TV.
Add to that the number of users who don't listen to the touch-tone options (I suspect some of them just press buttons at random until a human answers) and end up in a completely different group that doesn't have a clue how to handle their support. I'm sure this sounds familiar to some.
73 de N5VB (ex-KD5BIV) AR SK
Great, I'm sick and tired of downloading all those anothersillything.mpg attachments. Attachments are evil, we need a standard way of ftp-ing the attachments to a server and then just posting the url!
That's a good point. One way would be by allowing the user to specify a personal ftp site in their e-mail preferences. Whenever a user sends an attachment greater than a certain size, the e-mail program automatically uploads the "attachment" to the user's personal ftp site and inserts a URL for it in the e-mail. When the user downloads the file, the e-mail program deletes the file from the user's personal ftp site. This method also has the advantage that the user would know if the recipient never looked at the file he or she sent if it stays on their ftp site for a long time.
However, if you look at the restricted types you see that URLs and shortcuts are also disallowed. You have to spell out where to go so that the recipient has to type it in to their browser etc. Bad Microsoft. No sticker. Also, they give the ability to add more filetypes for restriction but no way to remove their new restrictions. Why the F didn't they give the admin of that system the ability to modify each level list? Then I can choose that as a smart admin I get all attachments but my users get a more restricted subset. My somewhat enlightened users get a not quite so restricted set and so on?
If you actually look at the page, most of the filetypes that are being excluded probably are best not sent in Email form anyway. It doesn't really hurt the functionality of Outlook. 'course I still think it would have been easier just to throw a dialog box saying that the attachment may have come from an insecure source... same as in Word, Excel, etc... remember all "Office" products are supposed to look the same... right? ;)
Now accepting sig suggestions.
One thing to think about is that we can have a similar enough look and feel and 'interface' to allow users to use different software without necessarily being forced to all use the exact same products. For instance, if I can drive a Ford or a Toyota, I can adjust to driving a Chevy or a Honda or whatever pretty easily. They aren't exactly the same, the controls may look a little different or be placed slightly different, but it isn't going to keep me from driving. By the same token, if I know how to run one GUI, it doesn't take me long to figure out how to use another.
My point is simply that if we make things "close enough", or if we use
"a specification that allows interoperability between products from different vendors."
then we're still vulnerable to a virus. If it's a close enough interface, then I can probably code something to work with multiple variations. I'm not advocating homogeneity of implementation (heck, not even MS purports to do that - multiple system elements may expose the same functionality, even though they are implemented in many different ways (e.g. drivers, etc)), but that if we have near identical interfaces, we're still stuck with the problem.
I think my biggest issue, and I certainly don't have an answer to it, is that there seem to be irreconcilable problems with protecting our data (and, more difficult, protecting the data of the less techno-savvy) and allowing access to the quite legitimate ease of use and powerful features we *could* offer. That is, there are quite a few reasons why a program should allow silent, complete access to a user's address books - perhaps to simplify administration, etc, and yet such functionality means that a malicious email has the same access.
How the heck do we prevent this?
We could, say, ignore unsigned email... but what about anonymity? Ok, so, we *warn* about anonymous emails, but then all it takes is one person to open such an email, and, poof, everyone in their address has a legitimate, signed, from a friend, copy of the offending email...
-User
Emacs is for experts. Pico is for beginners. VI is a disease.
C:\WINDOWS>copy winhelp.exe wh
1 file(s) copied
C:\WINDOWS>wh
Bad command or file name
C:\WINDOWS>start wh
No application is associated with the specified file. Create an association by using the Explorer.
Now I think there may be a way to associate files with no extension, which could be interesting.
pine, mutt, kmail, balsa, communicator, LDAP, etc address books.
:P
Not really, just scan the whole hard drive for files less than a certain size and scan for email addresses. Linus & co would get a lot of copies, though
Anyway, I still think it's moot. Barring bugs, it would be impossible to do anything malicious in an email that is being read with those settings. That's the whole point of restricting scripts. And, again, ILOVEYOU would not work as an embedded script using any default security settings.
Technically I said it would run just as well under Pine.
Sure, that's an outlandish scenario. But it still has nothing to do with Outlook. ILOVEYOU could easily be rewritten to pull addresses from Netscape's address book, or Eudora's, or Pine for Windows', etc. Outlook is only targeted because it's so common.
MSK
From Microsoft:
Corporate drones learn kludges incredibly easily when someone tries to put a barrier in the way of how they're used to doing things.
In this case I can see so many company employees getting around it by simply renaming the files on each end.
The reason it isn't a user option is that if it were, malicious code could disable it.
--
Do I look like I speak for my employer?
Microsoft could save us all alot of hassle if they just disabled outlook as an automation object.
Need a website host? Try out http://WebQualityHost.net
*sigh*. so what keeps someone from renaming foo.exe to foo? it remains an executable image, Windows will still execute it, and Outlook won't know that it should suppress it ....
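The renaming bypass raised in the post above, and the thread's repeated point that .doc/.xls files are not on the blocked list, both come down to the same weakness: a gateway that judges an attachment by its file extension alone. The Python below is an added example, not code from the thread or from Microsoft, showing the defender's alternative of classifying by content (magic bytes) as well as by name, and looking inside zip archives for risky members. BLOCKED_EXTENSIONS and MACRO_CAPABLE_EXTENSIONS are constructed approximations of what the commenters describe, not the official Outlook list, and every sample attachment is a constructed stub (the "PE" sample is only an MZ header followed by padding).

```python
import io
import os
import zipfile

# Constructed approximation of the extension list the thread describes:
# scripts and executables are blocked, Office documents are not.
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".js", ".bat", ".cmd", ".com", ".scr", ".pif"}
# Extensions the commenters point out can still carry VBA macros.
MACRO_CAPABLE_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".xla", ".mam"}

# Well-known file signatures (magic bytes).
MAGIC_PE = b"MZ"                                      # DOS/PE executable image
MAGIC_ZIP = b"PK\x03\x04"                             # zip local file header
MAGIC_OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"       # OLE compound document (legacy Office)


def extension_verdict(name):
    """Name-only check: what an extension block list sees."""
    ext = os.path.splitext(name)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return "blocked-extension"
    if ext in MACRO_CAPABLE_EXTENSIONS:
        return "macro-capable"
    return "allowed"


def content_verdict(data):
    """Content check: what the bytes are, regardless of what the name says."""
    if data.startswith(MAGIC_PE):
        return "pe-executable"
    if data.startswith(MAGIC_OLE):
        return "ole-document"
    if data.startswith(MAGIC_ZIP):
        # Archives are transparent to an extension filter; inspect member names.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                risky = [m for m in zf.namelist() if extension_verdict(m) != "allowed"]
        except zipfile.BadZipFile:
            return "corrupt-archive"
        return "archive-with-risky-members" if risky else "archive"
    return "unknown"


def classify_attachment(name, data):
    """Combine both views; a content finding overrides a clean-looking name."""
    ext = extension_verdict(name)
    content = content_verdict(data)
    if content in ("pe-executable", "archive-with-risky-members") or ext == "blocked-extension":
        return "quarantine"
    if content == "ole-document" or ext == "macro-capable":
        return "scan-for-macros"
    return "deliver"


def build_samples():
    """Constructed attachments (stubs, not real files) covering the thread's cases."""
    renamed_exe = ("foo", MAGIC_PE + b"\x90" * 62 + b"\x00" * 64)   # foo.exe renamed to foo
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("greeting.vbs", "' constructed placeholder, no script here\n")
    zipped_script = ("greeting.zip", buf.getvalue())                # .vbs hidden in a zip
    office_doc = ("report.doc", MAGIC_OLE + b"\x00" * 120)          # macro-capable format
    plain_text = ("notes.txt", b"Meeting at 10.\n")
    return [renamed_exe, zipped_script, office_doc, plain_text]


if __name__ == "__main__":
    for name, data in build_samples():
        print(f"{name:14} ext={extension_verdict(name):18} "
              f"content={content_verdict(data):26} -> {classify_attachment(name, data)}")
```

Run as a script it prints one line per sample; the renamed executable and the zipped script both reach "quarantine" even though the name-only check passes them, and the .doc is routed to a macro scan rather than silently delivered.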
E-mail without attachments? I don't think so. It said *certain* file types. If somebody wrote a program for linux that allowed shell scripts to run when you double-click 'em, do you really think it would be any more secure?
MS e-mail has been insecure because it has been customary to allow users to easily open attachments of any type. Period. Not because MS mail programs are poorly written or anything of that nature.
Now some people have abused that privilege, and users have not understood it. So the only real solution is to place some restrictions on it. I use MS mail programs and have never had any security problems. I never open attachments from strangers either!
Also, this is really not a bad turn-around time for a patch. Admittedly, it is longer than the turn-arounds for most open source bugfixes, but not by a ridiculous amount of time, especially when you consider that the security hole is entirely fixable via user education anyway.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
In other words, spreading of the email is primarily a user and a client issue, not an OS one. The consequences on the system where the worm is run is an OS issue.
What protected environment exists in any other operating system? The only such thing I know of that's in wide use is the Java applet sandbox.
That's not the point - when I receive an attachment, I want to be able to look at it knowing that any code in it is not going to be run. For example I have Lotus Notes here at work, and I can open an attachment in Lotus's (admittedly pretty awful) viewer before "launching" it.
So, while I may not be able to understand what a VB script does or what macros are in a word document, I can at least look at any suspicious ones and get them checked out.
Gnome guys gonna work this into their lame Outlook knockoff?
If M$ were to allow the local admin to control the list of restricted file extensions we would be OK with this. They have submitted a method for adding items to the restriction levels.
Why don't they make the whole list available here too? Then we could control on a per user or per system basis who can do what.
- DOC - Word Document
- DOT - Word Template
- MAM - Access Macro
- XLS - Excel Spread Sheet
- XLT - Excel Template
- XLA - Excel Addin
I'm sure there are others. It's a good thing there aren't any programmers working at M$, they might design a virus to install Windoze on Linux systems via email....
"The Internet is made of cats."
What about doc and xls? They carry most macro viruses.
Not to crack a mom joke, but most moms are likely to make the list. The most clueless and least knowledgable will say 'well, my mom can be trusted' and add her to their trusted zone.
"Hot lesbian witches! It's fucking genius!"
What's next a copycat virus that changes your screen saver to flying windows, then opens help?
-- Andy
* "Uncle this droid is malfunctioning" -- Luke Skywalker
Excuse me?
Someone please tell me how long it's been since Melissa? It's been over a year, hasn't it?
If open-source projects took that long to close up something this glaring, that had already been pointed out and exploited more than once, there would be no internet right now.
BIND would be so broken that if you typed "www.microsoft.com", for example, you would be taken instead to wherever the script-kiddie-of-the-day decided to make it point to. (of course, that would probably be an improvement, but...)
If that's not considered a bad turn-around for closing up a *hardcore* security violation, then it's no wonder that Microsoft has gained monopoly-like powers over the computer industry. They can write as many bugs as they want to, and as long as it's fixed within three years or so, it's "really not a bad turn-around time for a patch."
Sheesh.
In post-9/11 America, the CIA interrogates YOU!
It's the OS that's the problem. That a user can take down their system with a double click is foolish. NT and perhaps W2K have put some security around the all important registry. It still stuns me that even after repeat attacks, IS managers still vomit the party line. "No one ever got fired for buying Microsoft".
Well, maybe that will change after another dozen ILOVEYOU attachments make their rounds. It has been brought up again and again - homogenous environments are extremely fragile. This is true for biological systems as well as operating systems. This is the underlying design flaw to corporate IS.
To have interoperability, we need open standards not the same program. It's all about the API.
I happily await the DoJ hammer that will smash the bloated, gaudy porcelain pig that is Microsoft into many little porcine pieces. Maybe then, following open standards will be attractive to some of the "mini-bills".
It's interesting that they do not include .doc files in the list even though courtesy of VBA, those files can also execute malicious code.
Mostly good points, but having worked with a lot of corporate email systems over the years, how do you address the issue of a user saving an attachment to his/her hard drive and executing it? Turning off active scripting in outlook really wouldn't help all that much with the I Love You virus if the user has wsh installed- default on windows 2000 and (I believe) 98. The user clicks on the file, windows finds the associated program and executes.
Great, I'm sick and tired of downloading all those anothersillything.mpg attachments. Attachments are evil, we need a standard way of ftp-ing the attachments to a server and then just posting the url!
J.
Microsoft shouldn't call this a "security fix", because it simply isn't one. A security fix is code patched on to prevent bad things from happening, but bad things can still happen using Outlook or any other email program out there. What this has done is just break a lot of functionality when sending emails. Most emails with scripts and exe-files are perfectly legitimate emails, but will now be blocked. The file extension doesn't necessarily have anything to do with Microsoft-based file formats in any way either, but they will still be blocked. Also there'll still be lots of other scripts that can be "opened" (run) by the user, and it's no big deal to send it in another format (inside a compressed file for instance). Most users know how to unzip a file...(if WinZip is installed)
So this hasn't "fixed" anything, and I certainly hope it won't fix Microsoft's reputation either. The problem here isn't that data can be "opened" (run). Far from it. The problem is malicious code that should be prevented by layers of security inherent in the application, OS and computer network. And if the administrator is a dummy, you could add a virus scanner to block known malicious code.
- Steeltoe
http://www.debunkingskeptics.com/
I wish I could say I was surprised.
When is MS going to actually create solutions that address the problem in an adult manner? Resolving an issue by simply creating a new way to ignore it is the action of a 5-year-old child, and should not be the reaction of a company that is supposed to be a market leader.
Intelligent file distribution via email has become a standard for many companies to distribute information to their employees. Good thing there are MUCH better clients out there - I hope they take this opportunity to grab some market share from the bloated behemoth that is MS.
Check out Magic Firesheep!
Interesting that they left those two out of the list... Expect the next e-Mail-Virus to carry a .doc file.
These Microsoft guys are really security-conscious, huh? Great job.
Only last week I received an executable via Email that I wanted to run - it contained updated hardware device drivers. If this fix had been in place, I wouldn't have been able to use it.
The various Windows platforms support embedded digital signatures in executable files. This driver update was one such one that was signed, as is becoming common practice these days.
If MS$ really knew what they were doing, then they could harness this technique to only allow execution of trusted binaries.
For example, the automated Windows update feature of IE 5 checks the validity of a program's signature before running the installation process.
BTW, is the self extracting Kerberos spec signed?
Not when dealing with the teeming masses, it's all emotional appeal, using the proper buzzwords, etc. The 'logic' is this: ppl don't want viri, Msft doesn't want to be broken up, therefore the 'party line' is: breaking up Msft will bring you a plague of viri! No technical linkage required at all, Msft users wouldn't understand it anyway, just simple 'association'. Retroactive damage control. And yes, the EULA *does* exempt them from liability for damages caused by defects in the code - that's why it's such a great biz, you can sell not-ready-for-prime-time products out the yin/yang but as long as you can hold a monopoly position and positive market image, you're in fat city.
What is it, something like 80% of people polled think Msft is 'doing a great job' as it is? Who wants to be a billionaire? Nothing succeeds like success.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Here's a wild one for you: remove the extension from an executable or change the extension to anything your heart desires...send an e-mail with instructions of "save the file to c:\windows\temp, then go to start | run | type in "start c:\windows\temp\badprogram.fli" to view". This will execute the program the same as if it had a .exe extension. There's more than one way to skin a cat (:
Unfortunately, I was on the mapi-l email list (had to do some Outlook work a while back) and the whole list has erupted, convincing me that it is high time to get off the list. At any rate the hope seems to be that the immediate fix is only the political patch and a more comprehensive patch that will allow admins and developers more security control is in the near future. The patch as it is reflected on the MS site will stop all executable type files from being opened without regard to user/administrator preferences - so much for fun.
What was I thinking? If the user's script is using a separate database for addressing a newsletter, then the script has no business accessing Outlook's address book - so no need to disable the dialog. It will be getting its addresses from a different source. A virus would need to know how to find that other source, so that shouldn't be a risk for an "I Love You" variant. I just skipped a track when thinking that one through.
Grrrr... I think I'm going to have to stop reading Microsoft-related discussions on Slashdot, before I injure myself from banging my head against the wall so much.
The ILOVEYOU "virus" was a trojan horse. As Microsoft has tried to explain to the public for years now, trojan horses cannot be prevented as long as users run untrusted code on their systems. (I'd be happy to hear any ideas, but I don't think it's possible.) But all the computer pundits kept spreading FUD and demanding a solution, so Microsoft implemented the only solution possible: prevent users from getting access to untrusted code in the first place. Kinda like banning cars because people won't fasten their seatbelts.
Anyway... Ahem... I was planning to not rant about that, but I ended up going on for quite a bit. What I really wanted to point out was a small factual correction... actually two. First, I don't know how you have your Outlook configured, but by default, "Restricted Zone" does disable all scripting. Second, despite the "press release" quoted, Outlook's current default security zone is "Internet", not "Trusted". ("Internet" is the default zone for browsing web pages.) I don't know if this was a MS typo or your typo. (By "your" I mean the author of the article that Xemu lifted.)
Changing the security zone defaults is a good idea. But, as few people seem to understand, it has nothing to do with the ILOVEYOU virus, which would run just as well under Pine (assuming you're running Pine on a Windows machine.)
MSK
This is all about execution based on file extension. This simply wouldn't happen on this scale in Linux. Sure you could write some sort of cool Linux executable that showed some cool jumping frogs that also offloaded a virus payload, but the user would first have to save it to disk, set the execute bit(s) and run it. Then in order for this virus to spread it would have to read people's address book - on Windows this is just a MAPI call, but on Linux you have to check for pine, mutt, kmail, balsa, communicator, LDAP, etc address books. The scale of this problem for replication means that it would just never happen. It would spread to a few hundred people maximum before people would stop and say "what's going on", fire off a post to some bulletin board, and stop the virus in its tracks.
That's not to say that it will remain this way on Linux - chances are we might all unify to one email application with a standard interface (CORBA) to access the address book. But you still have to overcome the "save, set +x bit, run" problem which just isn't going to go away soon.
Matt. Want XML + Apache + Stylesheets? Get AxKit.
This just seems like a half-assed solution to the problem. What they should really do is build some sort of security into their scripting products. Kinda like a Java sandbox. But no... that would restrict their "freedom to innovate"... more like freedom to ruin your hard drive.
--
"What do you want me to do? Whack a guy? Off a guy? Whack off a guy? Cause I'm married."
I really disagree. Things should be scriptable. There's too many legitimate uses for it. But access should be limited by the process that attempts it.
If I have a script in my home directory that sends mail, and it's not setuid'ed as anyone else, then the script should be able to do what I can do. It is me.
On the other hand, if I receive a script as an attachment, and instead of saving it and "chmod"ing it as executable (thereby taking responsibility for what it does), I directly run it from inside the email program, then that process should be launched "su"ed as nobody. Naturally, it shouldn't have access to my address book, just as other users on the system don't have access to my address book. And needless to say, the "nobody" user should not have the ability to send mail or open network connections, among other restrictions.
The problem with apps like Outlook, Word and Excel is twofold: they treat data as code and they aren't written for a multiuser system. Neither of those things would necessarily be fatal, but the combination is.
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
That was the whole problem in this case. You got email from people you trusted and so you opened it. PGP would have only added to your false sense of security!
-- Virtual Windows Project
On the other hand, if you write your virus in Visual Basic with some ASP processing on the server side + MTS + IIS + MS authentication process ripped off Kerberos + rules engine + XML + VRML + Marketing Department == a highly scalable macro virus, maintainable by only 120 people, capable of overwriting all your jpg files with pictures of naked and petrified Ms. Portman, a virus with its own market share, very scalable and robust, and that only takes 10 minutes to execute on a single given client.
Well, for this kind of virus of the future, the new Outlook security patch will work just fine!
You can't handle the truth.
I've also heard that in the next update they are recommending that we remove any cables connecting our computers to the internet.
Their final security update will be a patch which automatically powers the computer down before you can boot into Windows... this would be the ultimate in security except that we won't be able to download it because we've already removed all cables connecting us to the internet.
------
IanO
------
Objects in Mirror are Losing!
I thought that's what ILOVEYOU was. It overwrote a few file types, but really its warhead was pretty mild. It did just enough to scare people.
It could have done any number of nasty things, for example: email out copies of any files labeled private or confidential, install Back Orifice and broadcast its location, erase the flash BIOS, corrupt WINS, corrupt the registry, etc.
The MS patch revolves around defining various types of security levels for attachments. At present, they only define two levels. At level 1 (.exe, .com, .vbs, et cetera), the attachment is deleted. Poof. Gone.
They aren't gone or deleted. It will not allow the user to run or save them. If you later change your security policy you can save/run them any time you like. The data is always there.
I think this makes good sense as a default policy for 99% of users. If you can't figure out how to change your policy, you shouldn't be running attachments in the first place.
-- Virtual Windows Project
Confucius, he say:
Most secure e-mails are those
Empty as the wind.
I should hope that any firewall worth its salt is configured to allow discussion of viruses whilst still blocking the virus itself. Any corporation that makes this sort of discussion impossible deserves whatever fate its ignorance leads it to.
Another wonderful MS fix, just don't let Outlook run potentially "evil" files. If they want to make it "truly" safe, why didn't they just remove the attachment feature altogether? Seriously, there are at least a dozen more file extensions that could carry malicious code; the only way they will make it completely safe is if they get rid of attachments altogether.
It took the power of 3 C64s to get man to the moon, and yet Windows95 requires a 486. Anybody see irony in this?
"Success is not the result of spontaneous combustion. You must first set yourself on fire." -- Fred Shero
Microsoft can't get too draconian with the patch, lest people refrain from applying it, in which case they are back to where they started.
Ahh well. Virus writers will have to get mildly creative again.
You don't understand GNOME/KDE. I don't think the primary purpose of these projects is to make a good or ideal environment. The primary purpose is to make a reasonably compatible one, in order to infiltrate Microsoft's market. They are doing the best they can, within that constraint. Using Perl would be pointless in that regard, because the area they're trying to infiltrate doesn't already use Perl. It uses VB.
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
What are virus scanners for? Last one I had scanned email and attachments... Then again, I'm in unix now...much more comfortable.
Microsoft still isn't addressing the root cause of all of this. Windows needs to have a protected environment to execute hostile applications within. This may be halfway possible in NT, but it goes back to the old issue that you basically have to have Administrator rights to do anything beyond creating a file in Notepad.
Microsoft will release this "fix" with a whole bunch of media hoopla, reassuring the public of its innovative nature and its desire to protect its customers. A few days will pass and someone will release the successor to Melissa and ILOVEYOU which will thrive and cause more damage than the previous two. A media frenzy and congressional hearings follow.
Does Microsoft think they're really going to be able to fix this with such a silly solution ?
Tired of being "punished" by the Slashdot $rtbl since 2002. I'm now over at http://soylentnews.org/ .
Because these machines are administratable remotely.
How much it will cost a corporate customer who wants to turn scripting ON over 500 desktops?
And pity the poor SE who has to go to each and every box over 3 days and change the settings.
The alternative to limited government is unlimited government.
I work for a company where we run Outlook but use sendmail on our mail servers. I simply wrote a script to append ".TXT" to each incoming attachment. Let's do the math here. 1,000 Outlook clients, 10 reports of receiving the ILOVEYOU virus, no network damage. Occasionally it gets annoying to rename a bunch of attachments at once, but you can't beat its level of protection.
Thanks - you have just developed a worm. I just forwarded this to everyone in my address book. They will then read it and be compelled to forward it to everyone in their address books, and so on ... :)
How much longer will it take before the final working fix is released? Could be months, going on previous form.
Then again, it couldn't be as bad as Borderware's firewall. They once had a serious security problem, and announced a fix would be available in 6 months(!).
Or, for that matter, from looking at the URL for the Kerberos document. Supposedly the way to exchange files is through something like FTP now, but exactly how would that work if URLs are disabled as well?
Remember people were saying don't buy Windows 2000 until at least the first service pack. Well, Microsoft heard you and responded. Windows 2000 already has a Service Pack and I heard it's 200 megs! 200 megs of changes in 3 months? Isn't Win NT 4's service pack 6 around 120 megs?
Linux is only free if your time has no value. Windows is only free if you threaten to use Linux.
I usually ZIP everything sent because many mail gateways corrupt the filenames of attachments. Also very nice to make sure your personal love letters reach their targets untouched. /dot
If you are aiming to have a spreadsheet program that is 100% compatible (or as close as you can get on a system that doesn't implement win32) with Excel, you really need to be able to execute its macros. This is necessary if you want to round-trip a spreadsheet into Gnumeric and back to Excel format without losing all the macros.
I don't know if there is any talk of adding VB scriptability to evolution though.
How can I send and read HTML encoded email if I use pine? Don't you realize that the rich variety of HTML email is vital to the productivity of the nation?
And how will I see embedded graphics, like designer note paper and the other little touches which are needed to elevate email above plain text!
Love,
Martha Stuart.
The above was parody, for those who were wondering.
I'm a strict pine user myself.
Your wallet stays open. Our source remains closed. We are MSFT
Microsoft could release the fix as an ILOVEYOU-like worm that hunts down and fixes rogue Outlook users. The payload would download the patch (with permission, explaining what it could have done), then contact everyone in the user's address book.
Now that's what I call ZAW:)
This is a press release.
After some research on My Own Company Ltd. (DAQDAQ: MOCL), these are the best solutions we have found depending on the security grade you prefer (higher number, higher security):
1. Delete Outlook Express
2. Don't use email at all
3. Destroy your Internet connections, and your whole LAN if desired
4. Destroy your computer and all your electronic equipment
5. Destroy all your belongings and spend the rest of your life in the Sahara desert, living alone
This has proven successful in our labs in a controlled environment, so we can almost assure you that following the points above will solve your computer virus problem, including those that spread by email, forever.
Date: Mon, 15 May 2000 21:07:41 -0400
Reply-To: Russ
Sender: Windows NTBugtraq Mailing List
From: Russ
Subject: Outlook Email Security Update
Comments: To: "NTSecurity (E-mail)"
Content-Type: text/plain; charset="iso-8859-1"
Today Microsoft announced the "Outlook Email Security Update", scheduled for
availability from;
http://officeupdate.microsoft.com
on May 22nd, 2000.
I was briefed on this update last week, and during this discussion I
presented several recommendations. Microsoft have chosen not to implement
any of them, despite the nearly 10 days available prior to its availability.
Presumably they still haven't resolved the issues they have getting content
onto their update sites in a timely fashion.
Before I go into what is in this update, there are several critical
incorrect assertions in it. Quoting from the official press release;
"Heightened Outlook default security settings increase the default Internet
security zone setting within Outlook from "trusted" to "restricted." The
restricted zone disables most automatic scripting and ActiveX® Controls
from opening without the user's permission. Users who prefer less security
can easily change their Outlook settings to trusted zone."
I guess the Microsoft Office Product Group has never bothered to read my
page on how Outlook works and what needs to be done to the Restricted Sites
Trust Zone for it to be truly safer;
(http://ntbugtraq.ntadvice.com/outlookviews.asp)
Of course without the modifications to the default settings of the
Restricted Sites Trust Zone, Outlook happily runs any Active Scripting, and
will happily invoke any ActiveX control marked safe for scripting and
present on your system (ActiveX downloads are disabled.)
I more than pointed this fact out to the Briefer, one Lisa Gurry from the
Microsoft Office product group when she presented the functionality to me. I
told her to either not make the switch to the Restricted Sites Trust Zone,
or, make the switch and alter the defaults. I explained how just making the
switch would yield very little benefit while misleading folks into thinking
they were more secure, especially against scripting worms.
The fact that ILV was relatively stupid as worms go seems to have been
missed by many people. A slightly modified version sent as HTML that doesn't
bother with the address book (who needs it, most people have lots of mail in
their folders from all sorts of interesting folks to reply to) will likely
get by these new features since scripting can still be done. The fact that
"attachments" won't invoke any more isn't likely going "to thwart the spread
and impact of many computer viruses."
This presumes, of course, that some 45 million people already realize just
how stupid they were to click on that attachment in the first place...and
maybe have told a few friends...;-]
MS seem incapable of doing what some coder at;
http://www.slipstick.com/dev/code/zaphtml.htm
has done with relatively few lines...namely convert inbound HTML-based
emails to something else (Rich Text) which completely eliminates the
vulnerabilities of scripting emails.
Of course they further show their ignorance of the realities of corporate
email systems by providing this quote;
"Given the global impact of the I Love You virus and the growing threat of
malicious hackers, we strongly believe we must take the unprecedented step
of limiting certain popular functionality in Outlook to provide a
significant, additional security option for our customers,"
scanners to throw the message back as containing a worm...duh!
Granted, its unprecedented to remove functionality in favor of
security...after a product's been released. This usually occurs during
development...;-]
Anyway, to the features in this update;
1. "Email Attachment Security":
Attachments won't be put through to users email. That's right, they'll go
into never-never land. I haven't received an answer to my question as to
just where they will go. I've been told that a user will somehow,
miraculously know that there was some sort of attachment on a given piece of
mail but that it's been stripped in the interest of their security...
We'll have to tune in next week to find out where those objects get tossed
to. ISPs may end up with thousands of little (or not-so-little) fragments of
messages left behind by Outlook POP3 users whose mail simply says "Nope, I
don't want that thanks"...with no ability for the user to delete it cause
they can't see it...
A full list of extensions being excluded is below (which will make even more
dumb email gateways break as they can't figure out whether the presence of
the text string "vbs" is a script or not)
2. "Object Model Guard":
Well, to be more precise it's the "Address Book Guard" really. If Outlook
detects lookups in your address book (that are somehow distinguishable from an
invocation of the "Find" command), it, um, pops up a dialog. Not sure what
the dialog says, but presumably it will be sufficiently verbose to explain
what might be happening. Haven't seen what the dialog box options are, say,
for someone trying to script a newsletter or a marketing document. Guess
lots of folks are going to learn how to use distribution lists (making
scripting worms easier in future as they just look for distribution lists
instead of lots of addresses.)
I should say, however, that this was one of the features I was looking for.
Would have been nice to know how they're doing that, but...
3. "Heightened Outlook default security settings":
I covered this. They ignored my advice, don't know how their products work,
and then told the world they were doing a good thing(tm)...NOT!
I *have* to believe we'll see different wording in the final web page...I
don't think they'd continue to lie so blatantly about their product.
Get the feeling I'm not going to get briefed again in the future...;-]
Conclusion:
MS dropped the ball. I told them to make this thing appear as an interim
step. It's not a patch, it's Outlook on Training Wheels. I thought it was
going to be a complete product (i.e. you download it and that's how that
version works, get the full version to do more harm to yourself). As such,
it made a lot of sense to have a version that was severely restricted. Put
users on that till you're satisfied they aren't going to shoot themselves in
the foot.
Nope, they gotta tout it as more than that.
So, bottom line, unless they change the thing before it gets released next
week, make sure anyone you suggest it to also gets this URL;
http://ntbugtraq.ntadvice.com/outlookviews.asp
and turns off scripting and scripting of activeX components marked safe for
scripting.
I'm not even going into the fact that Outlook Express isn't being updated.
Let's get real Microsoft, it's the only email package included in every
shipping OS you make! Oh, and let's not forget the "It can't be removed on
Windows 2000!~!@!$!%" Someone on Bugtraq made a funny post about it being a
virus...come on, we all know it can't replicate itself to another
machine...that's done automatically at installation of the OS...
In case you can't tell, I'm not pleased with the press release, or the
completeness of the update.
That said, I made another suggestion today that hopefully will get
implemented. One of the biggest problems that exist with all of this is the
fact that most people never update their systems with any patches, security
or otherwise. I've suggested that they put a download counter on the site so
we'll be able to see just how many people actually get the thing. Doesn't
say much other than show the realities. MS could put a lot more effort into
a better update, and it probably still wouldn't be applied by most folks
(even if they did something so the patch could apply to more of the millions
of folks the patch isn't intended for, i.e. those that use Outlook Express
only.)
For those interested, here's the list of extensions to be blocked by the
update;
ADE Microsoft Access Project Extension
ADP Microsoft Access Project
ASX Streaming Audio/Video Shortcut
BAS Visual Basic Class Module
BAT Batch Files
CHM Compiled HTML Help File
CMD Windows NT Command Script
COM MS-DOS Application
CPL Control Panel Extension
CRT Security Certificate
EXE Application
HLP Help File
HTA HTML Applications
INF Setup Information
INS Internet Communication Settings
ISP Internet Communication Settings
JS Jscript File
JSE Jscript Encoded Script File
LNK Shortcut
MDB Microsoft Access Application
MDE Microsoft Access MDE Database
MSC Microsoft Common Console Document
MSI Windows Installer Package
MSP Windows Installer Patch
MST Visual Test Source Files
PCD Photo CD Image
PIF Shortcut to MS-DOS Program
REG Registration Entries
SCR Screen Saver
SCT Windows Script Component
SHS Shell Scrap Object
URL Internet Shortcut
VB VBScript File
VBE VBScript Encoded Script File
VBS VBScript Script File
WSC Windows Script Component
WSF Windows Script File
WSH Windows Scripting Host Settings File
Cheers,
Russ - NTBugtraq Editor
"dot-age" (as in "we're in the dot-age") = senility (source Webster's)
Tell your friends about xenu.net
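Added example, not code from the post, the list's author or Microsoft: a gateway-side filter in Python that applies the Level 1 extension list quoted above the way the earlier commenter's sendmail script did, appending ".TXT" so no shell association fires on a double-click, and flags Level 2 (.zip) without touching it. The message and file names are constructed; it also handles the double-extension and trailing-dot cases that a last-extension check has to get right.

```python
"""Constructed example: defang inbound attachments by Level 1 / Level 2
extension, using the list from the NTBugtraq post. Not the update itself."""
import email
from email import policy

# Level 1 extensions from the post (lowercased, without the dot).
LEVEL1 = {
    "ade", "adp", "asx", "bas", "bat", "chm", "cmd", "com", "cpl", "crt",
    "exe", "hlp", "hta", "inf", "ins", "isp", "js", "jse", "lnk", "mdb",
    "mde", "msc", "msi", "msp", "mst", "pcd", "pif", "reg", "scr", "sct",
    "shs", "url", "vb", "vbe", "vbs", "wsc", "wsf", "wsh",
}
# Level 2 in the update is only .zip: the user may save it but not open it.
LEVEL2 = {"zip"}
SUFFIX = ".TXT"   # what the commenter's sendmail script appended


def classify(filename):
    """Return 'level1', 'level2' or 'ok' for an attachment file name.

    Only the *last* extension decides what the shell runs, so a name like
    'x.mpg.vbs' is still a script. Windows also ignores trailing dots and
    spaces when resolving the extension, so strip them first: 'x.vbs.'
    would otherwise slip past a naive endswith() check.
    """
    if not filename:
        return "ok"
    name = filename.rstrip(". ")
    if "." not in name:
        return "ok"
    ext = name.rsplit(".", 1)[1].lower()
    if ext in LEVEL1:
        return "level1"
    if ext in LEVEL2:
        return "level2"
    return "ok"


def defang(raw):
    """Parse a raw message; rename every Level 1 attachment by appending
    SUFFIX in both the Content-Disposition filename and the Content-Type
    name parameter. Returns (rewritten message, [(old, new, level), ...])."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    log = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        level = classify(name)
        if level == "level1":
            new = name + SUFFIX
            del part["Content-Disposition"]        # no-op if absent
            part.add_header("Content-Disposition", "attachment", filename=new)
            if part.get_param("name") is not None:  # Content-Type name=
                part.set_param("name", new)
            log.append((name, new, level))
        elif level == "level2":
            log.append((name, name, level))       # left as-is, user must save
    return msg, log


# Constructed sample message: one double-extension script, one zip archive.
SAMPLE = b"""From: sender@example.invalid
To: user@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

constructed sample body
--b1
Content-Type: application/octet-stream; name="anothersillything.mpg.vbs"
Content-Disposition: attachment; filename="anothersillything.mpg.vbs"
Content-Transfer-Encoding: 7bit

' constructed placeholder, not a real script
--b1
Content-Type: application/zip; name="report.zip"
Content-Disposition: attachment; filename="report.zip"
Content-Transfer-Encoding: 7bit

constructed placeholder, not a real archive
--b1--
"""


def attachment_names(msg):
    """File names of all non-multipart parts that carry one, in walk order."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


if __name__ == "__main__":
    rewritten, actions = defang(SAMPLE)
    for old, new, level in actions:
        print(f"{level}: {old} -> {new}")
    print(attachment_names(rewritten))
```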
I am sorry folks, but this is not Microsoft's problem. And this so-called "security update" is nothing more than dulling a knife so that morons don't stab themselves. The fact is that there are too many ignorant computer users out there. I really don't want to defend Microsoft, they certainly don't deserve it, but let's look at it realistically. I think we all work with people who use computers but don't really understand them. Well maybe they don't need to know what the hardware abstraction layer is, but people should know better than to run something that was sent to them via email. (I love computers and I love cars, so here is an analogy). Most people don't really know how the engine of a car works but most people can drive, and almost all of them know better than to go 90 mph around a blind turn. Why is there not the same common sense for computer use?
Yes, it was a trojan horse, however this does address one issue: it creates a distinction between opening files that will execute arbitrary actions on your machine, and files that are more likely to be "just data"
Wow! Thanks, Redmond! Word has it that Windows 2000 Service Pack 8 will also have built in invulnerability to the Morris Worm!
We're going down, in a spiral to the ground
This is not a troll, just pointing something out.
Does anyone else find it ironic that almost ALL of the file extensions on the list pertain to Microsoft applications?
It is a blatant overreaction, and limiting the attachments doesn't address the underlying security flaws; it only hides them. Prevent executables from running directly from within Outlook, or if they are run, greatly limit their functionality if they are run from within Outlook. For instance, if a script is run externally from Outlook, assume that the user ran it him/herself, and give it access to the Outlook address book (there are legitimate times when this is useful). If the script is run from within Outlook, then it should be assumed to be insecure and not be given access to the Outlook address book, and should not be able to modify other files on the system.
There will be a loud scream of protest from users who download this patch. They will want to be able to send many of these file types via e-mail. MS will, of course, provide an uninstall for their patch, say "I told you so, you really do want the full level of functionality", and then go on happily ignoring security issues, always referring back to this failed attempt as the reason (ie: "we tried implementing greater security, users hated it, so we removed it").
*ROTFLMAO* I'm sorry, but there is so much in this document to laugh at. As laughter is good therapy, here's the entire thing potted into a syringe-sized dose:
.ZIP files. If a message contains a .ZIP attachment, you are prompted to save the file to disk if you try to open it.
THIS BETA...SHOULD BE DEPLOYED ONLY ON MACHINES THAT CAN BE REFORMATTED AFTER TESTING WITHOUT SERIOUS CONCERNS.
A nice starter - you know you're in Microsoft's hands now!
This update limits certain functionality in Outlook to provide a higher level of security; it was not created to address a security vulnerability within Outlook.
Absolutely! Keep telling us there's nothing wrong with Outlook and maybe we'll believe you someday.
Certain functionality in Office may be impacted by this update.
What does that mean? Let's follow the link
Palm, Windows CE devices (PDAs) have synchronization issues. These include:
Syncing with the Inbox displays a prompt and then fails. This is under investigation.
Ah, that's not a bug, it's 'impacted functionality'. Let me add that to my excuses list.
Since access to certain file attachments in Outlook is restricted by the update, users will need an alternate method for distributing files...
Such as elm/pine/Eudora/Netscape Messenger...
Level 2 security contains only one file type by default:
Ignoring the fact that in Microsoft's world there is only one type of archive - have you noticed how MS deem it okay for you to open it elsewhere, just not near Outlook? What are they trying to hide?
This update...was not created to address a security vulnerability within Outlook.
Ah, yes - so you said. And you know what, I almost believe you...
Hey Dunderhead, this patch from Microsoft does exactly what you suggest!
It pops up a box and says "Hey, some program is trying to send email... do you want it to?"
In Outlook:
- Right click on the attachment
- Choose edit (opens in Notepad)
- Choose save, then open in your favourite text editor.
Not too hard...
How does removing executable attachments hurt the little guy any more than it hurts the big guy?
It shows pretty clearly how pathetic this idea of discriminating files by their extension is. Because the OS happens to be configured to execute files with this or that extension, the cure is to prevent the mail client from transferring files with this extension. This is so clearly a fix for the wrong problem. The right solution would be to alter both the OS and the mail client so it doesn't automatically execute anything that just comes off of the wire. But preventing the client from transmitting files with certain extensions is so obviously a flawed design decision. But then again, what can you expect from MS.
Even on a multiuser OS, users have full permissions on their own data. This means that if they can be tricked into running any kind of file that contains executable and/or script code, that file will be able to do all kinds of nasty things to their data, since it will run with their permissions.
It is important to note, as others have said here, that to a user their data is more important than system files. Which would you rather have deleted: your /etc directory (or registry for windows users) or all of your important documents? I think that all of us would rather still have our documents - after all, you can always just do a reinstall to recover system files. User-created documents are not always recoverable, and are therefore more valuable.
What's the solution to this? Banning certain file extensions from being transmitted via e-mail does not seem like a real solution. One solution would be "go back to the command line, since that forces users to think about what they are doing instead of just reflexively double-clicking everything". But that would require giving up years of interface design. Is there a way to keep a friendly user interface without making it all too easy for users to run destructive programs?
It'd prolly pick up Windows and think it was a virus anyway.
cat ~/.addressbook
the various gaping holes allowing access
ILOVEYOU exploited no gaping OS holes that I'm aware of.
the general problems of macro scripts
#!/usr/bin/perl
print "Looks like a macro script to me!";
Outlook does this as well, but that's not the problem. Few people actually have macros in Outlook, but if they do, by default they'll see a message box saying "This outlook session contains macros..." yadda yadda.
The problem is not outlook's internal VBA macros, but external programs being able to automate outlook so easily, due to its exposed object model which WSH/VBScript (among others) has easy access to with no regard for security.
-CausticPuppy "Of all the people I know, you're certainly one of them." -Somebody I don't know
Really, it's been about 2 weeks since the "Love Bug" (Herbie come back please!!!) and M$ "fixes" the problem by disabling certain attachments? Now, Outlook is less useful than before, and how long before people figure out the holes in this security patch?
Now there is no way for some M$ dedicated shops to get a simple HTML fix for their web page, Access database for their customer lists, or even a Security Certificate (!?!) for their web server.
Why not fix the root of the problem instead of trimming the tree down?
Photo CD can't run code. It was designed to be platform independent.
Which is why I suspect MS is trying to get rid of it. Maybe the DOJ will notice, but I'm guessing not for a few years.
Statements such as this:
"Conclusion:
MS dropped the ball. I told them to make this thing appear as an interim step. "
... make "Russ" seem as arrogant as fuck.
Sure, he might be qualified to scrutinize MS' security (hell, it doesn't take much to be in a position where you can poke strong technical holes in MS' security, sheesh), and he may very well have some good points to make, but coming off like "I told them so, but they didn't listen" is really just fundamental geek arrogance at its finest.
The *viewpoint* may be perfectly valid, but the arrogant header containing the packet is going to cause this message to bounce off corporate-mindset firewalls all over the place.
Who the hell does he think he is? The Great God of Microsoft, directing his minions? I thought that position was already filled.
With all due respect, I do *not* know this Russ person at all, and may be treading on a few toes, but since I don't know him, his viewpoint wrapped in arrogance is an unfortunate first intro. (I'm sure he's a technically competent individual, though.)
This is a perfect example for how *not* to communicate to an industry/public about technology. Better would be to just state the facts, and leave the blame out of the equation - it'll carry better in mainstream media, because media types detest geek arrogance, especially when it involves Microsoft...
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
Rather than doing something creative like remvbs.kix available at securityfocus.com
E-mail attachment security prevents users from accessing several file types when sent as e-mail attachments. Impacted file types include executables, batch files and other file types that contain executable code often used by malicious hackers to spread viruses.
What about .doc files that are really plain text? Wouldn't a better solution be a user-modifiable (and admin-lockable) filter mechanism? Better yet, how about just not auto-launching?
Object Model Guard prompts customers with a dialog box when an external program attempts to access their Outlook address book or send e-mail on their behalf, which is how insidious viruses such as I Love You spread.
'Cuz we know you READ all those dialog boxes. "Spell check cancelled. Continue anyway?" "Mouse device moved. Move on-screen pointer?" The problem is not programmatic sending of email--after all, a virus could just call MAPI.DLL itself.
Heightened Outlook default security settings increase the default Internet security zone setting within Outlook from "Internet" to "restricted sites."
Meaning what? I can only get email from domains named by the admin? First of all, that defeats the purpose of email. Secondly, it doesn't address the problem: people were opening the viruses because they came from people they already knew. Just because it comes from someone I trust doesn't mean I should trust the package.
I wish I had the time and space to quote and refute the whole thing, but work awaits.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
What the fuck!?! This is amazingly stupid, even for Microsoft, I mean; it isn't even a user option. And they didn't block .DOC files either, which I'm sure can contain as much malicious code as a PhotoCD file. Why the hell would they simply ban those file extensions?
I mean, why not let the user, or admin, simply configure those options himself, or for God's sake, change the default option from "shell-execute" when you double-click on it.
Of course, if they had blocked it, it would have fucked up winword (not that this doesn't mess up a lot of their other programs). Whoever thought this up at MS should be fired.
GNOME's VB-compatible scripting host is sandboxed; scripts can't touch anything outside their sandbox.
Will I retire or break 10K?
Surely setting an aliased account for everyday use, and logging in as root *only when really necessary* is the solution
No, no! You want to set up all your users with uid 0, but with their own login id and home directory. That way they all get full access to the system, and you get the full windows flavor while running *nix.
(Note for the humor impaired -- this was meant to be a joke)
Always and inevitably everyone underestimates the number of stupid individuals in circulation
Information is not Knowledge
Oh, Wait..
Your wallet stays open. Our source remains closed. We are MSFT
No wait, 'Every program strives to become an email client'.
I think... hell, I forget, but the point is this, If every program strives to become an E-mail client then what do e-mail clients strive to become?
Web browsers?
Phone books?
PIM's?
Multi media platforms?
And my favorite... Program launchers? What the..heck?
I realize that Microsoft has to be innovative, but why in the hell do they have to make all their programs do everything that all their other applications do?
I believe it's under the guise of being innovative. (Maybe they have problems developing beyond parity with competitive products.)
Why do they do this sort of thing with a complete disregard to security or anything else?
It's all in an effort to make their products warm and fuzzy. No thought (comparatively) to the security of their user base.
I once saw an article from MS that described how they were taking security very seriously in the development of win2k. They actually dedicated 10 personnel to doing nothing but finding security holes in Windows 2000.
10 people out of 30,000. Pretty depressing. I am utterly amazed. Wonder how many janitors they have?
Wonder how many man hours it took to find their current secure E-mail solution?
I know none of these answers so don't ask.
But here is one I would not mind having answered: why do they not just make an E-mail client?
Not a web browser, not a multimedia platform, not a program launcher. Just E-mail. Oh, and they might even include attachments of whatever flavor, like every other E-mail client. Or is this in the works for Outlook 2002?
Hell, they could call it innovative. I'd let em.
I think you underestimate just how much I just don't care.
Yeah. Most users will change the security policy exactly *one time* to the relaxed setting and leave it there.
Great security advancement.
No offense, but screw that, the problem is that MS has taken control from the user by default and designed the system to execute code or not execute based on predefined criteria. "Is this a trusted site?" "Is this a trusted friend?" .DOC file executed by command.com. That doesn't really bother me so much as the fact that this is from the same company that wants to hide those ugly file name extensions from the user by default.
To hell with the whole auto execution model entirely. If the user wants to execute something, fine. It's on them. Don't make any decisions for the user. This is not the OS's job.
Oh oops. Outlook is not part of the OS. Or is the jury still out on that?
Basically, let the user decide, don't take control and functionality from the user. Or at most let it be a sysadmin setting. Let the SA decide what types of files will be executed, but let the user have the last say.
VB is just one aspect of a very bad policy. Who are they to choose policy?
And now they want to exclude certain file extensions from attachments. Ya this is great, except that you can make a
ARRRGGGG!!! I can't rant enuff about this. It's not you though, this whole damn thing has me angry.
I think you underestimate just how much I just don't care.
- Microsoft implemented the only solution possible: prevent users from getting access to untrusted code in the first place.
Uhm - no. That was not the only solution. The best solution is to do what everyone else on the fscking planet does with e-mail - DON'T RUN EMBEDDED PROGRAMS AUTOMATICALLY - Duh. When I click on an e-mail with an attachment in anything other than Outlook, I get a link within the message that I can click on to try to get at the attachment. This lets me actually *READ* the message before deciding to run the possibly dangerous code contained inside. If this were the default in Outlook, the ILOVEYOU trojan would not have spread as fast. The idea of having the default setting be to automatically RUN PROGRAMS sent as e-mail when clicked is the dumbest thing ever. e-mail is not about running programs. It's about sending messages. You should be paranoid about anyone who felt the need to send a program rather than a document in an e-mail. And your e-mail reader should allow you to be that paranoid. And it should be that paranoid as the default setting, not some option that most people won't bother to find out about and change.
Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.
The following file types, in my opinion, should not be on the list.
.BAS Visual Basic Class Module. - Pretty much the VB equivalent of a .H file in C.
.CRT Security Certificate? - Since when has a security certificate been a security risk?
.HLP Windows Help File - This made me laugh.
.INF Setup Information File - Just a text file, usually holds setup information for programs, but can also be used as a script. By default, when you execute this file, it just opens up in notepad as a text file. It can't execute anything unless you right click on it and click "Install" from the popup menu. 99 percent of windows users don't know this and would never be able to execute this script.
.LNK Shortcut. - Basically the same thing as a symbolic link in unix, but less powerful. Links to a file ALREADY on your system in the first place.
.PCD Photo CD Image. - Since when could a photo execute any malicious code?
URL - Internet Shortcut hmm, IE is the ONLY browser I know of that someone could build a web site that could damage your computer if you went to it.
I'm sure there are a few more on this list that shouldn't be there either. Instead of blocking certain file types, maybe they should have thought about the security risks in the first place.
How can PhotoCD Images execute malicious code?
I think it's very odd to have an image file format on that list.
---
Just say no to .sig(arettes)
*thud*
Outlook does not run embedded programs automatically.
*thud*
Outlook does not run embedded programs automatically.
*thud*
I know I take this too personally, but the rampant ignorance about this issue, among such otherwise intelligent folks, is really depressing.
To clarify: The ILOVEYOU trojan exists as an inert attachment. It will not run when you read the email; it will only run if you then launch the executable attachment. Yes, there are ways to run safe code automatically in Outlook, and yes, there have been bugs that allow you to run unsafe code automatically in Outlook, but none of that is involved here.
MSK
Amazing. MS chooses to remove all access to the attachments. Not just stop them running, but actually stop them being saved out to disk. That's going to really impress the user who receives the Kerberos document in EXE form :-)
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
Microsoft did this months ago - see http://support.microsoft.com/support/kb/articles/Q259/2/28.ASP
... and it didn't work. People running SR1 still opened the iloveyou attachment.
Hey, didn't you guys post this before?? Wow, a Microsoft update, how original.... That alone won't solve the problem... they need to raise the awareness of the user... they don't quite see the massive gaping security holes that Microsoft leaves in their excellently produced programs!!! (ahem, sarcasm all around) Lovely! Bring on the updates, EVIL EMPIRE!
"Thats the way the cookie gets totally stomped on!"
The worst is when you even press all the correct options and someone picks up the phone with:"Customer Service how can we help you?".
They should know by now how they can help you, you want $SPECIFIC_HELP for $RANDOM_PROBLEM as per $SERVICE_AGREEMENT, as should be obvious by now with all the questions you answered already to the automated touch-tone system!!!
If a trainstation is the place where trains stop, what is a workstation?
Concentrations will be on the tools used to create viruses, the ease of creation, informative bits about macro viruses, how certain applications (ie Outlook) "autolaunch" virus-ridden files, and so forth.
If you want to contact him, his email address is supleec@washpost.com.
Do *not* spam this guy - he's a nice guy trying to write an informative story, but if you have some pointers for him or some interesting URLs I'm sure he'd appreciate them. He might need interview candidates, but I'm not certain about that. Perhaps a simple offer of assistance would be the best bet. Consider this your heads-up from the /. Wash Post insider. :)
So the Outlook feature of allowing a program to connect to the Windows Scripting Host and send email to everyone on your address book without your permission isn't important? Maybe the Pine ILOVEYOU virus will pop up an alert box asking you politely to spend 10 minutes on Pine sending copies of it to your friends.
Wah!
Exchange 5.5 and later allow for access to the global address list via LDAP, so you can use just about any LDAP client to search for addresses.
Exchange also supports by default access via POP3 or IMAP4, so you could use Pine, mail, MAIL, Netscape, Eudora, etc. to access mail on the server.
Calendaring gets a bit more tricky, but if you really don't want to use Outlook as your default mail client you could use Outlook Web Access (OWA) to access your calendar when necessary. If OWA is installed on your Exchange server it would be accessible at the following URL http://servername/exchange or https://servername/exchange if they're using SSL. (If they're not using SSL, feel free to laugh)
Your administrator could also install a script to allow for web based address searches. There's a sample application which does just that here: http://www.cdolive.com
I think this logic is reversed. The rule has traditionally been that everything not explicitly allowed is denied. In particular, there should be a minimal set of attachments that can be executed (in the Windows sense of double clicking a file) for viewing. This shouldn't be any different than the way IE deals with the problem. If you click an executable file, you have the option of either saving it or executing it. The last thing we need is an arbitrarily selected list of files that are disparaged upon. This will not benefit anyone other than WinZip Computing et al.
Nuff said.
MS OUTLOOK:
An external application is trying to access e-mail addresses you have stored in Outlook. Do you want to allow this?
Allow access for: 1min, 2min, 5min, 10 min
This is so dumb! I am sure that this time restriction is a potential security problem.
You either allow the executing application to read the addresses until the app. is terminated, or you disallow it, but you don't allow some app. to do something for 1 or 2 or 5 or 10 minutes. This makes no sense, if I wrote a virus, would I make this virus wait for 10 minutes before it did some damage or spread around? No. The virus would do its business in the very beginning and it usually does not take a minute for the virus to execute.
Micro soft must be some kind of a brain disorder
You can't handle the truth.
Instead of actually increasing the security of their mailer and stopping the ease of access to the address book, the various gaping holes allowing access to the O/S and the general problems of macro scripts, they block access to certain filetypes.
.BAT containing "Deltree /y c:\"
This won't actually stop the problems that Outlook has or causes, but it will slow it down a little. Now people will save them off to their disks and run the programs from there allowing more access to Back Orifice, and a
This is typical of what happens when a corporation becomes stale.
Good riddance I say. The more people are scared away from Microsoft the better.
That's not true. VBScript/JScript don't get run automatically in the preview window. If the content is HTML, script tags are stripped from it. In this case, it is an attachment, and has to be explicitly run by the user.
But I agree with your solution. They should not turn off all executables or scripts but have various levels of security to script Outlook. However, it is a fundamental design problem in Outlook and can't be patched over (not in 2 weeks anyway).
MAM - Access Macro
LOL... they've blocked MDB - Access DB File, which as far as I'm aware (Flame on if I'm wrong) doesn't execute a thing, unless you explicitly run a query, or open a form or such.
Virus scanners are for known viruses. They don't work well on new ones. That's why ILOVEYOU got past them and did so much damage.
Theoretically you could look for "virus-like behavior". I think a lot of scanners can do that, however they usually ship with that disabled. I guess the heuristics aren't good enough yet, and they don't want to annoy people with false hits.
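The distinction drawn above, signature scanning for known samples versus heuristics for "virus-like behaviour", is easy to see on constructed input. The following is an added example, not code from the original thread or from any scanner vendor: the two sample "attachments" are constructed stand-ins (the first only lists the shape of a mail-automating script in comment fragments and does nothing), the signature database is a single hash computed inline, and the indicator names and threshold are assumptions chosen for illustration.

```python
import hashlib
import re

# Constructed sample attachments (not real malware). The first only mimics the
# *shape* of a mail-automating script in comment fragments; the second is a
# harmless document macro used as a benign control.
SAMPLE_WORMLIKE = (
    "' constructed sample: fragments only, not a runnable script\n"
    'Set ol = CreateObject("Outlook.Application")\n'
    "' ... walk AddressLists and AddressEntries here ...\n"
    "' ... Attachments.Add WScript.ScriptFullName ...\n"
    "' ... .Send ...\n"
)
SAMPLE_BENIGN_MACRO = (
    "Sub FormatReport()\n"
    "    Selection.Font.Bold = True\n"
    "    Selection.ParagraphFormat.Alignment = 1\n"
    "End Sub\n"
)

# Stand-in for a vendor signature database: exact hashes of samples already seen.
KNOWN_SIGNATURES = {hashlib.sha256(SAMPLE_WORMLIKE.encode()).hexdigest()}

# Behavioural indicators (assumed names): each is one capability a mail worm
# needs. A legitimate Outlook automation script can trip several of them, which
# is why such heuristics are noisy and often ship disabled.
INDICATORS = {
    "automates_mail_client": re.compile(r'createobject\s*\(\s*"outlook\.application"', re.I),
    "enumerates_address_book": re.compile(r"addresslists|addressentries", re.I),
    "attaches_itself": re.compile(r"scriptfullname", re.I),
    "sends_mail": re.compile(r"\.send\b", re.I),
}


def signature_match(data: bytes) -> bool:
    """Exact-match detection: catches only samples whose hash is already known."""
    return hashlib.sha256(data).hexdigest() in KNOWN_SIGNATURES


def heuristic_indicators(text: str) -> list:
    """Return the names of all behavioural indicators present in a script."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_attachment(name: str, data: bytes, threshold: int = 3) -> dict:
    """Combine both methods. `suspicious` needs `threshold` independent
    indicators, so a script that merely creates an Outlook object is not flagged."""
    text = data.decode("latin-1")  # script attachments are single-byte text
    hits = heuristic_indicators(text)
    return {
        "name": name,
        "signature": signature_match(data),
        "indicators": hits,
        "suspicious": len(hits) >= threshold,
    }


if __name__ == "__main__":
    # A one-character change in a comment defeats the signature but not the heuristic.
    variant = SAMPLE_WORMLIKE.replace("fragments only", "fragments ONLY")
    for label, sample in [("known", SAMPLE_WORMLIKE), ("variant", variant),
                          ("benign", SAMPLE_BENIGN_MACRO)]:
        print(scan_attachment(label + ".vbs", sample.encode()))
```

Running it shows the trade-off the post describes: the edited variant misses the signature entirely but trips all four indicators, while the benign macro trips none. The threshold is what keeps false positives down; lowering it to one would flag every script that automates Outlook for a legitimate reason.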
My understanding is that certain versions of Outlook with certain configurations will run the VB script when viewing the email text (either in a separate window or in the preview pane).
Note that no one is saying that this happens with all versions and all configurations, so it isn't sufficient to provide one counter-example (i.e. "it didn't auto execute on my system - so there!").
Russ published a chart showing Outlook's behavior when you open or preview email. Note that in Outlook 98 and Outlook Express, when previewing email, active content is executed if the security zone allows.
http://www.ntbugtraq.com/default.asp?sid=1&pid=47&aid=56
So Outlook will auto execute scripts iff active scripting is allowed by whatever zone Outlook is using.
Outlook defaults to using the internet zone and I doubt (hope) that active scripting is enabled by default for that zone, but it is likely that many IE users would enable active scripting at some point, since many sites, including MS's IE update, require it.
- bridgette
Yup, I know approximately 50 000 little applications whose propagation will be hurt by this functionality :D.
"The obvious mathematical breakthrough would be development of an easy way to factor large prime numbers." Bill Gates,
An NT box *IS* C2 in a disconnected configuration. And would probably be considered B2 or better in a configuration where it's powered off, unplugged and locked in a safe...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
..especially Microsoft. Not only do you see Sandra Bullock in a swimsuit, but you also see what closed-source security solutions might be setting you up for. World domination by the back door. It was shown recently on UK TV and it seemed so appropriate. If the GateKeeper software had been open source then the backdoors would have been spotted, the bad guys wouldn't have had a chance, and Sandra wouldn't have had to wear that swimsuit. Oh, maybe there's a good side to closed-source...
Anyway, serious point - closed source, bad for security. Sorry if I'm preaching to the converted.
Baz
kaphka sez: Anyway... Ahem... I was planning to not rant about that, but I ended up going on for quite a bit. What I really wanted to point out was a small factual correction... actually two. First, I don't know how you have your Outlook configured, but by default, "Restricted Zone" does disable all scripting.
Factual correction to the factual correction: russ is correct. Outlook's (and Explorer's) "Restricted Zone" uses the "High" level of security, which leaves "Script ActiveX controls marked safe for scripting" and "Active Scripting" enabled. In order to turn these off you need to use a "Custom" level of security in which you turn these things off.
kaphka sez: it has nothing to do with the ILOVEYOU virus, which would run just as well under Pine (assuming you're running Pine on a Windows machine.)
Hm. How would it propagate itself?
=wl
Geez. It's not like Outlook is the best mail client, but under windoze it offers the best combination of multiple accounts + Palm integration. Now I have to go find some other client so I don't lose the ability to send attachments at *my* discretion.
All because there are many, many folks who aren't real bright? This was news to anyone?
-- "Vote Democrat. Because the current crop of conservatives are just bugnut crazy."
As part of its effort to standardize the user interface and functionality of all Microsoft programs, Windows producer Microsoft has proposed the following guidelines. They will make your development strategy consistent with the development strategy at Microsoft.
1. Start by having your R&D staff search the net and other sources for popular applications until they find one that would look good in a box with the art division's latest logo.
2. The R&D staff must now completely replicate that product, changing the interface slightly and adding no less than 20,000 extra "features," at least 100 of which must really be bugs that they didn't feel like fixing.
3. Do NOT, under any circumstances, test the product. This is a waste of time and money. Ship the first beta that arrives on your desk. In fact, don't bother even getting it on your desk. Just ship every build that comes along. Users like upgrades. Besides, you can charge people for bug-fixes cleverly disguised as "service packages". Users love service packages.
4. Hopefully someone's written a user's manual. In fact, it's probably readable by a normal human being. This is unacceptable; perform a find and replace operation on random English words, replacing them with technical terms and acronyms. Users like acronyms; they add mystery to a product. Never tell what an acronym means; this is unprofessional. You may even wish to make up your own acronyms; again, don't tell what they mean. For every sensible sentence, you lose at least three calls to your $200-per-incident tech support line. Users love calling tech support, especially when there are fifty touch tone menus that all lead to the same two people.
5. Prepare for shipping. Have your team of 57 lawyers create a prefabricated license agreement. If you do not have 57 lawyers, hire or fire as necessary so that you do have 57 lawyers. Be sure that the license agreement includes a "by opening the box, you agree to this" statement. Then put it inside the box. Users will perceive this as a joke and laugh. Users love involuntarily binding themselves to legal agreements.
6. Before shipping, invest in shrink wrap. Shrink wrap the manual. Shrink wrap the CD. Shrink wrap each and every floppy disk separately. Shrink wrap the "getting started" card. Shrink wrap the registration card. Shrink wrap the card from your grandmother. Then dump the whole mess in a box and shrink wrap it. Pack several boxes inside a larger brown box with 5,637 non-decomposable foam peanuts (each one shrink wrapped individually, of course). Be sure the foam peanut count is exactly 5,637. Remove or add shrink-wrapped foam peanuts as necessary. Throw in a roll of bubble wrap because of its entertainment value.
7. Ship the product and move your entire R&D and art staff to the $200-per-incident tech support lines.
-- What you do today will cost you a day of your life.
Simply re-encode your macro viruses into Word, or Excel or Access or whatever macros, then send that document (with the viruses attached) around...
If I wasn't in trouble with Microsoft before, I sure am now!
Kudos to MS for taking the first steps in securing one of their most notorious products, but I think the method that they're using isn't an ideal solution.
There are plenty of legitimate uses for most of those extensions, and restricting them too severely may push many users away from applying this patch.
I think a better solution may be to implement a "Save to Disk"-only option. This way, executables (and scripts, etc) could still be attached to emails - and read by the client, but not executed automatically.
Is the real issue people getting programs and scripts through email? I don't think that it is. Disabling the automatic execution of potentially rogue programs/scripts is the answer - not disabling access to the attachment altogether.
-Jeff
Recently we added security features to Outlook that make your computer safer and less threatening to your children. By doing this, we've also reduced the risk of "CPU Bomb" attacks, where a hacker can turn your CPU into a bomb and blow up your house.
One specific detail of our new security measure is strict limitations placed on .ZIP files. .ZIP files are very dangerous to use and are a playground for hackers transmitting virii. We at Microsoft are among the first to recognize this problem... this is why we are introducing a new type of .ZIP standard... it's the new Microsoft SafetyZIP (tm). It's safer to use because nobody can send you a virus in a SafetyZIP file. In fact, nobody will be able to send you anything useful in a SafetyZIP file... especially those hacker linux users.
The new SafetyZIP standard* utilizes the latest technology in high security email attachments, where only Microsoft programs can send attachments to your inbox.
*Note: Windows users only.
Skiers and Riders -- http://www.snowjournal.com
This fix does not improve the user's security. It improves Microsoft's security. On the web page, they basically say: "We don't give a f* about how you share files over the internet, as long as you are not using MS Outlook".
Obviously, the only reason for this is that they don't want the negative press next time an email worm starts traveling.
This move shows that MS doesn't care about the customer's security. If they did, the right move would have been to encourage users to use Outlook for sending their attachments, but implement a security model so it would not be dangerous.
Thanks, Microsoft. Thank you for caring.
Yes, you are right there. -- Another glass of champagne?
Attachments in and of themselves were not the problem. The problem was that Outlook ran certain types of attachments automatically. You don't even have to open the email, because when a mail shows up in the preview window, the VBScript gets run automatically.
The only way to stop this behaviour is to set scripts to disabled or prompt in explorer. If you set them to disabled, you can't search the net from altavista, read slashdot, etc.
I think the real solution would be to change the security level of VBscript. There is no reason a web script should have access to all the shares on your network, and all the files on your hard drive. That is bad design. They should also not have scripts running automatically in email. On the web it is usually safe to run scripts, but on email there is not a purpose in it. (Though some web sites do have windows-killer scripts, they are generally linked with an "I hate windows" or "this is why windows sucks" kind of tagline and in any event a web site is a kind of real estate and owners can be tracked much easier than those of email.)
Still it is a good thing to see microsoft, even belatedly, actually addressing security in their products.
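The point made in this post and in the earlier reply saying that Outlook strips script tags from HTML mail is that a mail client has no reason to render active content at all. The following is an added example of that stripping step, not Outlook's code or anything from the original thread: a small sanitizer built on Python's standard `html.parser` that removes script-bearing elements, `on*` event handlers, `javascript:`/`vbscript:` URLs and comments before the body is rendered. The tag and attribute sets are assumptions chosen for the example, and the sample message body is constructed.

```python
import html
from html.parser import HTMLParser

# Elements that can carry or load active content; dropped together with their body.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}
URL_ATTRS = {"href", "src"}


def _is_script_url(value) -> bool:
    """True for javascript:/vbscript: URLs, including ones padded with whitespace
    or newlines to slip past a naive prefix check."""
    if not value:
        return False
    return "".join(value.split()).lower().startswith(("javascript:", "vbscript:"))


class MailHtmlSanitizer(HTMLParser):
    """Rebuilds an HTML body with every script hook removed.

    Dropped: ACTIVE_TAGS (with their content), on* event-handler attributes,
    script: URLs, and all comments (conditional comments can hide markup)."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded, re-escaped on output
        self.out = []
        self.skip_depth = 0   # >0 while inside an active element
        self.dropped = []     # audit trail of what was removed

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.skip_depth += 1
            self.dropped.append(tag)
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on") or (name in URL_ATTRS and _is_script_url(value)):
                self.dropped.append(f"{tag}@{name}")
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # void elements: emit once, no closing tag

    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        self.dropped.append("comment")


def sanitize_mail_html(body: str):
    """Return (clean_html, dropped_items) for one message body."""
    p = MailHtmlSanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out), p.dropped


# Constructed message body exercising each removal path.
SAMPLE_BODY = (
    '<p onmouseover="steal()">Hello &amp; welcome</p>'
    "<script>alert(1)</script>"
    '<a href="java\nscript:alert(1)">link</a>'
    '<img src="cid:logo">'
    "<!--[if IE]><script src=x></script><![endif]-->"
)

if __name__ == "__main__":
    clean, dropped = sanitize_mail_html(SAMPLE_BODY)
    print(clean)
    print("dropped:", dropped)
```

The sanitizer keeps the `cid:` image reference and the link text while dropping every hook that could run code, and the `dropped` list gives an administrator something to log. Stripping happens on the client's parsed view of the document rather than with a regex on the raw string, so a `javascript:` URL split across a line break is still caught.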
Amazing...MS has outdone itself on this one...
Outlook has got to be the biggest piece of crap excuse for a mail client in the world.
Does anyone actually use the VB scripting functions in outlook for anything useful???
I still like the guy who said they should change the name to LookOut!
----- Leghorn "Not responsible for program content"
It's better than the current versions of OSS, *nix clients, with all the GREAT features from the 1960's. Quote: "It was built right the first time, so it doesn't need to be updated". Yeah.... and so was the Model-T.
It is hilarious. To paraphrase M$, "We're removing a popular part of our program that only 1% of our customers use in order to provide security enhancements, not fix a security hole that has allowed email viruses to flourish."
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
My one pet peeve about windows is that they hide the file extensions by default from the user. As if I can remember what all the little icons mean. They also make customization difficult for your "start" menu (Linux or Unix would be simply editing a text file... windows you have to edit the registry).
If I ruled the world, no one would send HTML within emails (it was THE reason I switched from Pine, people didn't realize they were sending HTML email and I ended up yelling at brick walls about the issue). AOL would use real standards (right now if an AOLer forwards something it ends up as an attachment, and AOLers can't send more than one attachment or it all gets zipped, and there's the screwy thing where they insert images that only other AOLers can see).
What I find ironic about the whole thing is that for the Melissa virus, Microsoft said it was the users fault, not their fault. For the ILOVEYOU virus, they said the same thing and said they didn't intend on fixing their software. It's only after everyone still blamed them and they decided they didn't need the extra bad publicity that they decided to release a patch.
What kind of "functionality" does Outlook give you that the other products don't? I use dtmail and calendar (the Solaris one) and at home I use Netscape Messenger. (and StarOffice at home and work) I haven't seen anything extra that Outlook does other than propagate viruses for people.
(and my mom's been bitching up a storm because [IIRC] she can't print labels directly from her address book in Outlook, and then some other problem about it not liking being moved to a D drive)
Hmm I think I said everything I wanted to. My thinking is disjointed today. I blame it on being Tuesday.
Object Model Guard prompts customers with a dialog box when an external program attempts to access their Outlook address book or send e-mail on their behalf, which is how insidious viruses such as I Love You spread.
'Cuz we know you READ all those dialog boxes. "Spell check cancelled. Continue anyway?" "Mouse device moved. Move on-screen pointer?" The problem is not programmatic sending of email--after all, a virus could just call MAPI.DLL itself.
They're really only addressing accessing the address book through easy VB extensions. A virus can also open address books raw and search for text strings that look like email addresses i.e. (whitespace)*@*.[com|net|org|uk|ch|de etc...].
Okay, folks, stop saying "Hey, they took attachments out of Outlook!" Here's what actually happened:
The MS patch revolves around defining various types of security levels for attachments. At present, they only define two levels. At level 1 (.exe, .com, .vbs, et cetera), the attachment is deleted. Poof. Gone.
At level two (just .zip files), opening the attachment shows a warning to the effect of, "Hey, this file, it could be really really bad, so be careful before you open it, okay?"
Obvious weaknesses:
What the release gets right:
IE does have a pretty nifty security model in that it offers multiple layers of trust for various sites/domains (trusted, "Internet", restricted, custom). Anything sent by e-mail is now assumed to be from the "restricted" zone, unless manually reset. I'd prefer to see a per-user trust level for e-mail, but that can only come with the widespread adoption of an authentication model (like PGP, for example), which I don't see happening yet.
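As an added example (not code from the post above or from Microsoft), here is the two-level attachment policy the post describes, modelled in Python and extended to look inside .zip attachments so that a zipped .vbs is dropped at level 1 instead of only triggering the level-2 warning. Only .exe, .com, .vbs and .zip come from the post; the other extensions in the level-1 set, the sample filenames and the in-memory zip fixture are assumptions for illustration.

```python
"""Two-level attachment policy modelled on the Outlook E-mail Security Update
as described in the thread, plus zip inspection.  Added example; not
Microsoft's code.  Extensions beyond .exe/.com/.vbs/.zip are assumed."""
import io
import zipfile

# Level 1: the attachment is removed outright.  The thread names .exe, .com
# and .vbs; the rest of this set is an assumption for illustration.
LEVEL1_DELETE = {"exe", "com", "vbs", "js", "bat", "cmd", "scr", "pif", "lnk"}

# Level 2: the user is warned before opening.  Per the thread, only .zip.
LEVEL2_WARN = {"zip"}

DELETE, WARN, ALLOW = "delete", "warn", "allow"


def extension_of(name: str) -> str:
    """Return the final extension, lower-cased, or '' if there is none.

    Only the last suffix counts, so 'love-letter.txt.vbs' is a .vbs and
    'backup.tar.gz' is a .gz (which this policy does not inspect, mirroring
    the gap for .cab/.arj/.tar/.gz noted further down the thread).
    Surrounding whitespace is stripped because Windows ignores it.
    """
    base = name.strip().rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def classify_by_name(name: str) -> str:
    """Apply the two-level policy to a filename alone."""
    ext = extension_of(name)
    if ext in LEVEL1_DELETE:
        return DELETE
    if ext in LEVEL2_WARN:
        return WARN
    return ALLOW


def classify_attachment(name: str, data: bytes) -> str:
    """Name-based policy, plus a look inside .zip attachments.

    Outlook (as described) only warns on .zip.  Here a zip containing any
    member that would itself be deleted at level 1 is deleted too, which
    closes the "just zip your VBS" hole.  A .zip that does not parse keeps
    the warning rather than being trusted.
    """
    verdict = classify_by_name(name)
    if verdict != WARN:
        return verdict
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return WARN
    for member in members:
        if member.endswith("/"):  # directory entry, nothing to execute
            continue
        if classify_by_name(member) == DELETE:
            return DELETE
    return WARN


def build_zip(members: dict) -> bytes:
    """Constructed test fixture: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments (names and contents are made up).
    samples = {
        "LOVE-LETTER-FOR-YOU.TXT.vbs": b"",
        "report.doc": b"",
        "archive.tar.gz": b"",
        "photos.zip": build_zip({"readme.txt": b"hi"}),
        "funny.zip": build_zip({"funny.jpg.vbs": b"MsgBox 1"}),
    }
    for fname, blob in samples.items():
        print(f"{fname:30} -> {classify_attachment(fname, blob)}")
```

Note that report.doc still comes back "allow": an extension list says nothing about macros inside Office files, which is the objection several posters raise.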
LOL, somebody moderate this down before I kill myself laughing.....
Secure messaging: http://quickmsg.vreeken.net/
Actually, ZIP files are addressed: Outlook now pops open a message warning the user that the file may contain evil Blue Meanies (or words to that effect). It's really more of a deterrent than anything else, but it's a better deterrent than was there before.
Except, of course, CAB, ARJ, TAR, and GZIP files don't carry an equivalent warning. Such is life when you're inside the box, so to speak.
Did Microsoft shut off the thing where if someone previews a file (.xls, .doc even...) it runs the program and the person inadvertently infects their computer?
heh...
another good reason for people to switch to unix.
rkt
As an Outlook user (at work, at home pine) I think this is a good thing. Not so much that you can't send attachments as easily. If I think about how hard our mail server works when some dork sends off a 4 meg attachment to 20 of his closest friends (even I have been guilty of this at one time before enlightenment) it makes me want to spew. Personally if I have something humorous or work related to send, I put it in my webspace and send people a link. This will force people to do things such as this.
Now.. on the other end of the scale... WTF don't they just disable JavaScript and VBScript in email... not disable.. REMOVE completely. Don't give me some crap about how Yahoo can't inundate my email from their POP users with banner ads at the bottom... It's not needed... There is nothing wrong with linking an image as HTML as a lesser evil and just rotating these images on the server side for each request.. If such a beast hasn't been created for their web server, they have enough money to add a feature such as that to their web server software. BAH!
So now I'm 50/50 on this point.
- Xabbu
- Jimbob
There is therefore no need to use Microsoft's handy community website services. As an added bonus, using Winzip might actually decrease download time for recipients with low-bandwidth connections!
A virus can also open address books raw ...
By this I meant, even in VBS you can open files raw.
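The raw-file approach mentioned above and in the earlier "open address books raw and search for text strings" comment, as an added example (not code from either poster): a Python scraper that carves addresses out of an arbitrary byte blob without touching any mail API, which is why a prompt on Outlook's object model is not a security boundary. It scans both plain ASCII and UTF-16LE runs, since Windows stores many strings in the latter. The address pattern, the sample blob and its layout are constructed for illustration and do not reflect any real address-book format.

```python
"""Carve e-mail addresses out of raw bytes, the way the thread says a worm
could read an address book without going through Outlook's object model.
Added example, not from the page; the sample blob is constructed."""
import re

# Loose address pattern: printable local part, '@', dotted domain with an
# alphabetic TLD.  Deliberately permissive, as a scraper would be.
_ADDRESS_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _utf16le_runs(blob: bytes, min_len: int = 6):
    """Yield printable-ASCII runs stored as UTF-16LE, as plain bytes.

    Both byte alignments are tried because a string may start at an odd
    offset in the file.  Runs shorter than min_len are discarded.
    """
    for offset in (0, 1):
        run = bytearray()
        for i in range(offset, len(blob) - 1, 2):
            lo, hi = blob[i], blob[i + 1]
            if hi == 0 and 0x20 <= lo < 0x7F:
                run.append(lo)
            else:
                if len(run) >= min_len:
                    yield bytes(run)
                run.clear()
        if len(run) >= min_len:
            yield bytes(run)


def harvest_addresses(blob: bytes) -> list:
    """Return distinct addresses found, lower-cased, in first-seen order."""
    found, seen = [], set()
    chunks = [blob] + list(_utf16le_runs(blob))
    for chunk in chunks:
        for match in _ADDRESS_RE.finditer(chunk):
            addr = match.group(0).decode("ascii").lower().rstrip(".")
            if addr not in seen:
                seen.add(addr)
                found.append(addr)
    return found


def build_sample_blob() -> bytes:
    """Constructed fixture mimicking a file with mixed encodings and junk."""
    parts = [
        b"\x00\x01PAB\x00\x00",                       # fake header
        b"Alice Example <alice@example.com>\x00",     # ASCII entry
        "Bob Example".encode("utf-16le"), b"\x00\x00",  # UTF-16LE entry
        "bob@example.org".encode("utf-16le"), b"\x00\x00",
        b"\xff\xfe garbage \x7f\x80",                  # binary noise
        b"ALICE@EXAMPLE.COM\x00",                      # duplicate, other case
        b"not-an-address@localhost",                   # no TLD: ignored
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for address in harvest_addresses(build_sample_blob()):
        print(address)
```

The point for defenders is the inverse: anything that guards only the convenient API (here, the Outlook object model) leaves the underlying file readable, so the control has to sit at file access or at outbound mail, not at the scripting layer.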
For the fact that users are too stupid not to execute attachments? Sad, very sad...
DrLunch.com The site that tells you what's for lunch!
Well, it's certainly about time.
Mod up a post Rob doesn't like and you'll never mod again
Can anyone explain why GNOME would need VB compatible scripting?
;)
For compatibility with Office/Outlook/etc, I suppose. Personally, I wouldn't want any kind of script being executed by my mailer (unless of course it's already installed in the system and is explicitly invoked). But then I use pine so I guess I'm ok there.
...and into the real world. I administer a network of 60 Windows machines (but not on the server - *shudder*), and well over 95% of the viruses that I see are Word and Excel macro viruses. To be honest, I haven't even heard of half the file extensions listed. And as for the rest of them - PhotoCD files? Can you really execute a virus from a PhotoCD file?
Furthermore - what's going to stop people from just archiving these files? When the next worm is an attachment sent in a ZIP file, will Outlook nuke all ZIP files?
This is asinine. The problem here is the execution of the malicious code, not the file attachment. Of course it's much easier to just nuke a few file attachments than to design an e-mail client that isn't Swiss cheese from a security standpoint.
This reeks to me like a punitive move; M$ got tired of the bad press and knew they had to do something: "Fine. You don't like Outlook? Joke's on you pal - we're going to nuke all file attachments that developers might use. The bad news is that your company is going to keep buying Outlook. Forever. Bwahahahaha."
This isn't as much "normalization" as it is "don't take so many drugs when you're designing tables."
Excuse me...not that I know of a file extension named URL, but I had to note they were forbidden too. Does that mean that when I send a URL in e-mail, people reading it in Outlook won't be able to open it? What a pity. (ROTFL)
-><- no
GNOME's VB-compatible scripting host is sandboxed; scripts can't touch anything outside their sandbox.
Can anyone explain why GNOME would need VB compatible scripting?
What Microsoft should really include is a dialog box -- "Warning -- a program is trying to automatically send a mail message to xxx@yz.com! Proceed? Yes/[No]/See Message".
As I understand it from this article there will be a message if a script attempts to access the windows address book (The ease with which virii and trojans can access the address book would seem to be the core of the problem.)
Microsoft Security Response Center:
This is a general issue, not a Microsoft issue. You can write a virus for any platform.
(New York Times 5/5/00)
Mr. Scott Culp of Microsoft Public Relations
This is by-design behavior, not a security vulnerability.
(CNET 5/5/00)
Why pay for drugs when you can get Linux for free ?
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
I noticed that there was a distinct absence of .DOT (M$ Word templates) on the list. IIRC, at least one "virus" was spread as an attachment in a Word file. Of course, it was a .DOC file (which, technically, isn't supposed to have executable code in it, but any monkey can change the extension and Word won't seem to care a bit)....
yet another half-assed "solution" from the Infinite Minds of PunySquishy....
I KNOW that there are some "good guys" at M$. why can't THEY be the ones that get these fix-em-up assignments, so it'll at least be thought out reasonably?
Just another computer geek....
When politicians are involved, everyone loses.
What gives? Isn't Word(tm) the vehicle of choice for these macro 'viruses'? Why is it not on their blacklist?
This is lame. Melissa would still work after the update, though not ILOVEYOU, I suppose, but I really don't get their thinking.
They need to separate Outlook from IE - I mean, pictures in email are not bad, per se, but I really don't want my email setting cookies, running scripts or downloading files without my knowledge.
These are not features that the casual user is going to put into an email, so I don't want them. These are things used to track 'Customers' and generate demographics statistics.
It seems that MS has been positioning Outlook to be a vehicle for marketing, not person-to-person communication. Now it's biting them on the ass.
In the meantime, I downloaded Eudora for Windows 3.11 - It does everything I need and nothing I don't.
Jim In Tokyo
-- My Weblog.
This seems asinine. Denying all attachments instead of just improving security checks? You've got to be kidding. I hope there's a class action lawsuit if this happens to be the case.
We use Exchange Server where I work. I'd love to quit using Outlook but I can't find a client (preferably free) that allows me to access the address list on the server. It's probably just an LDAP server but I haven't experimented with it too much.
I'd be interested to hear what mail clients other people are using on Windows and Linux and how well they work with Exchange Server. Personally, I think Eudora Light is the best thing out there for Windows (but I can't live without the Exchange address book).
I'm wondering why a suit hasn't come up yet... does the EULA really protect them against this kind of thing?
Ten. Billion. Dollars.
$10,000,000,000