Slashdot Mirror
Microsoft Develops Security-Path for Outlook
Reemi writes "On Microsoft's Office update-site they write:
The Outlook® E-mail Security Update is in development... Since access to certain file attachments in Outlook is restricted by the update, users will need an alternate method for distributing files... For a list of file types impacted by this update, read File Types Impacted by the Outlook 98/2000 E-mail Security Update.
It seems Microsoft is setting a new standard: Emails without attachments. "
We'd probably be no better or worse off with custodians running nuclear plants than with a 'technician' like a Homer Simpson. Seriously, you aren't giving sysadmins enough credit here. Sure, there are lots of MSCE type idiots running around, but there are a lot of highly skilled people working as admins as well. Admins are the people who are ultimately responsible for the security of their networks, who else should be able to control them?
It seems to me that this is Microsoft's way of throwing a tempter tantrum. It seems that they are saying, "Okay, you want tighter security than Outlook provides? We'll release a patch that makes Outlook so secure that you can't access email attachments at all!"
It seems that they could've just disabled execution of attachments, yet left a way for those attachments to be saved.
--- Biffster.org
"Bite my shiny metal ass."
2) Who are you going to sue? Microsoft disclaims all responsibility for the design flaws in their programs. Their initial design and their sorry attempt to patch their original flawed design are nothing less than irrefutable proof that what's happening inside Microsoft is malpractise on a huge scale. They don't need to patch Outlook, they need to fix their entire flawed perception of the importance of security. How many more billions of dollars will have to be lost before someone sees this? Certainly Microsoft has no incentive to change. The IT lemmings will keep jumping off the MS Cliff because they don't know any better, and Microsoft will never have to pay for the flaws in their code because the laws are moving toward favoring the corporation, not the consumer.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
It's Msft's job to SELL LICENSES . - period. That's what fills the coffers and keeps stockholder grinning. Market research show that ease of access to data is more important than security. Putting security into a system turns users off, and thus sales droop. The teeming millions have enough problems just learning Word, without having to jump thru hoops just to get access to their files. Untill ppl have enough bad experiences to learn to demand security, it won't be a development priority.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
I've been preaching the "No Attachment" message to my users for three years now and they still think I'm an idoit ("But how will we share files?")
That's not a solution. The problem here is the broken windows software design. Microsoft has made a decision in all of its software to make it easier to use at the cost of security. The real solution here is to disable the auto-matic launching of executable files of any type; to get rid of microsoft word macros, or atleast turn them off by default; to make it so the user needs to initiate any action that could be dangerous to the system.
Solutions like "don't send attachments" or blocking attachments of certain types only provide the user with a false sense of security. What happens when a user gets an email with a link in it that points to "That important document you asked me about"? The user clicks on it thinking 'well it's not an attachment and besides outlook filters out bad stuff so I have to be safe'; word launches, reads and executes the happy go lucky script. The only thing that has changed is how the "virus" spreads. The problem is is that the "virus" is still spreading.
Microsoft and sysadmins in general need to start educating their users and putting some effort into securing things. You can't just hide from a problem and assume everything is ok.
-matt
If somebody wrote a program for linux that allowed shell scripts to run when you double-click 'em, do you really think it would be any more secure?
.rtf extension and MS Word will open the file and execute the Macro. The user has no means to determine if the file has what it's extension says it has.
Yes. Because someone would write it so that you had a choice of options. View the attachment, file the attachment, save the attachment to disk, execute the attachment. The broken, brain-damaged Microsoft way is there is only one way to "Open" a file and that is to open it with the program that is associated with that file extension. There are at least three instances of brokenness and/or brain-damage in the preceeding sentence. One of those is that MS uses extentions to associate files with applications, but Office applications use file contents to determine file types. You can save a Word document with a startup macro with a
I have to use Microsoft products at work, but I don't have to like it.
Anomalous: inconsistent with or deviating from what is usual, normal, or expected
Anomalous: deviating from what is usual, normal, or expected
Canard: a false or unfounded repor
And it only took an estimated 10 billion dollars worth of damage worldwide before they did something about the security problems... whoo! :)
---
according to the BBC the fix is only for Outlook and there will not be a fix for outlook express, where the majority of the clueless lie. seems to be a bit of a waste of time
I am a Microsoft Lawyer. Sorry for the AC I couldn't figure out how to log in.
We suggest you take this story down as you quote words directly off our web page.
If not we will crush you.
Thank you.
Micro$oft Lawyer.
The whole thing stems from one fundamental confusion: failing to distinguish between _viewing_ a file, and _executing_ the instructions in that file. If filetypes like VBS macros had two separate commands for these, with the default being 'view', then worms like this could not spread.
I always thought it was really stupid how the menu in Program Manager said 'Open' instead of 'Run'. Now Microsoft's decision to blur the lines between the two is coming back to haunt them.
-- Ed Avis ed@membled.com
Quick! The second horse has gone!
Close and lock the barn doors, and shoot all the other horses!
PigPog.
Java can definitely be a risk. It's weird (as someone else noted) that pretty well all the file types that M$ is limiting are their own products.
If I send you a malicious Java *application*, it can do all kinds of stuff - probably just as well as the VBScript program can (but it would be harder to write, IMHO).
It's a Java *applet* (e.g., run via your friendly Web browser) that's quite limited in what it can do via the sandbox concept. So, Java would not be good as a virus that ran as an applet through your browser, but would work just fine as a virus Java application you ran through your native Java virtual machine (JVM).
The difference is that most people only have a JVM in their Web browser, so they couldn't run a Java application anyway. If Sun has their way, everyone soon will have a JVM....if M$ has their way, maybe we won't. Someone correct me if I'm wrong - I don't think there's any sort of JVM shipping with Windows 98 or 2000, you need to get and install one separately.
No, I still wouldn't be happy with Windows even if they did that. There is a lot more wrong with Windows. Those things would be a small start in the right direction, but the inherent architecture of Windows (yes, even NT and 2000) is poor, and you can't easily retrofit that.
Very true, and a really good point. However, don't make the assumption that my loved ones would go into my "trusted user" list. My network admins, co-sysadmins, and a few other technical professionals I know might make that list. My mother? No way.
(That's not to say that somebody's mother isn't going to make that list. Just not mine.)
Am I the only one who feels insulted by the Big All Knowing Corporation keeping me from doing what I want for "my own good"?
Damn.
As a matter of fact, here's a better way than that...
Encode you're viruses into HTML documents. Then, ship the documents to whomever. When they open the document, since it's running locally, should allow all scripts to run...automatically.
I would appreciate everyone's opinion on another solution I suggested. This might still make it into a product (not outlook) so if you can see a flaw in it, please tell me.
When a file is received as an attachment that matches the "executable" mask (that is, has the extension exe, vbs, bat, etc) the file is renamed by the addition of a ".unsafe" extension, thereby becoming file.exe.unsafe for example. This preserves the integrity of the file but makes it non-executable until the user explicitly renames it back to the executable extension.
Problems I have considered:
1) somebody might predict this and register the ".unsafe" extension to an executable. Could be solved by using a random string. This also implies prior infections, so they're already screwed.
2) most users have "hide extensions" turned on. While they would still see the unregistered ".unsafe", they might not comprehend the significance and require education before they can use their executable attachments. My feeling is that this is a good thing.
Can anyone show me a truly important flaw in this suggestion? I would like to push it internally but I am uncertain of its worth.
-konstant
Yes! We are all individuals! I'm not!
-konstant
Yes! We are all individuals! I'm not!
So can Excel and Powerpoint and any other document that lets you include ActiveX (Formerly OLE) objects. Maybe they didnt exclude them because 99% of the documents attached to E-Mail in the Outlook-using business community are Word or Excel documents. Funny their own browser (IE) gets "features" broken by this update such as "Send page as link" which sends a .URL attachment to a person. ~GoRK
MS says that from now on the user will get asked if it's ok to access the address book. Will this be via pop-up window, or some other method. I'm going to assume that it's a pop-up window.
The vulnerability is from VBA, now if someone is able to write a VBA app which can scan your address book why wouldn't this app be able to select the "OK" button when windows asks the user if it's ok to access the addressbook?
What if the password protect it? The target audience for windows HATES security, because it's a hassle. They'd have to actually remember their passwords! So if they do password protect it do you think that they'd add a "save my password" checkbox to the prompt? If they do we fall back into the VBA vulnerability.
Get eudora and forget about outlook.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
"I explained how just making the switch would yield very little benefit while misleading folks into thinking they were more secure"
I guess we're really getting into the twilight zone now - actually, making ppl feel secure and confident in a product is a great marketing strategy - they used to teach us that at one big old-iron firm I worked for, that "consumer confidence" is key. A customers 'mental image' of a company/product is much more important than the actual quality/security of the product, which is often beyond their ken anyway, the sales is there to keep the 'warm fuzzy's' going and the payments coming. Msft can get away with all this as long as they have the public trust and someone else to blame it on (hackers, inept McSE's, etc etc etc). It's amazing how much all of this is a smoke&mirrors, Wizard of OZ, managed media public relations image projection game.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Write an educational virus. It wouldn't have a destructive payload ('cept for worming itself through address book). But it sure would *pretend* to be doing nasty things. Scare the bejeezus outta the idiots who doubleclick it. Bright lights, beeps, shit like that.
And then pop up a message saying it *COULD* have nuked their system, but didn't, and that maybe they should finally learn their lesson: don't open attachments!
(Yes, literally: "DON'T OPEN ATTACHMENTS!" Those sorts of dolts are better off never opening them than having to choose which ones to open...)
--
--
Don't like it? Respond with words, not karma.
"No, in the case of ILOVEYOU, this would have stopped the spread of the virus pretty quickly. Imagine if a user had to push "Yes" for each of the several hundred mail messages he/she was sending out. And MAPI.DLL should have similiar protection. "
I think on most ISP's, "mail", when looked up, gives the address of the mail server, where mail can be sent directly by SMTP.
Alternatively, in Windows, a virus could stay search (like netstat can) for connections to servers with "mail" in their names, assume they are mail servers, and try to send via SMTP through them. Although, this may not work with MSEXCH servers on corporate LANs.
--
Your points are valid up to a point. Recreating user files is worse than system files. Recreating every user's files is worse than just a single user's files though, which is what you get when there isn't effective multi-user security. With Windows you probably have to fix user files, system files registry files, etc.
The other problem is that unrestricted access to system files makes what a virus can do more dangerous, because it can infect itself into lots of other things. Thankfully, few viruses so far have been really insidious and sophisticated enough to pervasively infect a system and slowly (or at least delayed) start to do things. Think how much more damage these viruses might have done had they only slightly propagated themselves at first so they weren't noticed as quickly, but thoroughly infected the systems, so that at some later point they could go full bore once they had been spread all over the place? Doing this effectively would require that a virus/worm be able to infect system files and not just user files.
This is the problem:
I can't imagine that it would ever become popular enough within the Linux/UNIX community
The Linux/UNIX community is changing, just as the internet community changed in the early nineties. In one breath someone here says, "We need to make Linux easier to use and spread its acceptance." and in the next you hear, "I don't want to deal with people who can't use a computer, stay off Linux and use Windows!" In the next breath you hear about a static "Linux/UNIX community" which would never let a program in which would have as many problems as outlook.
Well, the "Linux/UNIX community" is dynamic, very dynamic. You can't read the newsgroups without seeing how many 'newbies' are trying out Linux, and how many others are trying to get Linux/UNIX into homes of windows users.
I'm not discounting SoftwareJanitor, there is a lot of truth in that posting, but I know that the blanket statement "it would [never] become popular enough within the Linux/UNIX community..." is not accurate, since the Linux/UNIX community won't the be same tomorrow as it is today and everyone here seems to want it to be different.
If one wants to advocate an operating system then one needs to help people understand that you just need to be a computer user to use it, you don't need to join some sort of community or exclusive club. The more you talk about 'the community', the more you alienate those who don't understand that it's not exclusive.
-Adam
and this patch will make it more diff to sync your palm w/ outlook. this is IMHO just part of the plan to make ppl dislike the palm.
nmarshall
#include "standard_disclaimer.h"
R.U. SIRIUS: THE ONLY POSSIBLE RESPONSE
nmarshall
The law is that which it boldly asserted and plausibly maintained..
--Colonel Burr 1783
Simple re-encode your macro viruses into Word, or Excel or Access or whatever macros, then send that document (with the viruses attached) around...
VBA macro viruses cannot function until the user has first enabled scripting for their open session of the Office product they are using. When a script attempts to run in an email, two things happen. Firstly Outlook prompts the user, telling them that the mail contains script and asking whether they want to run it. Secondly, if you have not run any script prior to the email in your open session, Outlook prompts you whether you would like to run macro scripts.
Try it at home. Your idea has been covered by Outlook for a long time, however weakly.
-konstant
Yes! We are all individuals! I'm not!
-konstant
Yes! We are all individuals! I'm not!
For starters, just because you run NT or 9x, and your staff likes using Word, don't always assume that the Micros~1 solution is the best one, or even the best-integrated. Nearly all third-party apps are designed specifically to be happy in the M$ biosphere. For your environment, you might be better off tracking your software inventory with Tangram Asset Insight instead of SMS. Maybe your HR database should be running on Peoplesoft or Oracle instead of MS-SQL. Maybe not... but each technology decision should be considered on the merits of the tech, rather than just saying "we are a Microsoft shop."
When you use MS products (or any software), don't always take the "biggest d*ck" approach. Outlook Express might serve your needs better than Outlook. The hot new service pack might not be ready for prime time. Keep in mind that you probably have a lot of 2 year-old systems in your office that you are trying to squeeze a little more life out of. What works on your brand new test-lab box might break in the real world.
MCSE grunts might be easy to find and recruit, but even the most die-hard M$ fan would rather learn how to use the right tool for the job, and one person with the right tech is better than three people trying to fix junk. Don't give up on superior solutions out of fear that you can't find "qualified" staff. I bet your SQL guru would love to be sent to Oracle DBA classes... in fact, you might actually retain him/her for a couple more years if you show that your are committed to expanding the skills of your employees.
Most of your staff is probably made up of geeks and hackers who know a lot about security. Don't take their recommendations lightly.
Information wants to be anthropomorphized.
Your posting doesn't seem to be as incompatible with what I was saying as you seem to think it is.
The mere fact that the Linux community is varied, is changing, and is incredibly dynamic is exactly what will probably insure that no single email client ever becomes as ubiquitous in the Linux world as Outlook is in the Windows world. There are very few software packages other than the kernel itself that are truly universally accepted, let alone something as high-level as an email client.
The Windows world is different, because it is a monoculture dominated by a single vendor which has an amazing ability to control what software gets bundled with machines. No single entity in the Linux world has that kind of power. Not Red Hat, not Mandrake not SuSE, not Caldera, not Corel, nobody. The fact that there are many different distributions out there insures that there will be diversity in what packages will be used. The fact that it will probably be a long time (if ever) before the KDE/Gnome split is unified likely insures that no single GUI email package will ever become dominant on Linux the way that Outlook is on Windows.
And as I said before, the thing that will really make sure that something with inherent security problems never gets pervasively deployed is that in order for something to be widely accepted in the Linux world it must be open source, which means problems such as these get dealt with quickly.
As for talking about 'the community', that means something different here on Slashdot than it does if I am talking to someone in a different forum. You are reading something into my words that isn't there if you think I use that terminology to be divisive rather than inclusive.
One way of preventing these problems is to require all executable programs/scripts to be digitally signed by the vendor or a local administrator or security officer. I've read about some old operating systems that made the creation of executable files a privileged operation. The compiler had the privilege of creating an executable file. It enforced security policy by treating certain actions in the source code as fatal compilation errors. This allowed an insecure operating system to be protected from the programs of unprivileged users. A problem is that you can't use languages like C that allow the programmer to dynamically generate and execute code.
Mea navis aericumbens anguillis abundat
It will still prevent the macro viruses spreading on computers that don't have MS Office -- this last one hit both Outlook and Outlook Express address books, and was writen in a scripting language run by MS Windows Scripting host, which all computers with MS IE4 and above have. See, less people have Office than WSH, so if you take away the ability with WSH, then it's harder to spread.
--
The Titanic might not have hit an iceberg if the captain had not gone full steam through Iceberg Alley.
Even if it did it would not have suffered such a large gash if there was better quality control on the hull rivets.
Even so it might not have taken on water if it had double-hull construction (available at the time but considered too expensive and bulky).
Even so it might have only flooded one or two compartments if the bulkheads had extended well above water level (this was considered too much of an inconvenience for passengers moving around the ship).
Even if the ship still sank the loss of life would have been less terrible if there were enough lifeboats and the crew was trained to deploy them.
So who's to blame?
The newspapers of the time initially blamed the captain for speeding.
The other problems came out during the inquiry and recent expeditions to the wreck.
The companies that built and operated Titanic were liable and had to pay damages.
The industry was more safety conscious after that - for a while.
This update limits certain functionality in Outlook to provide a higher level of security; it was not created to address a security vulnerability within Outlook.
So, basically, allowing any arbitrary VBS script to execute without prompting the user isn't a security vulnerability. What is it, a ''feature''?
Okay, then, providing a higher level of security *doesn't* address a security vulnerability. So, basically, this sentence says:
This update limits certain functionality in Outlook to provide a higher level of security even though Outlook does not have the security vulnerability that this update addresses; it was not created to address a security vulnerability within Outlook because Outlook doesn't have the security vulnerability that this update very specifically addresses..
In other words, Outlook is 100% secure, but this update makes Outlook more secure. I guess this is the new M$ math....
--keith
I saw something on Freshmeat.net the other day called Outlook2Ical that purports to be able to convert Outlook calendar messages to Ical calendar entries. Might be just what you are looking for.
Anyway, I still think it's moot. Barring bugs, it would be impossible to do anything malicious in an email that is being read with those settings. That's the whole point of restricting scripts. And, again, ILOVEYOU would not work as an embedded script using any default security settings.
Technically I said it would run just as well under Pine.
Sure, that's an outlandish scenario. But it still has nothing to do with Outlook. ILOVEYOU could easily be rewritten to pull addresses from Netscape's address book, or Eudora's, or Pine for Windows', etc. Outlook is only targetted because it's so common.
MSK
E-mail without attachments? I don't think so. It said *certain* file types. If somebody wrote a program for linux that allowed shell scripts to run when you double-click 'em, do you really think it would be any more secure?
MS e-mail has been insecure because it has been customary to allow users to easily open attachments of any type. Period. Not because MS mail programs are poorly written or anything of that nature.
Now some people have abused that privelege, and users have not understood it. So the only real solution is to place some restrictions on it. I use MS mail programs and have never had any security problems. I never open attachments from strangers either!
Also, this is really not a bad turn-around time for a patch. Admitedly, it is longer than the turn-arounds for most open source bugfixes, but not by a ridiculous ammount of time, especially when you consider that the security hole is entirely fixable via user education anyway.
For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
In other words, spreading of the email is primarily a user and a client issue, not an OS one. The consequences on the system where the worm is run is an OS issue.
Its interesting that they do not include .doc files in the list even though courtesy of VBA, those files can also execute malicious code.
Great, I'm sick and tired of downloading all those anothersillything.mpg attachments. Attachments are evil, we need a standard way of ftp-ing the attachments to a server and then just posting the url!
J.
The real problem is much more fundamental then the outlook API. The real problem is the lack of a proper security model. You don't want to have your newly downloaded script to interact with an API that basicly lets it do anything it wants. A downloaded executable has access to the full win32 API. Just changing the outlook interface won't help preventing worms since there are other ways to retrieve the list of addresses in the addressbook.
However, it would be ok if there were some restrictions on what this script would be allowed to do. I.e. a sandbox model would be appropriate for anything opened from an email client or a browser. Anything which is not labeled as trusted should not be trusted to behave well.
This problem is not unique to windows. Most unix mail clients also leave it to the user what to open. Of course linux mail clients don't have much of an API to script. Apart from that, there's nothing stopping a virus from mailing itself to everyone in the addressbook and removing porn and mp3 on Linux (except the user of course) since it can all be done without requiring root permissions.
Jilles
Not when dealing with the teeming masses, it's all emotional appeal, using the proper buzzwords, etc. The 'logic' is this: ppl don't want viri, Msft doesn't want to be broken up, therefore the 'party line' is: breaking up Msft with bring you a plague of viri! No technical linkage required at all, Msft users wouldn't understand it anyway, just simple 'association'. Retroactive damage control. And yes, the EULA *does* exempt them from liability for damages caused by defects in the code - that's why it's such a great biz, you can sell not ready for prime time products out the yin/yang but as long as you can hold a monopoly position and positive market image, your in fat city.
What is it, something like 80% of people polled think Msft is 'doing a great job' as it is? Who wants to be a billionaire? Nothing succeeds like success.
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Grrrr... I think I'm going to have to stop reading Microsoft-related discussions on Slashdot, before I injure myself from banging my head against the wall so much.
The ILOVEYOU "virus" was a trojan horse. As Microsoft has tried to explain to the public for years now, trojan horses cannot be prevented as long as users run untrusted code on their systems. (I'd be happy to hear any ideas, but I don't think it's possible.) But all the computer pundits kept spreading FUD and demanding a solution, so Microsoft implemented the only solution possible: prevent users from getting access to untrusted code in the first place. Kinda like banning cars because people won't fasten their seatbelts.
Anyway... Ahem... I was planning to not rant about that, but I ended up going on for quite a bit. What I really wanted to point out was a small factual correction... actually two. First, I don't know how you have your Outlook configured, but by default, "Restricted Zone" does disable all scripting. Second, despite the "press release" quoted, Outlook's current default security zone is "Internet", not "Trusted". ("Internet" is the default zone for browsing web pages.) I don't know if this was a MS typo or your typo. (By "your" I mean the author of the article that Xemu lifted.)
Changing the security zone defaults is a good idea. But, as few people seem to understand, it has nothing to do with the ILOVEYOU virus, which would run just as well under Pine (assuming you're running Pine on a Windows machine.)
MSK
yup.. the two are really comparable, they're supposed to do the same thing. yup. really. And MS excel is a way better spreadsheet than oracle.
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
This is all about execution based on file extension. This simply wouldn't happen on this scale in Linux. Sure you could write some sort of cool Linux executable that showed some cool jumping frogs that also offloaded a virus payload, but the user would first have to save it to disk, set the execute bit(s) and run it. Then in order for this virus to spread it would have to read people's address book - on Windows this is just a MAPI call, but on Linux you have to check for pine, mutt, kmail, balsa, communicator, LDAP, etc address books. The scale of this problem for replication means that it would just never happen. It would spread to a few hundred people maximum before people would stop and say "what's going on", fire off a post to some bulletin board, and stop the virus in its tracks.
Thats not to say that it will remain this way on Linux - chances are we might all unify to one email application with a standard interface (CORBA) to access the address book. But you still have to overcome the "save, set +x bit, run" problem which just isn't going to go away soon.
Matt. Want XML + Apache + Stylesheets? Get AxKit.
I really disagree. Things should be scriptable. There's too many legitimate uses for it. But access should be limited by the process that attempts it.
If I have a script in my home directory that sends mail, and it's not setuid'ed as anyone else, then the script should be able to do what I can do. It is me.
On the other hand, if I receive a script as an attachment, and instead of saving it and "chmod"ing it as executable (thereby taking responsibility for what it does), I directly run it from inside the email program, then that process should be lauched "su"ed as nobody. Naturally, it shouldn't have access to my address book, just as other users on the system don't have access to my address book. And needless to say, the "nobody" user should not have the ability to send mail or open network connections, among other restrictions.
The problem with apps like Outlook, Word and Excel is twofold: they treat data as code and they aren't written for a multiuser system. Neither of those things would necessarily be fatal, but the combination is.
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
That was the whole problem in this case. You got email from people you trusted and so you opened it. PGP would have only added to your false sense of security!
-- Virtual Windows Project
On the other hand, if you write your virus in Visual Basic with some ASP processing on the server side + MTS + IIS + MS authentication process ripped of Kerberos + rules engine + XML + VRML + Marketing Department == a highly scalable and maintainable by only 120 people macro virus capable of overwriting all your jpg files with pictures of naked and petrified Ms. Portman, a virus with its own market share, very scalable robust and that only takes 10 minutes to execute on a single given client.
Well, for this kind of virus of the future, the new Outlook security patch will work just fine!
You can't handle the truth.
I've also heard that in the next update they are recommending that we remove any cables connecting our computers to the internet.
Their final security update will be a patch which automatically powers the computer down before you can boot into Windows... this would be the ultimate in security except that we won't be able to download it because we've already removed all cables connecting us to the internet.
------
IanO
------
Objects in Mirror are Losing!
The MS patch revolves around defining various types of security levels for attachments. At present, they only define two levels. At level 1 (.exe, .com, .vbs, et cetera), the attachment is deleted. Poof. Gone.
The aren't gone or deleted. It will not allow the user to run or save them. If you later change your security policy you can save/run them any time you like. The data is always there.
I think this makes good sense as a default policy for 99% of users. If you can't figure out how to change your policy, you shouldn't be running attachments in the first place.
-- Virtual Windows Project
Microsoft can't get too draconian with the patch, lest people refrain from applying it, in which case they are back to where they started.
Ahh well. Virus writers will have to get mildly creative again.
You don't understand GNOME/KDE. I don't think the primary purpose of these projects is to make a good or ideal environment. The primary purpose is to make a reasonably compatable one, in order to infiltrate Microsoft's market. They are doing the best they can, within that constraint. Using Perl would be pointless in that regard, because the area they're trying to infiltrate doesn't already use Perl. It uses VB.
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
No it won't.
I usually ZIP everything sent because many mail gateways corrupt the filenames of attachements. Also very nice to make sure your personal love letters reach their targets untouched. /dot
This is a press release.
After some research on My Own Company Ltd. (DAQDAQ: MOCL), these are the best solutions we have found depending on the security grade you prefer (higher number, higher security):
1. Delete Outlook Express
2. Don't use email at all
3. Destroy your Internet connections, and your whole LAN if desired
4. Destroy your computer and all your electronic equipment
5. Destroy all your belongings and spend the rest of your life in the Sahara dessert, living alone
This has proven succesful in our labs in a controlled environment, so we can almost assure you that following the points above will solve your computer viruses problem, including those that spread by email, forever.
Date: Mon, 15 May 2000 21:07:41 -0400
Reply-To: Russ
Sender: Windows NTBugtraq Mailing List
From: Russ
Subject: Outlook Email Security Update
Comments: To: "NTSecurity (E-mail)"
Content-Type: text/plain; charset="iso-8859-1"
Today Microsoft announced the "Outlook Email Security Update", scheduled for
availability from;
http://officeupdate.microsoft.com
on May 22nd, 2000.
I was briefed on this update last week, and during this discussion I
presented several recommendations. Microsoft have chosen not to implement
any of them, despite the nearly 10 days available prior to its availability.
Presumably they still haven't resolved the issues they have getting content
onto their update sites in a timely fashion.
Before I go into what is in this update, there are several critical
incorrect assertions in it. Quoting from the official press release;
"Heightened Outlook default security settings increase the default Internet
security zone setting within Outlook from "trusted" to "restricted." The
restricted zone disables most automatic scripting and ActiveX=AE Controls
from opening without the user's permission. Users who prefer less security
can easily change their Outlook settings to trusted zone."
I guess the Microsoft Office Product Group has never bothered to read my
page on how Outlook works and what needs to be done to the Restricted Sites
Trust Zone for it to be truly safer;
(http://ntbugtraq.ntadvice.com/outlookviews.asp)
Of course without the modifications to the default settings of the
Restricted Sites Trust Zone, Outlook happily runs any Active Scripting, and
will happily invoke any ActiveX control marked safe for scripting and
present on your system (ActiveX downloads are disabled.)
I more than pointed this fact out to the Briefer, one Lisa Gurry from the
Microsoft Office product group when she presented the functionality to me. I
told her to either not make the switch to the Restricted Sites Trust Zone,
or, make the switch and alter the defaults. I explained how just making the
switch would yield very little benefit while misleading folks into thinking
they were more secure, especially against scripting worms.
The fact that ILV was relatively stupid as worms go seems to have been
missed by many people. A slightly modified version sent as HTML that doesn't
bother with the address book (who needs it, most people have lots of mail in
their folders from all sorts of interesting folks to reply to) will likely
get by these new features since scripting can still be done. The fact that
"attachments" won't invoke any more isn't likely going "to thwart the spread
and impact of many computer viruses."
This presumes, of course, that some 45 million people already realize just
how stupid they were to click on that attachment in the first place...and
maybe have told a few friends...;-]
MS seem incapable of doing what some coder at;
http://www.slipstick.com/dev/code/zaphtml.htm
has done with relatively few lines...namely convert inbound HTML-based
emails to something else (Rich Text) which completely eliminates the
vulnerabilities of scripting emails.
Of course they further show their ignorance of the realities of corporate
email systems by providing this quote;
"Given the global impact of the I Love You virus and the growing threat of
malicious hackers, we strongly believe we must take the unprecedented step
of limiting certain popular functionality in Outlook to provide a
significant, additional security option for our customers,"
scanners to throw the message back as containing a worm...duh!
Granted, its unprecedented to remove functionality in favor of
security...after a product's been released. This usually occurs during
development...;-]
Anyway, to the features in this update;
1. "Email Attachment Security":
Attachments won't be put through to users email. That's right, they'll go
into never-never land. I haven't received an answer to my question as to
just where they will go. I've been told that a user will somehow,
miraculously know that there was some sort of attachment on a given piece of
mail but that it's been stripped in the interest of their security...
We'll have to tune in next week to find out where those objects get tossed
to. ISPs may end up with thousands of little (or not-so-little) fragments of
messages left behind by Outlook POP3 users who's mail simply says "Nope, I
don't want that thanks"...with no ability for the user to delete it cause
they can't see it...
A full list of extensions being excluded is below (which will make even more
dumb email gateways break as they can't figure out whether the presence of
the text string "vbs" is a script or not)
2. "Object Model Guard":
Well, to be more precise is the "Address Book Guard" really. If Outlook
detects lookups in your address book (that are somehow distinguishable to an
invocation of the "Find" command", it, um, pops up a dialog. Not sure what
the dialog says, but presumably it will be sufficiently verbose to explain
what might be happening. Haven't seen what the dialog box options are, say,
for someone trying to script a newsletter or a marketing document. Guess
lots of folks are going to learn how to use distribution lists (making
scripting worms easier in future as they just look for distribution lists
instead of lots of addresses.)
I should say, however, that this was one of the features I was looking for.
Would have been nice to know how they're doing that, but...
3. "Heightened Outlook default security settings":
I covered this. They ignored my advice, don't know how their products work,
and then told the world they were doing a good thing(tm)...NOT!
I *have* to believe we'll see different wording in the final web page...I
don't think they'd continue to lie so blatantly about their product.
Get the feeling I'm not going to get briefed again in the future...;-]
Conclusion:
MS dropped the ball. I told them to make this thing appear as an interim
step. It's not a patch, its Outlook on Training Wheels. I thought it was
going to be a complete product (i.e. you download it and that's how that
version works, get the full version to do more harm to yourself). As such,
it made a lot of sense to have a version that was severely restricted. Put
users on that till you're satisfied they aren't going to shoot themselves in
the foot.
Nope, they gotta tout it as more than that.
So, bottom line, unless they change the thing before it gets released next
week, make sure anyone you suggest it to also gets this URL;
http://ntbugtraq.ntadvice.com/outlookviews.asp
and turns off scripting and scripting of activeX components marked safe for
scripting.
I'm not even going into the fact that Outlook Express isn't being updated.
Let's get real Microsoft, its the only email package included in every
shipping OS you make! Oh, and let's not forget the "It can't be removed on
Windows 2000!~!@!$!%" Someone on Bugtraq made a funny post about it being a
virus...come on, we all know it can't replicate itself to another
machine...that's done automatically at installation of the OS...
In case you can't tell, I'm not pleased with the press release, or the
completeness of the update.
That said, I made another suggestion today that hopefully will get
implemented. One of the biggest problems that exist with all of this is the
fact that most people never update their systems with any patches, security
or otherwise. I've suggested that they put a download counter on the site so
we'll be able to see just how many people actually get the thing. Doesn't
say much other than show the realities. MS could put a lot more effort into
a better update, and it probably still wouldn't be applied by most folks
(even if they did something so the patch could apply to more of the millions
of folks the patch isn't intended for, i.e. those that use Outlook Express
only.)
For those interested, here's the list of extensions to be blocked by the
update;
ADE Microsoft Access Project Extension
ADP Microsoft Access Project
ASX Streaming Audio/Video Shortcut
BAS Visual Basic Class Module
BAT Batch Files
CHM Compiled HTML Help File
CMD Windows NT Command Script
COM MS-DOS Application
CPL Control Panel Extension
CRT Security Certificate
EXE Application
HLP Help File
HTA HTML Applications
INF Setup Information
INS Internet Communication Settings
ISP Internet Communication Settings
JS Jscript File
JSE Jscript Encoded Script File
Ink Shortcut
MDB Microsoft Access Application
MDE Microsoft Access MDE Database
MSC Microsoft Common Console Document
MSI Windows Installer Package
MSP Windows Installer Patch
MST Visual Test Source Files
PCD Photo CD Image
PIF Shortcut to MS-DOS Program
REG Registration Entries
SCR Screen Saver
SCT Windows Script Component
SHS Shell Scrap Object
URL Internet Shortcut
VB VBScript File
VBE VBScript Encoded Script File
VBS VBScript Script File
WSC Windows Script Component
WSF Windows Script File
WSH Windows Scripting Host Settings File
Cheers,
Russ - NTBugtraq Editor
"dot-age" (as in "we're in the dot-age") = senility (source Webster's)
Tell your friends about xenu.net
Wow! Thanks, Redmond! Word has it that Windows 2000 Service Pack 8 will also have built in invulnerability to the Morris Worm!
We're going down, in a spiral to the ground
This is not a troll, just pointing something out.
Does anyone else find it ironic that almost ALL of the file extensions on the list pertain to Microsoft applications?
It is a blatant overreaction, and limiting the attachments doesn't address the underlying security flaws; it only hides them. Prevent executables from running directly from within Outlook, or if they are ran, greatly limit their functionality if they are ran from within Outlook. For instance, if a script is ran externally from Outlook, assume that the user ran it him/herself, and give it access to the Outlook Address book (there are legitimate times when this is useful). If the script is ran from within Outlook, then it should be assumed to be insecure and not be given access to the Outlook Address book, and should not be able to modify other files on the system.
There will be a loud scream of protest from users who download this patch. They will want to be able to send many of these file types via e-mail. MS will, of course, provide an uninstall for their patch, say "I told you so, you really do want the full level of functionality", and then go on happily ignoring security issues, always refering back to this failed attempt as the reason (ie: "we tried implementing greater security, users hated it, so we removed it").
*ROTFLMAO* I'm sorry, but there is so much in this document to laugh at. As laughter is good therapy, here's the entire thing potted into a syringe-sized dose:
.ZIP files. If a message contains a .ZIP attachment, you are prompted to save the file to disk if you try to open it.
THIS BETA...SHOULD BE DEPLOYED ONLY ON MACHINES THAT CAN BE REFORMATTED AFTER TESTING WITHOUT SERIOUS CONCERNS.
A nice starter - you know you're in Microsoft's hands now!
This update limits certain functionality in Outlook to provide a higher level of security; it was not created to address a security vulnerability within Outlook.
Absolutely! Keep telling us there's nothing wrong with Outlook and maybe we'll believe you someday.
Certain functionality in Office may be impacted by this update.
What does that mean? Let's follow the link
Palm, Windows CE devices (PDAs) have synchronization issues. These include:
Syncing with the Inbox displays a prompt and then fails. This is under investigation.
Ah, that's not a bug, it's 'impacted functionality'. Let me add that to my excuses list.
Since access to certain file attachments in Outlook is restricted by the update, users will need an alternate method for distributing files...
Such as elm/pine/Eudora/Netscape Messenger...
Level 2 security contains only one file type by default:
Ignoring the fact that in Microsoft's world there is only one type of archive - have you noticed how MS deem it okay for you to open it elsewhere, just not near Outlook? What are they trying to hide?
This update...was not created to address a security vulnerability within Outlook.
Ah, yes - so you said. And you know what, I almost believe you...
windows will still execute it No it won't. uh ... there is *no* requirement that an executable file image be attached to a program with a .exe extension in any modern version of windows. I can create an executable named foo, and as long as windows detects the correct information in the header, it will execute it. Hell, I *have* done this, regularly. (It also is no longer true that .com files have to be under 64K in size or adhere to the compact memory model ... that was true in win31, but no more). Now, its possible that *outlook* wont invoke it, because a lot of the automagic file invocation stuff happens with checks through the registry to discover what should be used to open a particular file, and outlook might be stupid enough to not know that something not named .exe is actually an executable --- i dont know, as i havent run outlook more than once or twice. but theres no inherent windows limitation, and hasnt been for years. -- Robert West Delphi R&D
In Outlook:
- Right click on the attachment
- Choose edit (opens in Notepad)
- Choose save, then open in your favourite text editor.
Not too hard...
How does removing executable attachments hurt the little guy any more than it hurts the big guy?
That's not ironic, that's the point. The extensions on the list are those that are part of Windows or that belong to MS applications. There are plenty of other applications that could also be dangerous -- if you install Perl, for instance, .pl files are just as dangerous as .vbs files -- but Microsoft is letting the vendors of those products add extensions to the banned list themselves. (Disallowing files belonging to other companies could be seen as anticompetitive.)
cat ~/.addressbook
the various gaping holes allowing access
ILOVEYOU exploited no gaping OS holes that I'm aware of.
the general problems of macro scripts
#!/usr/bin/perl
print "Looks like a macro script to me!";
Outlook does this as well, but that's not the problem. Few people actually have macros in Outlook, but if they do, by default they'll see a message box saying "This outlook session contains macros..." yadda yadda.
The problem is not outlook's internal VBA macros, but external programs being able to automate outlook so easily, due to its exposed object model which WSH/VBScript (among others) has easy access to with no regard for security.
-CausticPuppy "Of all the people I know, you're certainly one of them." -Somebody I don't know
Statements such as this:
"Conclusion:
MS dropped the ball. I told them to make this thing appear as an interim step. "
... make "Russ" seem as arrogant as fuck.
Sure, he might be qualified to scrutinize MS' security (hell, it doesn't take much to be in a position where you can poke strong technical holes in MS' security, sheesh), and he may very well have some good points to make, but coming off like "I told them so, but they didn't listen" is really just fundamental geek arrogance at its finest.
The *viewpoint* may be perfectly valid, but the arrogant header containing the packet is going to cause this message to bounce off corporate-mindset firewalls all over the place.
Who the hell does he think he is? The Great God of Microsoft, directing his minions? I thought that position was already filled.
With all due respect, I do *not* know this Russ person at all, and may be treading on a few toes, but since I don't know him, his viewpoint wrapped in arrogance is an unfortunate first intro. (I'm sure he's a technically competent invididual, though.)
This is a perfect example for how *not* to communicate to an industry/public about technology. Better would be to just state the facts, and leave the blame out of the equation - it'll carry better in mainstream media, because media types detest geek arrogance, especially when it involves Microsoft...
; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
GNOME's VB-compatible scripting host is sandboxed; scripts can't touch anything outside their sandbox.
Will I retire or break 10K?
Comment removed based on user account deletion
*thud*
Outlook does not run embedded programs automatically.
*thud*
Outlook does not run embedded programs automatically.
*thud*
I know I take this too personally, but the rampant ignorance about this issue, among such otherwise intelligent folks, is really depressing.
To clarify: The ILOVEYOU trojan exists as an inert attachment. It will not run when you read the email; it will only run if you then launch the executable attachment. Yes, there are ways to run safe code automatically in Outlook, and yes, there have been bugs that allow you to run unsafe code automatically in Outlook, but none of that is involved here.
MSK
Amazing. MS chooses to remove all access to the attachments. Not just stop them running, but actually stop them being saved out to disk. That's going to really impress the user who receives the Kerberos document in EXE form :-)
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
MS OUTLOOK:
An external application is trying to access e-mail addresses you have stored in Outlook. Do you want to allow this?
Allow access for: 1min, 2min, 5min, 10 min
This is so dumb! I am sure that this time restriction is a potential security problem.
You either allow the executing appliation to read the addresses until the app. is terminated, or you disallow it, but you don't allow some app. to do something for 1 or 2 or 5 or 10 minutes. This makes no sense, if I wrote a virus, would I make this virus wait for 10 minutes before it did some damage or spread around? No. The virus would do its business in the very beginning and it usually does not take a minute for the virus to execute.
Micro soft must be some kind of a brain disorder
You can't handle the truth.
damn, you seem to have spotted the flaw in my logic.. ;)
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
Instead of actually increasing the security of thier mailer and stopping the ease of access to the address book, the various gaping holes allowing access to the O/S and the general probelms of macro scripts, they block access to certain filetypes.
.BAT containing "Deltree /y c:\"
This won't actually stop the problems that Outlook has or causes, but it will slow it down a little. Now people will save them off to thier disks and run the programs from there allowing more access to Back Orifice, and a
This is typical of what happens when a corporation becomes stale.
Good riddance I say. The more more people are scared away from Microsoft the better.
...and what happens if they decide that Wordperfect is a security risk, and ban its file types. Or how about html mail with scripting languages that doesn't conform to Microsoft's standards...
Oh this could be good!
My understanding is that certain versions of outlook with certain confiiguations will run the vb script when viewing the email text (either in a sperate window or in the preview pane).
4 7&aid=56
Note that no one is saying that this happens with all versions and all configuations, so it isn't sufficient to provide one counter-example (i.e. "it didn't auto exceute on my system - so there!").
Russ published a chart showing outlooks behavior when you open or preview email. Note that in Outlook 98 and Outlook Express, when previewing email, active content is executed if the secutity zone allows.
http://www.ntbugtraq.com/default.asp?sid=1&pid=
So Outlook will auto execute scripts iff active scripting is allowed by whatever zone Outlook is using.
Outlook defaults to using the internet zone and I doubt(hope) that active scripting is enabled by default for that zone, but is is likely that many IE users would enable active scripting at some point, since may sites, incluiding MS's IE update, require it.
- bridgette
An NT box *IS* C2 in a disconnected configuration. And would probably be considered B2 or better in a configuration where it's powered off, unplugged and locked in a safe...
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
As part of its effort to standardize the user interface and functionality of all Microsoft programs, Windows producer Microsoft has proposed the following guidelines. They will make your development strategy consistent with the development strategy at Microsoft.
1. Start by having your R&D staff search the net and other sources for popular applications until they find one that would look good in a box with the art division's latest logo.
2. The R&D staff must now completely replicate that product, changing the interface slightly and adding no less than 20,000 extra "features," at least 100 of which must really be bugs that they didn't feel like fixing.
3. Do NOT, under any circumstances, test the product. This is a waste of time and money. Ship the first beta that arrives on your desk. In fact, don't bother even getting it on your desk. Just ship every build that comes along. Users like upgrades. Besides, you can charge people for bug-fixes cleverly disguised as "service packages". Users love service packages.
4. Hopefully someone's written a user's manual. In fact, it's probably readable by a normal human being. This is unacceptable; perform a find and replace operation on random English words, replacing them with technical terms and acronyms. Users like acronyms; they add mystery to a product. Never tell what an acronym means; this is unprofessional. You may even wish to make up your own acronyms; again, don't tell what they mean. For every sensible sentence, you lose at least three calls to your $200-per-incident tech support line. Users love calling tech support, especially when there are fifty touch tone menus that all lead to the same two people.
5. Prepare for shipping. Have your team of 57 lawyers create a prefabricated license agreement. If you do not have 57 lawyers, hire or fire as necessary so that you do have 57 lawyers. Be sure that the license agreement includes a "by opening the box, you agree to this" statement. Then put it inside the box. Users will perceive this as a joke and laugh. Users love involuntarily binding themselves to legal agreements.
6. Before shipping, invest in shrink wrap. Shrink wrap the manual. Shrink wrap the CD. Shrink wrap each and every floppy disk separately. Shrink wrap the "getting started" card. Shrink wrap the registration card. Shrink wrap the card from your grandmother. Then dump the whole mess in a box and shrink wrap it. Pack several boxes inside a larger brown box with 5,637 non-decomposable foam peanuts (each one shrink wrapped individually, of course). Be sure the foam peanut count is exactly 5,637. Remove or add shrink-wrapped foam peanuts as necessary. Throw in a roll of bubble wrap because of its entertainment value.
7. Ship the product and move your entire R&D and art staff to the $200-per-incident tech support lines.
-- What you do today will cost you a day of your life.
Simple re-encode your macro viruses into Word, or Excel or Access or whatever macros, then send that document (with the viruses attached) around...
If I wasn't in trouble with Microsoft before, I sure am now!
Kudos to MS for taking the first steps in securing one of their most notorious products, but I think the method that they're using isn't an ideal solution.
There are plenty of legitimate uses for most of those extensions, and restricting them too severely may push many users away from applying this patch.
I think a better solution may be to implement a "Save to Disk"-only option. This way, executables (and scripts, etc) could still be attached to emails - and read by the client, but not executed automatically.
Is the real issue people getting programs and scripts through email? I don't think that it is. Disabling the automatic execution of potentially rogue programs/scripts is the answer - not disabling access to the attachment altogether.
-Jeff
.doc & .xls were how most viruses used to get passed -- *cough* back in the 'old' days.
It took new and improved MS Outlook to allow more fun ways of nuking computer systems.
The solution isnt to back track, but to figure out how to go forward while sandboxing the current problem so that any code executed in Outlook stays within Outlook.
Check out Magic Firesheep!
it is hilarious. To paraphrase M$, "We're removing a popular part of our program that only 1% of our customers use in order to provide a security enhancements, not fix a security hole that has allowed email viruses to flourish."
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
Object Model Guard prompts customers with a dialog box when an external program attempts to access their Outlook address book or send e-mail on their behalf, which is how insidious viruses such as I Love You spread.
'Cuz we know you READ all those dialog boxes. "Spell check cancelled. Continue anyway?" "Mouse device moved. Move on-screen pointer?" The problem is not programmitic sending of email--after all, a virus could just call MAPI.DLL itself.
They're really only addressing accessing the address book through easy VB extensions. A virus can also open address books raw and search for text strings that look like email addresses i.e. (whitespace)*@*.[com|net|org|uk|ch|de etc...].
--
I would agree that the underlying architecture of Outlook is the fundamental problem. Disabling the scripting host will only prevent a very certain class of Outlook-related viruses/worms, but won't cause the whole system to be safe. Your suggestions about allowing the admins to control the API at that level would be a much better approach to solving this problem, but I somehow doubt that Microsoft will ever really bite the bullet and do the right thing with this.
Okay, folks, stop saying "Hey, they took attachments out of Outlook!" Here's what actually happened:
The MS patch revolves around defining various types of security levels for attachments. At present, they only define two levels. At level 1 (.exe, .com, .vbs, et cetera), the attachment is deleted. Poof. Gone.
At level two (just .zip files), opening the attachment shows a warning to the effect of, "Hey, this file, it could be really really bad, so be careful before you open it, okay?"
Obvious weaknesses:
What the release gets right:
IE does have a pretty nifty security model in that it offers multiple layers of trust for various sites/domains (trusted, "Internet", restricted, custom). Anything sent by e-mail is now assumed to be from the "restricted" zone, unless manually reset. I'd prefer to see a per-user trust level for e-mail, but that can only come with the widespread adoption of an authentication model (like PGP, for example), which I don't see happening yet.
Actually, ZIP files are addressed: Outlook now pops open a message warning the user that the file may contain evil Blue Meanies (or words to that effect). It's really more of a deterrent than anything else, but it's a better deterrent than was there before.
Except, of course, CAB, ARJ, TAR, and GZIP files don't carry an equivalent warning. Such is life when you're inside the box, so to speak.
A virus can also open address books raw ...
By this I meant, even in VBS you can open files raw.
--
Well, it's certainly about time.
--
--
Mod up a post Rob doesn't like and you'll never mod again
NO -- disabling the Scripting Host is an idiotic response dreamed up by dunderheaded MCSEs. It's like disabling Bash or Perl on a Linux box -- it prevents one or two specific things from going wrong, but it also axes a big bunch of functionality.
The ILOVEYOU worm just happened to be a VB Script. It could have also been recompiled into an EXE with trivial changes. It could have been coded in Perl, Delphi, C++, and so on. There's nothing special about things running in the scripting host.
The *real* problem is Outlook's automation object model. By providing an API where Exchange data can be scanned and mail can be sent without user interaction, they are setting themselves up for all sorts of worms (or worse, targeted industrial espionage).
What Microsoft should really include is a dialog box -- "Warning -- a program is trying to automatically send a mail message to xxx@yz.com! Proceed? Yes/[No]/See Message". This would stop mail worms pretty quickly. Better yet, give the Exchange admins control over whether things like this are even possible on their systems.
Forcing users to change how they handle executables is a start, but doesn't solve the real problem -- a poorly implemented COM API.
--
Business. Numbers. Money. People. Computer World.
GNOME's VB-compatible scripting host is sandboxed; scripts can't touch anything outside their sandbox.
Can anyone explain why GNOME would need VB compatiable scripting?
--
What Microsoft should really include is a dialog box -- "Warning -- a program is trying to automatically send a mail message to xxx@yz.com! Proceed? Yes/[No]/See Message".
As I understand it from this article there will be a message if a script attempts to access the windows address book (The ease with which virii and trojans can access the address book would seem to be the core of the problem.)
The problem is not programmitic sending of email--after all, a virus could just call MAPI.DLL itself.
No, in the case of ILOVEYOU, this would have stopped the spread of the virus pretty quickly. Imagine if a user had to push "Yes" for each of the several hundred mail messages he/she was sending out. And MAPI.DLL should have similiar protection.
In fact, this approach is exactly how Lotus Notes handles it. Notes has a larger installed base than Exchange, and has had programmatic e-mail sending for 10 years, but yet somehow manages to avoid these mail worms.
So, Fascdot, I'm curious how you would design a solution? It's too easy just to condemn Windows as sucky and let it be -- there's the real possibility that lots of stupid users will be running lots of stupid programs on Linux in a couple years. "Object Model Guard" might not be a full sandbox, but for Microsoft, it's a gigantic step forward in their thought process about application automation.
--
Business. Numbers. Money. People. Computer World.
What gives? Isn't Word(tm) the vehicle of choice for these macro 'viruses'? Why is it not on their blacklist?
This is lame. Melissa would still work after the update, though not ILOVEYOU, I suppose, but I really don't get their thinking.
They need to separate Outlook from IE - I mean, pictures in email are not bad, per se, but I really don't want my email setting cookies, running scripts or downloading files without my knowledge.
These are not features that the casual user is going to put into an email, so I don't want them. These are things used to track 'Customers' and generate demographics statistics.
It seems that MS has been positioning Outlook to be a vehicle for marketing, not person-to-person communication. Now it's biting them on the ass.
In the meantime, I downloaded Eudora for Windows 3.11 - It does everything I need and nothing I don't.
Jim In Tokyo
-- My Weblog.
To reply to myself -- apparently Microsoft has actually implemented something like this with their "Object Model Guard":
Object Model Guard prompts customers with a dialog box when an external program attempts to access their Outlook address book or send e-mail on their behalf, which is how insidious viruses such as I Love You spread.
I have to say that I am actually shocked that they would actually implement something that puts the reigns on the automation environment that they have been building for the last 10 years. Not a complete solution, but for them, a pretty big step forward.
--
Business. Numbers. Money. People. Computer World.