Slashdot Mirror


Microsoft Develops Security-Patch for Outlook

Reemi writes "On Microsoft's Office update-site they write: The Outlook® E-mail Security Update is in development... Since access to certain file attachments in Outlook is restricted by the update, users will need an alternate method for distributing files... For a list of file types impacted by this update, read File Types Impacted by the Outlook 98/2000 E-mail Security Update. It seems Microsoft is setting a new standard: Emails without attachments."


  1. Innovation! by Booker · · Score: 4

    And it only took an estimated 10 billion dollars worth of damage worldwide before they did something about the security problems... whoo! :)

    ---

    1. Re:Innovation! by konstant · · Score: 3

      All they needed to do was change it so that it would save it out, and then the user would be able to launch it if they needed to after finding it

      Microsoft *did* make precisely that change after Melissa. That was also released as a patch. In fact, the complaint in the Outlook group was that nobody had downloaded that patch and consequently had lower security than Outlook actually provided.

      When it comes to security patching, you can lead a horse to water, but without "push" or software as a service you can't make him drink.

      Ok, that's enough mixing of metaphors for one day.

      -konstant
      Yes! We are all individuals! I'm not!

    2. Re:Innovation! by subsolar2 · · Score: 3
      Frankly I feel it's an over-reaction on their part totally disabling those file attachment types. All they needed to do was disable double-click/click (depending on your settings) launching & execution of those file types.

      All they needed to do was change it so that it would save it out, and then the user would be able to launch it if they needed to after finding it.

      For some users it would stop the viruses since they never would be able to find it once it was on the HD. ;)

      subsolar

  2. COPYRIGHT INFRINGEMENT by Anonymous Coward · · Score: 3

    I am a Microsoft Lawyer. Sorry for the AC I couldn't figure out how to log in.

    We suggest you take this story down as you quote words directly off our web page.

    If not we will crush you.

    Thank you.
    Micro$oft Lawyer.

  3. Quick! by pigpogm · · Score: 3

    Quick! The second horse has gone!

    Close and lock the barn doors, and shoot all the other horses!

    --
    PigPog.
  4. Perception IS reality by ch-chuck · · Score: 3

    "I explained how just making the switch would yield very little benefit while misleading folks into thinking they were more secure"

    I guess we're really getting into the twilight zone now - actually, making ppl feel secure and confident in a product is a great marketing strategy - they used to teach us that at one big old-iron firm I worked for, that "consumer confidence" is key. A customer's 'mental image' of a company/product is much more important than the actual quality/security of the product, which is often beyond their ken anyway, the sales is there to keep the 'warm fuzzies' going and the payments coming. Msft can get away with all this as long as they have the public trust and someone else to blame it on (hackers, inept McSE's, etc etc etc). It's amazing how much all of this is a smoke&mirrors, Wizard of OZ, managed media public relations image projection game.

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  5. The Ultimate Solution by FFFish · · Score: 4

    Write an educational virus. It wouldn't have a destructive payload ('cept for worming itself through address book). But it sure would *pretend* to be doing nasty things. Scare the bejeezus outta the idiots who doubleclick it. Bright lights, beeps, shit like that.

    And then pop up a message saying it *COULD* have nuked their system, but didn't, and that maybe they should finally learn their lesson: don't open attachments!

    (Yes, literally: "DON'T OPEN ATTACHMENTS!" Those sorts of dolts are better off never opening them than having to choose which ones to open...)

    --
    Don't like it? Respond with words, not karma.
  6. Oh Pooh! by istartedi · · Score: 4

    E-mail without attachments? I don't think so. It said *certain* file types. If somebody wrote a program for linux that allowed shell scripts to run when you double-click 'em, do you really think it would be any more secure?

    MS e-mail has been insecure because it has been customary to allow users to easily open attachments of any type. Period. Not because MS mail programs are poorly written or anything of that nature.

    Now some people have abused that privilege, and users have not understood it. So the only real solution is to place some restrictions on it. I use MS mail programs and have never had any security problems. I never open attachments from strangers either!

    Also, this is really not a bad turn-around time for a patch. Admittedly, it is longer than the turn-arounds for most open source bugfixes, but not by a ridiculous amount of time, especially when you consider that the security hole is entirely fixable via user education anyway.

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
    1. Re:Oh Pooh! by SoftwareJanitor · · Score: 4

      If somebody wrote a program for linux that allowed shell scripts to run when you double-click 'em, do you really think it would be any more secure?

      Slightly, because at least they would only affect one user's files, not system files, libraries, etc. That is unless someone logged in as root were stupid enough to run such an email client. Not nearly as likely. Does that mean that the Linux community doesn't need to keep a watchful eye out? No. Does that mean I really expect problems similar to the ILOVEYOU virus? Not any time soon.

      But the main reason that this isn't typically a problem is that unlike the MS-DOS/Windows method where executability is determined by file extension, in Linux/UNIX executability is determined by file permissions, which are normally set so the file isn't executable when it is downloaded. While it would certainly be possible for a program to be written for Linux with such a misfeature, I can't imagine that it would ever become popular enough within the Linux/UNIX community to become a target for virus authors. In order for something to become ubiquitous in the Linux community, it will need to be open source. And that will ensure that such a glaring problem will likely get fixed before it gets exploited much.

      Outlook is such an attractive target for virus authors because it not only has its own security holes in addition to the generally lax security of the Windows 9x platform, but it is so ubiquitous that viruses written for it will affect the vast majority of Windows users that come into contact with it.

  7. Logic? Ha! by ch-chuck · · Score: 3

    Not when dealing with the teeming masses, it's all emotional appeal, using the proper buzzwords, etc. The 'logic' is this: ppl don't want viri, Msft doesn't want to be broken up, therefore the 'party line' is: breaking up Msft will bring you a plague of viri! No technical linkage required at all, Msft users wouldn't understand it anyway, just simple 'association'. Retroactive damage control. And yes, the EULA *does* exempt them from liability for damages caused by defects in the code - that's why it's such a great biz, you can sell not ready for prime time products out the yin/yang but as long as you can hold a monopoly position and positive market image, you're in fat city.

    What is it, something like 80% of people polled think Msft is 'doing a great job' as it is? Who wants to be a billionaire? Nothing succeeds like success.

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  8. Microsoft's next updates by IanO · · Score: 4

    I've also heard that in the next update they are recommending that we remove any cables connecting our computers to the internet.

    Their final security update will be a patch which automatically powers the computer down before you can boot into Windows... this would be the ultimate in security except that we won't be able to download it because we've already removed all cables connecting us to the internet.

    ------
    IanO

    --
    ------
    Objects in Mirror are Losing!
  9. Everything except .DO* and .XL* by rcw-work · · Score: 3
    ...Those can contain executable code too, but I guess Microsoft has to defend people's freedom to doubleclick on untrusted Word attachments.

    Microsoft can't get too draconian with the patch, lest people refrain from applying it, in which case they are back to where they started.

    Ahh well. Virus writers will have to get mildly creative again.

  10. Well, the guys over at NTbugtraq aren't impressed by Xemu · · Score: 5
    Original article



    Date: Mon, 15 May 2000 21:07:41 -0400
    Reply-To: Russ
    Sender: Windows NTBugtraq Mailing List
    From: Russ
    Subject: Outlook Email Security Update
    Comments: To: "NTSecurity (E-mail)"
    Content-Type: text/plain; charset="iso-8859-1"

    Today Microsoft announced the "Outlook Email Security Update", scheduled for
    availability from;

    http://officeupdate.microsoft.com

    on May 22nd, 2000.

    I was briefed on this update last week, and during this discussion I
    presented several recommendations. Microsoft have chosen not to implement
    any of them, despite the nearly 10 days available prior to its availability.
    Presumably they still haven't resolved the issues they have getting content
    onto their update sites in a timely fashion.

    Before I go into what is in this update, there are several critical
    incorrect assertions in it. Quoting from the official press release;

    "Heightened Outlook default security settings increase the default Internet
    security zone setting within Outlook from "trusted" to "restricted." The
    restricted zone disables most automatic scripting and ActiveX® Controls
    from opening without the user's permission. Users who prefer less security
    can easily change their Outlook settings to trusted zone."

    I guess the Microsoft Office Product Group has never bothered to read my
    page on how Outlook works and what needs to be done to the Restricted Sites
    Trust Zone for it to be truly safer;

    (http://ntbugtraq.ntadvice.com/outlookviews.asp)

    Of course without the modifications to the default settings of the
    Restricted Sites Trust Zone, Outlook happily runs any Active Scripting, and
    will happily invoke any ActiveX control marked safe for scripting and
    present on your system (ActiveX downloads are disabled.)

    I more than pointed this fact out to the Briefer, one Lisa Gurry from the
    Microsoft Office product group when she presented the functionality to me. I
    told her to either not make the switch to the Restricted Sites Trust Zone,
    or, make the switch and alter the defaults. I explained how just making the
    switch would yield very little benefit while misleading folks into thinking
    they were more secure, especially against scripting worms.

    The fact that ILV was relatively stupid as worms go seems to have been
    missed by many people. A slightly modified version sent as HTML that doesn't
    bother with the address book (who needs it, most people have lots of mail in
    their folders from all sorts of interesting folks to reply to) will likely
    get by these new features since scripting can still be done. The fact that
    "attachments" won't invoke any more isn't likely going "to thwart the spread
    and impact of many computer viruses."

    This presumes, of course, that some 45 million people already realize just
    how stupid they were to click on that attachment in the first place...and
    maybe have told a few friends...;-]

    MS seem incapable of doing what some coder at;

    http://www.slipstick.com/dev/code/zaphtml.htm

    has done with relatively few lines...namely convert inbound HTML-based
    emails to something else (Rich Text) which completely eliminates the
    vulnerabilities of scripting emails.

    Of course they further show their ignorance of the realities of corporate
    email systems by providing this quote;

    "Given the global impact of the I Love You virus and the growing threat of
    malicious hackers, we strongly believe we must take the unprecedented step
    of limiting certain popular functionality in Outlook to provide a
    significant, additional security option for our customers,"

    ...which, of course, has probably triggered thousands of email gateway
    scanners to throw the message back as containing a worm...duh!

    Granted, it's unprecedented to remove functionality in favor of
    security...after a product's been released. This usually occurs during
    development...;-]

    Anyway, to the features in this update;

    1. "Email Attachment Security":

    Attachments won't be put through to users email. That's right, they'll go
    into never-never land. I haven't received an answer to my question as to
    just where they will go. I've been told that a user will somehow,
    miraculously know that there was some sort of attachment on a given piece of
    mail but that it's been stripped in the interest of their security...

    We'll have to tune in next week to find out where those objects get tossed
    to. ISPs may end up with thousands of little (or not-so-little) fragments of
    messages left behind by Outlook POP3 users whose mail simply says "Nope, I
    don't want that thanks"...with no ability for the user to delete it cause
    they can't see it...

    A full list of extensions being excluded is below (which will make even more
    dumb email gateways break as they can't figure out whether the presence of
    the text string "vbs" is a script or not)

    2. "Object Model Guard":

    Well, to be more precise is the "Address Book Guard" really. If Outlook
    detects lookups in your address book (that are somehow distinguishable to an
    invocation of the "Find" command), it, um, pops up a dialog. Not sure what
    the dialog says, but presumably it will be sufficiently verbose to explain
    what might be happening. Haven't seen what the dialog box options are, say,
    for someone trying to script a newsletter or a marketing document. Guess
    lots of folks are going to learn how to use distribution lists (making
    scripting worms easier in future as they just look for distribution lists
    instead of lots of addresses.)

    I should say, however, that this was one of the features I was looking for.
    Would have been nice to know how they're doing that, but...

    3. "Heightened Outlook default security settings":

    I covered this. They ignored my advice, don't know how their products work,
    and then told the world they were doing a good thing(tm)...NOT!

    I *have* to believe we'll see different wording in the final web page...I
    don't think they'd continue to lie so blatantly about their product.

    Get the feeling I'm not going to get briefed again in the future...;-]

    Conclusion:

    MS dropped the ball. I told them to make this thing appear as an interim
    step. It's not a patch, it's Outlook on Training Wheels. I thought it was
    going to be a complete product (i.e. you download it and that's how that
    version works, get the full version to do more harm to yourself). As such,
    it made a lot of sense to have a version that was severely restricted. Put
    users on that till you're satisfied they aren't going to shoot themselves in
    the foot.

    Nope, they gotta tout it as more than that.

    So, bottom line, unless they change the thing before it gets released next
    week, make sure anyone you suggest it to also gets this URL;

    http://ntbugtraq.ntadvice.com/outlookviews.asp

    and turns off scripting and scripting of activeX components marked safe for
    scripting.

    I'm not even going into the fact that Outlook Express isn't being updated.
    Let's get real Microsoft, it's the only email package included in every
    shipping OS you make! Oh, and let's not forget the "It can't be removed on
    Windows 2000!~!@!$!%" Someone on Bugtraq made a funny post about it being a
    virus...come on, we all know it can't replicate itself to another
    machine...that's done automatically at installation of the OS...

    In case you can't tell, I'm not pleased with the press release, or the
    completeness of the update.

    That said, I made another suggestion today that hopefully will get
    implemented. One of the biggest problems that exist with all of this is the
    fact that most people never update their systems with any patches, security
    or otherwise. I've suggested that they put a download counter on the site so
    we'll be able to see just how many people actually get the thing. Doesn't
    say much other than show the realities. MS could put a lot more effort into
    a better update, and it probably still wouldn't be applied by most folks
    (even if they did something so the patch could apply to more of the millions
    of folks the patch isn't intended for, i.e. those that use Outlook Express
    only.)

    For those interested, here's the list of extensions to be blocked by the
    update;

    ADE Microsoft Access Project Extension
    ADP Microsoft Access Project
    ASX Streaming Audio/Video Shortcut
    BAS Visual Basic Class Module
    BAT Batch Files
    CHM Compiled HTML Help File
    CMD Windows NT Command Script
    COM MS-DOS Application
    CPL Control Panel Extension
    CRT Security Certificate
    EXE Application
    HLP Help File
    HTA HTML Applications
    INF Setup Information
    INS Internet Communication Settings
    ISP Internet Communication Settings
    JS Jscript File
    JSE Jscript Encoded Script File
    LNK Shortcut
    MDB Microsoft Access Application
    MDE Microsoft Access MDE Database
    MSC Microsoft Common Console Document
    MSI Windows Installer Package
    MSP Windows Installer Patch
    MST Visual Test Source Files
    PCD Photo CD Image
    PIF Shortcut to MS-DOS Program
    REG Registration Entries
    SCR Screen Saver
    SCT Windows Script Component
    SHS Shell Scrap Object
    URL Internet Shortcut
    VB VBScript File
    VBE VBScript Encoded Script File
    VBS VBScript Script File
    WSC Windows Script Component
    WSF Windows Script File
    WSH Windows Scripting Host Settings File

    Cheers,
    Russ - NTBugtraq Editor
    "dot-age" (as in "we're in the dot-age") = senility (source Webster's)

    --
    Tell your friends about xenu.net
  11. Just in the nick of time! by cje · · Score: 4

    Wow! Thanks, Redmond! Word has it that Windows 2000 Service Pack 8 will also have built in invulnerability to the Morris Worm!

    --
    We're going down, in a spiral to the ground
  12. MS can then say "I told you so" by AllynKC · · Score: 3

    It is a blatant overreaction, and limiting the attachments doesn't address the underlying security flaws; it only hides them. Prevent executables from running directly from within Outlook, or if they are run, greatly limit their functionality if they are run from within Outlook. For instance, if a script is run externally from Outlook, assume that the user ran it him/herself, and give it access to the Outlook Address book (there are legitimate times when this is useful). If the script is run from within Outlook, then it should be assumed to be insecure and not be given access to the Outlook Address book, and should not be able to modify other files on the system.

    There will be a loud scream of protest from users who download this patch. They will want to be able to send many of these file types via e-mail. MS will, of course, provide an uninstall for their patch, say "I told you so, you really do want the full level of functionality", and then go on happily ignoring security issues, always referring back to this failed attempt as the reason (ie: "we tried implementing greater security, users hated it, so we removed it").

  13. Re:Well, the guys over at NTbugtraq aren't impress by kaphka · · Score: 3
    DON'T RUN EMBEDDED PROGRAMS AUTOMATICALLY
    Outlook does not run embedded programs automatically.

    *thud*

    Outlook does not run embedded programs automatically.

    *thud*

    Outlook does not run embedded programs automatically.

    *thud*

    I know I take this too personally, but the rampant ignorance about this issue, among such otherwise intelligent folks, is really depressing.

    To clarify: The ILOVEYOU trojan exists as an inert attachment. It will not run when you read the email; it will only run if you then launch the executable attachment. Yes, there are ways to run safe code automatically in Outlook, and yes, there have been bugs that allow you to run unsafe code automatically in Outlook, but none of that is involved here.
    --

    MSK

  14. Cross out that tick-list feature :-) by tjwhaynes · · Score: 3

    Amazing. MS chooses to remove all access to the attachments. Not just stop them running, but actually stop them being saved out to disk. That's going to really impress the user who receives the Kerberos document in EXE form :-)

    Cheers,

    Toby Haynes

    --
    Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
  15. Microsoft Development Process by jabber · · Score: 5

    As part of its effort to standardize the user interface and functionality of all Microsoft programs, Windows producer Microsoft has proposed the following guidelines. They will make your development strategy consistent with the development strategy at Microsoft.

    1. Start by having your R&D staff search the net and other sources for popular applications until they find one that would look good in a box with the art division's latest logo.

    2. The R&D staff must now completely replicate that product, changing the interface slightly and adding no less than 20,000 extra "features," at least 100 of which must really be bugs that they didn't feel like fixing.

    3. Do NOT, under any circumstances, test the product. This is a waste of time and money. Ship the first beta that arrives on your desk. In fact, don't bother even getting it on your desk. Just ship every build that comes along. Users like upgrades. Besides, you can charge people for bug-fixes cleverly disguised as "service packages". Users love service packages.

    4. Hopefully someone's written a user's manual. In fact, it's probably readable by a normal human being. This is unacceptable; perform a find and replace operation on random English words, replacing them with technical terms and acronyms. Users like acronyms; they add mystery to a product. Never tell what an acronym means; this is unprofessional. You may even wish to make up your own acronyms; again, don't tell what they mean. For every sensible sentence, you lose at least three calls to your $200-per-incident tech support line. Users love calling tech support, especially when there are fifty touch tone menus that all lead to the same two people.

    5. Prepare for shipping. Have your team of 57 lawyers create a prefabricated license agreement. If you do not have 57 lawyers, hire or fire as necessary so that you do have 57 lawyers. Be sure that the license agreement includes a "by opening the box, you agree to this" statement. Then put it inside the box. Users will perceive this as a joke and laugh. Users love involuntarily binding themselves to legal agreements.

    6. Before shipping, invest in shrink wrap. Shrink wrap the manual. Shrink wrap the CD. Shrink wrap each and every floppy disk separately. Shrink wrap the "getting started" card. Shrink wrap the registration card. Shrink wrap the card from your grandmother. Then dump the whole mess in a box and shrink wrap it. Pack several boxes inside a larger brown box with 5,637 non-decomposable foam peanuts (each one shrink wrapped individually, of course). Be sure the foam peanut count is exactly 5,637. Remove or add shrink-wrapped foam peanuts as necessary. Throw in a roll of bubble wrap because of its entertainment value.

    7. Ship the product and move your entire R&D and art staff to the $200-per-incident tech support lines.

    --

    -- What you do today will cost you a day of your life.
  16. The Obvious Answer by Jonny+Royale · · Score: 4
    I'm surprised no one thought of this before...

    Simply re-encode your macro viruses into Word, or Excel or Access or whatever macros, then send that document (with the viruses attached) around...

    If I wasn't in trouble with Microsoft before, I sure am now!

  17. Re:What about doc and xls by wrenling · · Score: 3

    .doc & .xls were how most viruses used to get passed -- *cough* back in the 'old' days.

    It took new and improved MS Outlook to allow more fun ways of nuking computer systems.

    The solution isn't to backtrack, but to figure out how to go forward while sandboxing the current problem so that any code executed in Outlook stays within Outlook.

    --
    Check out Magic Firesheep!
  18. "Security levels" for attachments by sammy+baby · · Score: 5

    Okay, folks, stop saying "Hey, they took attachments out of Outlook!" Here's what actually happened:

    The MS patch revolves around defining various types of security levels for attachments. At present, they only define two levels. At level 1 (.exe, .com, .vbs, et cetera), the attachment is deleted. Poof. Gone.

    At level two (just .zip files), opening the attachment shows a warning to the effect of, "Hey, this file, it could be really really bad, so be careful before you open it, okay?"

    Obvious weaknesses:

    1. The .zip file attachment filter is absolutely ludicrous: anyone with a copy of WinZip can also open .arj, .cab, .tar, and .gzip files (and probably a full other types to boot). None of those file types are addressed.
    2. Executable files that you want distributed are nuked. Outta luck.
    3. This patch breaks functionality with a whole bunch of software. I don't know if this was avoidable (can't make an omelette without breaking some eggs), but it sucks.

    What the release gets right:

    IE does have a pretty nifty security model in that it offers multiple layers of trust for various sites/domains (trusted, "Internet", restricted, custom). Anything sent by e-mail is now assumed to be from the "restricted" zone, unless manually reset. I'd prefer to see a per-user trust level for e-mail, but that can only come with the widespread adoption of an authentication model (like PGP, for example), which I don't see happening yet.
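
The two-level attachment policy described in the comment above, applied to the extension list from the NTBugtraq post earlier in the thread, as an added example: it is not part of any comment and is not Microsoft's implementation. The function names, the constructed sample message and the `extended` archive set are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Level 1 (attachment removed): the 38 extensions listed in the NTBugtraq post.
# The list's "Shortcut" entry is taken to be the .lnk extension.
LEVEL1 = frozenset("""
    ade adp asx bas bat chm cmd com cpl crt exe hlp hta inf ins isp js jse lnk
    mdb mde msc msi msp mst pcd pif reg scr sct shs url vb vbe vbs wsc wsf wsh
""".split())
# Level 2 (warn before opening): .zip only, as the comment describes.
LEVEL2 = frozenset({"zip"})
# Assumption added for this example: the other archive types the comment says
# the update leaves unaddressed, applied only when extended=True.
EXTRA_ARCHIVES = frozenset({"arj", "cab", "tar", "gz", "gzip"})


def final_extension(filename):
    """Return the last extension, lower-cased; that is what decides how
    Windows opens the file, so NAME.TXT.vbs is treated as .vbs."""
    # Windows drops trailing dots and spaces from names, so normalise first.
    name = filename.strip().rstrip(". ").lower()
    _, dot, ext = name.rpartition(".")
    return ext if dot else ""


def classify(filename, extended=False):
    """0 = deliver, 1 = remove (Level 1), 2 = warn (Level 2)."""
    ext = final_extension(filename)
    if ext in LEVEL1:
        return 1
    if ext in LEVEL2 or (extended and ext in EXTRA_ARCHIVES):
        return 2
    return 0


def scan(raw, extended=False):
    """Classify every attachment by its declared file name. Only MIME
    attachment names are inspected, so body text that merely mentions
    "vbs" is not flagged (the gateway false positive the post mentions)."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [(part.get_filename() or "",
             classify(part.get_filename() or "", extended))
            for part in msg.iter_attachments()]


def notices(results):
    """One visible line per affected attachment, rather than a silent drop."""
    text = {1: "removed (Level 1)", 2: "kept, warn before opening (Level 2)"}
    return [f"{name}: {text[level]}" for name, level in results if level]


def build_sample():
    """Constructed sample message; names and contents are made up."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("This body mentions vbs and .exe but attaches neither.")
    for name in ("invoice.txt.vbs", "Report.ZIP", "backup.tar", "photo.jpg"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for line in notices(scan(build_sample(), extended=True)):
        print(line)
```

With `extended=False` the `.tar` attachment is delivered without a warning, which is the gap the comment's first listed weakness points at.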

  19. Re:Scripting host? by IntlHarvester · · Score: 5

    NO -- disabling the Scripting Host is an idiotic response dreamed up by dunderheaded MCSEs. It's like disabling Bash or Perl on a Linux box -- it prevents one or two specific things from going wrong, but it also axes a big bunch of functionality.

    The ILOVEYOU worm just happened to be a VB Script. It could have also been recompiled into an EXE with trivial changes. It could have been coded in Perl, Delphi, C++, and so on. There's nothing special about things running in the scripting host.

    The *real* problem is Outlook's automation object model. By providing an API where Exchange data can be scanned and mail can be sent without user interaction, they are setting themselves up for all sorts of worms (or worse, targeted industrial espionage).

    What Microsoft should really include is a dialog box -- "Warning -- a program is trying to automatically send a mail message to xxx@yz.com! Proceed? Yes/[No]/See Message". This would stop mail worms pretty quickly. Better yet, give the Exchange admins control over whether things like this are even possible on their systems.

    Forcing users to change how they handle executables is a start, but doesn't solve the real problem -- a poorly implemented COM API.
    --
    Business. Numbers. Money. People. Computer World.