Slashdot Mirror


New Outlook Bug Doesn't Require Users To Interact With Emails To Be Compromised (softpedia.com)

An anonymous reader writes: A new bug in Outlook means an attacker only has to send you an email, and without you clicking anything or downloading attachments, your computer can be compromised. The bug [PDF] exists because Outlook allows Flash objects to be previewed without a sandbox. Flash files are demon spawns, and attackers can put exploits in malicious files which, when previewed or viewed inside an Outlook application, will automatically execute their payload.

102 comments

  1. Dreaming of an alternate universe. by Anonymous Coward · · Score: 2, Insightful

    How much better would the world be without Microcrap and Flash?
    Pity, they are like a plague. Like Zombies. We don't seem to be able to get rid of them.

    1. Re:Dreaming of an alternate universe. by gweihir · · Score: 1

      More like AIDS...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Dreaming of an alternate universe. by eric_harris_76 · · Score: 1

      Apparently, it wouldn't be.

      People chose -- and keep choosing -- Microsoft products often enough to keep the company in business and doing fine, instead of buying, well, whatever else is next-best in their minds.

      And what might those products be, anyway? OS/2 and Lotus Notes, perhaps? And the other software they might want would be what, exactly?

      Sucky though MS products often are, they work pretty well at meeting customers' needs. Well enough, anyway.

      --
      There's no time like the present. Well, the past used to be.
  2. Ok. by Anonymous Coward · · Score: 0

    So, business as usual then.

    1. Re:Ok. by NoNonAlphaCharsHere · · Score: 4, Informative

      I really don't understand why TFS starts with "A new bug in Outlook..." - after all, it's the SAME bug in Outlook -- since about 1997. Looks like the marketing department at Microsoft, in their endless desire for yet more whizzo shit has (potentially/inevitably) won yet another Pwnie Award. Whenever I see someone with a palm-shaped bruise on their forehead, I know they're a Windows sysadmin. This one reminds me of that Windows Explorer bug that executed arbitrary code from inside image (picture) files when you opened the directory they were stored in.

      "As if millions of voices cried out 'DUH!!!' and were suddenly silenced."

    2. Re: Ok. by Anonymous Coward · · Score: 3, Funny

      Not really. The proposed new name is LookOut!

    3. Re:Ok. by penguinoid · · Score: 4, Funny

      Well, the fortune cookie did say "Outlook not so good".

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    4. Re:Ok. by allo · · Score: 2

      did you mean the magic 8ball?

    5. Re: Ok. by Mike+Van+Pelt · · Score: 1

      Not really. The proposed new name is LookOut!

      I've always called it OutBreak.

    6. Re:Ok. by countach · · Score: 1

      This is new by Outlook standards. Most Outlook bugs have a 30 year lifespan.

  3. I'm really excited by Anonymous Coward · · Score: 0

    I'm going to come back tomorrow just to read about how miserable Outlook is. So excited!

    Thank you, /., this is why I endure.

  4. Worth it by Anonymous Coward · · Score: 0

    "I got to see a tiny version of all the ads for V1agra every morning, so it was worth 100 hours of loss for the company. My pager went off when I was on the beach, but that feature is important" said the imaginary IT manager that lives in the brains of people who implement shit like this.

  5. Seems like Microsoft don't learn from mistakes by Z00L00K · · Score: 4, Informative

    The Melissa mail worm seems to be forgotten, but there's a new generation of coders now that weren't even in school when that occurred.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    1. Re:Seems like Microsoft don't learn from mistakes by Zontar+The+Mindless · · Score: 4, Funny

      This is what happens when companies require their workers to delete mails that are over 6 months old.

      --
      Il n'y a pas de Planet B.
    2. Re:Seems like Microsoft don't learn from mistakes by Anonymous Coward · · Score: 0

      Does anyone actually do that? I thought most workers would just copy their mail to a secret backup location, like a USB drive.

    3. Re:Seems like Microsoft don't learn from mistakes by Dr_Barnowl · · Score: 4, Insightful

      They install software that stops you writing to USB drives these days, to prevent corporate secrets being stolen.

    4. Re:Seems like Microsoft don't learn from mistakes by Anonymous Coward · · Score: 0

      it is very important

    5. Re:Seems like Microsoft don't learn from mistakes by jbengt · · Score: 4, Funny

      I ran into that a decade ago when my client needed to get me some data. But fortunately the company let their corporate secrets be written to a CD, instead.

    6. Re:Seems like Microsoft don't learn from mistakes by thegarbz · · Score: 1

      Yeah my company did that, so I backed up all my stuff via an SMB share and then copied it to USB.

    7. Re:Seems like Microsoft don't learn from mistakes by Anonymous Coward · · Score: 0

      In the USA, e-mails older than 6 months can be obtained by the government without a warrant. That might be why some companies require e-mail be deleted after 6 months. See also http://www.mcclatchydc.com/news/politics-government/congress/article24779989.html

      Stop using e-mail and switch back to using postal mail.

  6. Doesn't seem like anything new by JaredOfEuropa · · Score: 5, Informative

    Years ago we were warned to turn off Outlook previews, for exactly this reason. Also, my copy of Outlook doesn't download or render attachments (or even images) unless told to, for every individual email. As far as I know, that is the default behaviour. The danger is that you can whitelist senders so that their attachments are downloaded without confirmation, and spammers often use commonly used email addresses as the originator.

    The summary is incorrect as well. FTA: "The only condition is that the user views or previews the email in which the attacker has embedded a malicious Flash file." So you still need to click. The only exception is if your Outlook is set to always download attachments, show a preview, and if the malicious email is the last one to arrive, since the mail will then be shown in the preview window upon opening Outlook.

    Lastly, Flash needs to die

    --
    If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    1. Re:Doesn't seem like anything new by lucm · · Score: 4, Funny

      my copy of Outlook doesn't download or render attachments (or even images) unless told to

      That's why Lotus Notes is so amazing. Even when you tell it to, it doesn't download or render things. Security by mediocrity.

      --
      lucm, indeed.
    2. Re:Doesn't seem like anything new by Anonymous Coward · · Score: 1

      Lastly, Flash needs to die

      I think the summary already covered that adequately with

      Flash files are demon spawns

    3. Re:Doesn't seem like anything new by cbhacking · · Score: 2

      Removing or renaming the Flash binary, making it non-executable (yes, Windows has Execute permissions, just like *nix), or de-registering it from HKCR (ActiveX is just COM, and registers by GUIDs under HKCR\Classes, or using regsvr) are all valid options here, too.

      But yes, it's pretty goddamn stupid that Outlook should execute Flash. It doesn't allow scripts in HTML email, but it allows something that is a superset of what JavaScript can do? Moronic.

      --
      There's no place I could be, since I've found Serenity...
    4. Re:Doesn't seem like anything new by Anonymous Coward · · Score: 0

      It is deja vu over and over and over and over and over and over again...

    5. Re:Doesn't seem like anything new by KGIII · · Score: 1

      Heh... We used Lotus back in the day. I must admit, I don't recall ever liking it. At the time, I wasn't really able to find anything better that could be rolled out as quickly and I had other things to do and no real IT staff as of yet. I made those poor bastards put up with it for years. I am sorry. But, in my defense, it did *kind of* work, most of the time, and for some definition of work.

      --
      "So long and thanks for all the fish."
    6. Re:Doesn't seem like anything new by gweihir · · Score: 1

      Well, yes, and anybody with a clue has de-installed Flash long ago anyways, but Windows is the OS that is supposedly "easier" and aimed at non-experts. This means a lot of people will get hit by this.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:Doesn't seem like anything new by chipschap · · Score: 1

      That's why Gnus is so amazing...

    8. Re:Doesn't seem like anything new by mlts · · Score: 1

      The sad thing is, I seem to be seeing a resurgence in Flash because some website designers think that if they put all their content in a huge Flash file, nobody can steal their pictures or content. I thought all Flash sites were left in the ashbin of history, but I've stumbled upon several recently.

    9. Re:Doesn't seem like anything new by Anonymous Coward · · Score: 0

      The funny thing is that Lotus Notes was one of the first NoSQL stores. Everything was a document. Which made it great for weakly-structured data, but horrid at RDBMS type work.

    10. Re:Doesn't seem like anything new by Anonymous Coward · · Score: 0

      Don't forget - Sametime has animated GIFs as well!

      We are migrating away from Lotus right now - and this is the biggest disappointment in the migration. No more animated GIF wars!

  7. Outlook and Flash by Anonymous Coward · · Score: 1

    Providing access to people's computers and ensuring miserable but steady cleanup work for admins, relatives and acquaintances who "know computers" since time immemorial. Thank you, Microsoft and Adobe, for keeping the computer people fed over the holidays.

  8. Already fixed by Anonymous Coward · · Score: 4, Informative

    Why doesn't the summary mention that this was fixed by an update released on patch tuesday dec 8?

    1. Re: Already fixed by Anonymous Coward · · Score: 0

      You're new here... Selective summaries that put a + spin on open OSS n - spin on all else.

    2. Re:Already fixed by Vlad_the_Inhaler · · Score: 1

      That is only relevant up to a point.
      My home PC has no Flash, I only use Outlook for my work emails (vpn) and it is fully patched.
      The PC provided by the company has Flash - and I do not have the rights to uninstall it - and the latest set of updates have not propagated down to us yet. Microsoft Update is specifically disabled. Maybe the Flash version we have is new enough, maybe the company's mail scanner can keep this thing out. Maybe not.

      --
      Mielipiteet omiani - Opinions personal, facts suspect.
    3. Re:Already fixed by jrumney · · Score: 2

      The editors were too busy chuckling over the irony of releasing a story about an Outlook exploit involving a Flash infection vector, with a link to the details in a PDF doc.

    4. Re:Already fixed by Anonymous Coward · · Score: 0

      I had a chuckle at that as well. :)

    5. Re:Already fixed by Junta · · Score: 1

      I agree (my work system is woefully not up to date, I have no privilege to fix it, and I tear my hair out over a number of known bugs that have been fixed but that my company has not seen fit to push updates for). However, the link would be helpful if some person who is in charge of managing deployment of updates is made aware that there is a fix to be had. So the story is valid to show (it's not like it's a non-story because an update is available), but it should have an indication of the fix for those empowered to apply it.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    6. Re:Already fixed by Anonymous Coward · · Score: 0

      You clearly need to find an exploit or bug that will let you execute those updates as an administrator ;)

    7. Re:Already fixed by Simulant · · Score: 1

      Hopefully not the same patch that broke about a dozen other things to the point where most people uninstalled it.

    8. Re: Already fixed by Anonymous Coward · · Score: 0

      I use Flash ESR v18. Adobe is effectively phasing the ESR version out starting in January. I DO NOT use Adobe Reader nor will I ever.

    9. Re:Already fixed by Anonymous Coward · · Score: 0

      Because here at Slashdot amongst our weaponry are such diverse elements as: fear, uncertainty, doubt, an almost fanatical devotion to Saint IGNUcius, and nice red uniforms.

      What else do you want to know?

    10. Re:Already fixed by Zero__Kelvin · · Score: 1

      You forgot idiots who don't know how to create an account and log in!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    11. Re:Already fixed by Anonymous Coward · · Score: 0

      Nah, I forgot about idiots that forgot that you don't have to login to make comments here.

  9. Flash files are demon spawns by Anonymous Coward · · Score: 0

    Sounds about right.

    1. Re: Flash files are demon spawns by Anonymous Coward · · Score: 0

      This.

  10. I am surprised about Outlook by Anonymous Coward · · Score: 0

    Given the scale of stuff being exploited in email, I am surprised at how Outlook handles Flash in emails.

  11. Another case... by Anonymous Coward · · Score: 0

    ... for using webmail.

    I ditched PC-based email clients years ago and never looked back.

    Plenty of good, reliable web-based options out there...

    1. Re:Another case... by Zontar+The+Mindless · · Score: 1

      As long as you've got an Internet connection, you can read mails you received 5 minutes before your Internet connection went down. Sounds good to me.

      --
      Il n'y a pas de Planet B.
    2. Re: Another case... by Anonymous Coward · · Score: 0

      Which has what to do with this? The issue isn't a Flash exploitable bug in Outlook. The issue is Outlook letting Flash run. Kinda like, you know, web email does all too often.

      If you use script blockers and such, great. Too many people don't.

    3. Re: Another case... by Zero__Kelvin · · Score: 1

      "The issue isn't a Flash exploitable bug in Outlook. The issue is Outlook letting Flash run."

      Are you trying to give us whiplash? You seem to think that the domain of bugs is limited to code that is intended to do one thing that does another. Another perfectly valid class of bugs is one where the code does exactly what is intended and that's the actual problem. This bug is the kind described by your second sentence. By definition, any code that allows an exploit is a bug, even when that code works as designed.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re: Another case... by Sigma+7 · · Score: 1

      By definition, any code that allows an exploit is a bug, even when that code works as designed.

      A major security flaw with older computers is that they automatically execute a boot sector virus from a floppy drive. The automatic execution bug has since been fixed in modern BIOS, complete with a keypress that allows you to manually boot from floppies if necessary.

      Outlook automatically executing code is no different, with the exception that it should never automatically execute in the first place. Note that Outlook was the first to implement the Goodtimes virus, while all other email clients were practically immune.

  12. So to summarise TFA... by ray-auch · · Score: 1

    * It's yet another flash bug, Outlook is just the host instead of IE or whatever. If you still have Flash on your system you should just assume you are pwned already and post your bank account, credit card details and nude photos straight to 4chan to shorten the painful process
    * It is not even zero-day, like many Flash bugs are, because it's already patched/fixed (by MS on the Outlook side by the looks of it)
    * It only affects you if you have preview window on, _and_ the malicious email happens to be the first one in the mailbox when Outlook is started
    * If you still remember when internet connection speeds were measured in baud and you had to whistle for your email, you will use email in the way $deity intended and get the headers first so (at least some of) the crap never even hits your system, making this even less likely

    Still, the real patch MS should issue is the one that kills Flash, at least as an embedded object, forever, it is just a serial security hole that Adobe are incapable of maintaining properly.

    1. Re:So to summarise TFA... by climb_no_fear · · Score: 3, Informative

      * It's yet another flash bug,

      It is not just Flash. If you read the article more carefully, you would have seen this (from the article):

      We use Flash OLE object as an example since Flash (zero-day) exploits are easy to obtain by attackers, but please note that there are other OLE objects may be abused by attacker, as not only Flash but also a number of other OLE objects can be loaded in Outlook.

    2. Re:So to summarise TFA... by penix1 · · Score: 2

      I am going to hit on a few of your points...

      * It's yet another flash bug, Outlook is just the host instead of IE or whatever. If you still have Flash on your system you should just assume you are pwned already and post your bank account, credit card details and nude photos straight to 4chan to shorten the painful process.

      The problem is two pronged. Yes, having flash installed is a huge risk but the other part of the prong that keeps flash alive is the multitude of sites out there that require it for whatever reason. Until those sites stop requiring flash to operate correctly, you will see flash hanging in there.

      * It only affects you if you have preview window on, _and_ the malicious email happens to be the first one in the mailbox when Outlook is started.

      You forgot to add in "and you view email in HTML." I have Outlook (at work) set to only use plain text for both receiving and sending. Allowing HTML in email is the stupidest thing ever implemented. That is what truly needs to die!

      * If you still remember when internet connection speeds were measured in baud and you had to whistle for your email, you will use email in the way $deity intended and get the headers first so (at least some of) the crap never even hits your system, making this even less likely.

      The headers won't tell you shit about embedded flash. So when 80 year old Aunt Marge gets pwned and used as a relay for this bug you still get it.

      --
      This is a sig. This is only a sig. Had this been an actual sig you would have been informed where to tune for more sigs.
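A defender-side audit for the two mitigations raised in this thread (cbhacking's suggestion to de-register the Flash OLE control from HKCR, and penix1's plain-text reading setting), as an added example that is not from any commenter. It assumes the Flash Player ActiveX CLSID {D27CDB6E-AE6D-11cf-96B8-444553540000} and Outlook's ReadAsPlain registry option, neither of which the thread names; it only reads the registry and changes nothing.

```powershell
# Added example, not from the thread. Read-only audit of two mitigations the
# comments describe: (1) is the Flash ActiveX/OLE control still registered in
# HKCR, and (2) is Outlook set to read standard mail as plain text.
# Assumed, not stated in the thread: the Flash Player ActiveX CLSID below and
# the ReadAsPlain value under HKCU:\Software\Microsoft\Office\<ver>\Outlook\Options\Mail.
$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'

function Get-FlashActiveXStatus {
    # HKCR has no default PSDrive; address it through the Registry provider.
    # HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes,
    # so a per-user registration is caught as well.
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$FlashClsid"
    if (-not (Test-Path $clsidKey)) {
        return [pscustomobject]@{ Registered = $false; Server = $null; BinaryPresent = $false }
    }
    # The COM server path is the (default) value of the InprocServer32 subkey.
    $server = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    $present = $false
    if ($server) {
        $present = Test-Path ([Environment]::ExpandEnvironmentVariables($server.Trim('"')))
    }
    [pscustomobject]@{ Registered = $true; Server = $server; BinaryPresent = $present }
}

function Get-OutlookPlainTextStatus {
    # Enumerate installed Office version keys (e.g. 15.0, 16.0) instead of hard-coding one.
    Get-ChildItem -Path 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
        ForEach-Object {
            $mailKey = "$($_.PSPath)\Outlook\Options\Mail"
            # A missing key or value simply yields $null, reported as "not set".
            $value   = (Get-ItemProperty -Path $mailKey -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain
            [pscustomobject]@{ OfficeVersion = $_.PSChildName; ReadAsPlain = ($value -eq 1) }
        }
}

# Report: a registered control whose binary is still on disk means the OLE
# object can be instantiated by any host that loads it, Outlook included.
$flash = Get-FlashActiveXStatus
if ($flash.Registered) {
    Write-Output "Flash ActiveX registered: $($flash.Server) (binary present: $($flash.BinaryPresent))"
} else {
    Write-Output 'Flash ActiveX not registered in HKCR.'
}
Get-OutlookPlainTextStatus | ForEach-Object {
    Write-Output "Outlook $($_.OfficeVersion): ReadAsPlain = $($_.ReadAsPlain)"
}
```

Renaming the binary without de-registering (one of the options in the thread) shows up here as Registered = True with BinaryPresent = False, which is why both are reported.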
    3. Re:So to summarise TFA... by Anonymous Coward · · Score: 1

      You forgot to add in "and you view email in HTML." I have Outlook (at work) set to only use plain text for both receiving and sending. Allowing HTML in email is the stupidest thing ever implemented. That is what truly needs to die!

      Amen. Though I thought everyone with 1/2 a clue knew to turn that off 10 years ago, along with the preview crap.

    4. Re:So to summarise TFA... by Anonymous Coward · · Score: 0

      > Allowing HTML in email is the stupidest thing ever implemented. That is what truly needs to die!

      Why, exactly? Is it any stupider than viewing HTML in web pages? They're both just data you retrieve over a network and render on the desktop/mobile screen.

      Perhaps the real problem is blindly executing someone else's code off the net. HTML is just markup, and by itself should be completely benign.

    5. Re: So to summarise TFA... by Billly+Gates · · Score: 1

      Websites are notorious for phb wanting to maximize viewers and being conservative. A 180 from 1999. These same owners just a few years ago demanded IE 6 compatibility too. If Chrome and IE stopped including flash the problem will fix itself.

    6. Re:So to summarise TFA... by Zero__Kelvin · · Score: 1

      Great list of all the reasons it isn't really a problem, even though it is. You seem to have provided a pretty one sided list though. Are you sure you can't come up with any line items that don't sound like you work for Microsoft PR?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    7. Re:So to summarise TFA... by dbIII · · Score: 1

      Or kills Outlook. This is just the latest of a long list so it's probably best for a new mail client instead of a house of cards stacked on the original piece of utter shit Outlook Express flaws. It's been going on for so long and is so sprawling that it's a safe bet that there is code in MS Outlook that no current MS employee has taken the time to understand.

  13. and yet Thunderbird is end of life? by Anonymous Coward · · Score: 0

    and yet Thunderbird is end of life?

    What idiot posted that story yesterday? HAHAHAH

  14. Flash must be evil because HTML5 is so good? by TheRealHocusLocus · · Score: 4, Insightful

    Lastly, Flash needs to die

    Just curious... why are people on a coding site declaring "Flash needs to die" instead of something like, Flash needs to be completely deconstructed and rewritten by the open source community using the most conservative style of programming, a system that forces a multi-person review of commits, hit with the best enumeration tools we have, so that arbitrary code execution is not possible? Which might be possible because processor speed has improved since it was first designed and the assembly level hacks that made it possible are no longer necessary? And when we are done, the worst thing that could ever happen is that someone might display goatse.cx inside a Flash window?

    Instead of busting into the kitchen, grabbing pans off the wall and showing the chef how steak should be done, we sit at the table banging our forks and knives, shouting, "Down with meat!"

    It's easy to make fun of Outlook, where with maliciously crafted embedded binary OLE blobs you can trigger exploits in many versions of Microsoft products. The faults lie in the products themselves, not the Blob. But Flash is self contained and lives inside a little rectangle. It is cross platform, amply documented and widely used today. Why must it die? So that generations of beloved Internet content can be 'destroyed' overnight? It almost smells like book-burning.

    --
    <blink>down the rabbit hole</blink>
    1. Re:Flash must be evil because HTML5 is so good? by Junta · · Score: 1

      processor speed has improved since it was first designed

      Note that even as it is today, I have observed such flash heavy sites that a web browser can bring a pretty modern system to its knees. If you are implying that even slower flash would be acceptable because systems are faster, that would be a bad call. The issue is that for the most part, the role flash served can now be served with HTML, Javascript, and CSS, which do have open implementations. Rather than re-implementing the flash runtime, making every effort to port web content away from flash would go further toward sanity.

      To the extent flash needs to be a thing for sake of preservation (btw, same theoretically applies to Java applets, which don't work in most modern browsers), it should be some guarded thing limited to browsers, not some ubiquitous thing that can spring up in embedded html like email clients and help systems.

      --
      XML is like violence. If it doesn't solve the problem, use more.
    2. Re: Flash must be evil because HTML5 is so good? by Anonymous Coward · · Score: 0

      Flash gives you heat only for running it

    3. Re:Flash must be evil because HTML5 is so good? by Ol+Olsoc · · Score: 1

      Lastly, Flash needs to die

      Just curious... why are people on a coding site declaring "Flash needs to die" instead of something like, Flash needs to be

      Not that I disagree with your assessment, but Slashdot is "News for Nerds", and has all manner of different categories.

      And you'll note that the GP here managed to blame everything on everything else, like the user not setting the right settings, and Flash. That's why Microsoft stuff is so good - everything is the user's fault for allowing it to do what it does.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    4. Re: Flash must be evil because HTML5 is so good? by Billly+Gates · · Score: 1

      Because Flash is a binary executable. Executables run code. Running code is bad, security wise, from a freaking mail client or browser, and unnecessary. Worse, you can't edit it and need to use proprietary products to create them, against the spirit of the web.

      Flash took off to get around IE 6 and codec war incompatibility problems early last decade. It is 2015 now. More than time to move on

    5. Re:Flash must be evil because HTML5 is so good? by matbury · · Score: 1

      In broad terms, any argument Flash-haters can level at Flash can also be made against JavaScript (JS is just as likely to annoy you in as many ways as Flash). I remember when it was JS that was derided and Flash the way forward. Fashions in software platforms come and go. What we need is a decent, mature, fully-featured, free and open source scripting language for apps that run in web browsers (which JS isn't). I don't care what it is, whether it's ActionScript, Java, Python, or something else. However, that would be direct competition to all app stores and destroy their walled-garden business models and stop all the malware attacks resulting from people having to install apps on their desktops in order to run them. See: https://xkcd.com/1367/

    6. Re:Flash must be evil because HTML5 is so good? by Anonymous Coward · · Score: 0

      But Flash self contained and lives inside a little rectangle. It is cross platform, amply documented and widely used today. Why must it die? So that generations of beloved Internet content can be 'destroyed' overnight? It almost smells like book-burning.

      What beloved content would that be?
      I surf with NoScript. No Flash - not even JavaScript. Mostly a nice experience. A few half-broken sites need JavaScript turned back on. Cannot remember needing Flash though.

    7. Re:Flash must be evil because HTML5 is so good? by Dutch+Gun · · Score: 1

      Flash is a fully-functioning content system with a built-in programming language, written in a day when no thought was given to security, and it shows. It's a massive, massive attack surface that's been horribly exploited for over a decade, and it shows no sign of running out of flaws to exploit. It's not open source, so no one can proactively search for exploits or flaws, which means we must rely on Adobe's good graces to fix issues (which to their credit, they have so far).

      Flash is demonstrably dangerous, and with HTML5 now broadly supported everywhere, it's also largely irrelevant. There's very little need for it to exist in today's world - at least, not connected to a network where it can be easily exploited. Adobe's own tools can output either Flash OR HTML5 content equally well, and only one of those technologies is open and supported by all browsers without a dangerous, third-party, closed source plugin.

      There are good, technical, reasoned arguments for Flash to disappear. Comparing it to book burning is ludicrous. Also... "generations of beloved Internet content"? You're kidding me, right? Hyperbole much? My mother didn't grow up with Flash. Whatever content we lose, I'm sorry to say, will be sacrificed on the altar of public internet safety. Any time someone's machine gets pwned, it hurts them much more than whatever value the content had, and what's more, each infected machine is likely to turn around and harm the greater internet as well.

      HTML5/Javascript is, to be honest, just as potentially dangerous, but has the advantage of being both open and a broadly implemented standard, and thus has received much more security-related scrutiny from the wider community. Notice how there are much fewer system-compromising exploits that use only Javascript/HTML5 these days - aside from using Javascript to invoke Flash or Java, naturally. So, since we've already got one dangerous system and have been hardening it against attacks for many years now, it's probably best to keep content limited to that domain. Why keep a second, more dangerous target on our system as well?

      --
      Irony: Agile development has too much inertia to be abandoned now.
    8. Re:Flash must be evil because HTML5 is so good? by Anonymous Coward · · Score: 0

      Yup, that's a huge Red Flag.
      "So that generations of beloved Internet content can be 'destroyed' overnight?"
      Flash, in terms of "Generations", is barely one "Generation" old. Macromedia rebranded FutureSplash Animator as Macromedia Flash in 1996. Flash is not even old enough to drink, although it's driven many to do so since.
      Now, let's get specific about "beloved Internet content". Just what is that? Tired old Homestar Runner and... and...

      " It almost smells like book-burning." Books were burned because of their contents, not because of the way that they were delivered. If books were responsible for the spreading of the Black Death in the Fourteenth Century, then they _should_ have been burned.
      The _only_ People who support Flash these days are makers of lazy Games For Morons, Advertisers, and spreaders of Malware. It ceased being a Medium for truly creative endeavors a long time ago.

      Lastly, the biggest problem with Flash is people like TheRealHocusLocus. The Flash Community is incredibly blind to the fact that the problems with Flash are _their_ problems, not ours. They have no sense of Professionalism, no code of Ethics, and no means to root out the bad actors and exterminate them.
      They just say "I'm a _Good_ Flash Developer. It's not my problem."
      Assholes.

    9. Re:Flash must be evil because HTML5 is so good? by Zero__Kelvin · · Score: 1

      " any argument Flash-haters can level at Flash can also be made against JavaScript "

      Really. Javascript is a proprietary tool from Adobe? I did not know that!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    10. Re:Flash must be evil because HTML5 is so good? by allo · · Score: 1

      But flash is content and scripting.
      You can turn off js and read slashdot. But you cannot turn off flash and see a flash movie. Even when the movie itself would not need user interaction (scripting).

    11. Re:Flash must be evil because HTML5 is so good? by Anonymous Coward · · Score: 0

      Lastly, Flash needs to die

      ...

      tl;dr "Better to light one candle than to curse the darkness."

    12. Re:Flash must be evil because HTML5 is so good? by Nemyst · · Score: 1

      Largely because it's a big binary blob (even open source, it still would be) that at this point doesn't do a whole lot that Javascript + CSS3 + HTML5 can't do, and it can be argued that the things it can do that those standards cannot shouldn't be present in a web page anyway. Flash has been abused to provide the most annoying and obtrusive ads, the least standard and most awkward "web apps", a bunch of shitty Newgrounds games and so on. That's before you talk about the insecurity of a binary blob getting executed in the web page with the browser having very limited knowledge of what's actually going on.

    13. Re:Flash must be evil because HTML5 is so good? by Anonymous Coward · · Score: 0

      Exactly this. It is still the user's fault even when Microsoft takes the choice away and makes it on behalf of the user.

    14. Re:Flash must be evil because HTML5 is so good? by Anonymous Coward · · Score: 0

      All i can find is this quarter-stick of dynamite... will that work? I've found it makes a lot of my problems just go away.

    15. Re:Flash must be evil because HTML5 is so good? by J.+J.+Ramsey · · Score: 1

      Bear in mind that there already have already been several open-source attempts at rewriting the Flash Player -- namely Gnash, Lightspark, and Mozilla's Shumway -- and all of them are still relatively immature. In short, the plan of attack that you suggest has already been tried.

    16. Re:Flash must be evil because HTML5 is so good? by Anonymous Coward · · Score: 0

      But Flash self contained and lives inside a little rectangle. It is cross platform, amply documented and widely used today. Why must it die? So that generations of beloved Internet content can be 'destroyed' overnight? It almost smells like book-burning.

      What beloved content would that be?
      I surf with noscript. No flash - not even javascript. Mostly a nice experience. A few half-broken sites need javascript turned back on. Cannot remember needing flash though.

      Bank of America has a feature for its credit cards that allows you to generate a new credit card number with whatever expiration date and credit limit you want on the fly. It gets tied to a single vendor that you choose upon first use.
      You use it for online shopping or to pay for things on sites that you suspect will do automatic renewals.
      And it requires flash.
      I don't have Adobe flash installed, so I have to use Google Chrome to get my "SafeShop" card, which means I'm using flash, but not That Flash.

      So, here is an example of a useful flash thing. And it is beloved.

    17. Re:Flash must be evil because HTML5 is so good? by Anonymous Coward · · Score: 0

      I once also thought flash must die. But now I see how html5 is developed and html5 must die. Native applications are always better, why should we move everything to a browser?

      HTML5 has some APIs which have security-related bugs, some APIs which are simply useless, but it doesn't have Crypto API or something like this. Only U2F seems to be great. HTML5 has WebRTC (why? we already have SIP), 3D canvas and WebGL (I always thought the web is for text and games must be client-side, less lags and more stable), HTML5 web-applications (again, why? HTML is a HYPER-TEXT markup language. Just text! Why should we use that hmm strange javascript to create applications? And that DOM model?)

      It's a cult of browser.

    18. Re:Flash must be evil because HTML5 is so good? by Anonymous Coward · · Score: 0

      written in a day when no thought was given to security

      No thought by the Adobe people, but at exactly the same time others were securing web browsers to enable internet banking.

    19. Re:Flash must be evil because HTML5 is so good? by matbury · · Score: 1

      You clearly don't understand English very well. I wrote, "In broad terms,..." I'm struggling to imagine how your point could be made more narrow.

    20. Re:Flash must be evil because HTML5 is so good? by matbury · · Score: 1

      But flash is content and scripting.
      You can turn off js and read slashdot. But you cannot turn off flash and see a flash movie. Even when the movie itself would not need user interaction (scripting).

      You could try comparing like with like: If you turn off JS in your browser, you can't see an HTML5 animation. HTML5+CSS3+JS is content and scripting. In fact, most of the JS animation utility libraries were ported from Actionscript (Flash).

    21. Re: Flash must be evil because HTML5 is so good? by Anonymous Coward · · Score: 0

      Been a lot of open source software with vulnerabilities found this past year alone.

    22. Re:Flash must be evil because HTML5 is so good? by allo · · Score: 1

      Yeah, and those are the pros and cons.

      Pro HTML5: You can see content without the rest
      Con HTML5: No way to save a full game / animation like with an .swf file.

  15. Why isn't flash rewritten to be good by Anonymous Coward · · Score: 0

    because adobe

  16. Use Thunderbird by Anonymous Coward · · Score: 0

    It doesn't allow external objects, like Flash, to be run by default, so you'd still be safe.

  17. All versions of flash uninstalled... what then? by LewekLeonek · · Score: 1

    Stating the obvious here, but if I uninstalled all versions/instances of Flash from my Win 7 x64 system I should be pretty safe from at least this one, or should I? Note at the bottom: Now the only flash player that I have right now is the pepper flash version installed by/with Chrome. Oh, and just in case, this is my workstation - hence running Windows... mandated by company. I have a couple of VMs to work in Linux/FreeBSD etc. but the main business desktop needs to be Windows.

    1. Re:All versions of flash uninstalled... what then? by Zero__Kelvin · · Score: 1

      That would certainly protect you from Flash exploits. You would still be vulnerable to other OLE based attacks but those are admittedly much less likely.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  18. People are still using outlook? by allo · · Score: 1

    Isn't it known to be insecure like since 2000?

  19. Disable flash on the OS level by WD · · Score: 1

    Yet another example of why Flash should be uninstalled at the OS level. For example, on Windows this means removing the Flash ActiveX control. If you ever encounter a web page that needs Flash (they're becoming less and less common), just open it in Chrome, which you have configured to use Flash as click-to-play.

  20. wish fulfilled by frovingslosh · · Score: 1, Funny

    The only reason that I use Outlook is that I want to be compromised.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  21. ILOVEU by Anonymous Coward · · Score: 0

    There's a scary thought. The developers working on Outlook today have never even heard of Anna Kournikova, much less had the pleasure of receiving thousands of emails about her from Outlook users.

  22. important point, actually. Mail doesn't need code by raymorris · · Score: 3, Insightful

    That's actually a valid and important point. Flash files are executable code. How many dozens of significant vulnerabilities have been caused by Outlook running macros, Flash, Javascript, and other types of executables embedded in emails? Outlook has at least three or four programming languages it can run from emails.

    That's entirely unnecessary. Many people, including myself, have always used email clients that just read email - they don't, and can't, execute anything. If security is important to you, it makes sense to consider whether your email reader really needs to be able to run code found within emails, whether your web browser needs to also be your desktop shell, as "a fundamental part of the Windows operating system", etc. There are many huge classes of vulnerabilities that can't happen if you choose software that simply does its job, without hundreds of tangential features bolted on unnecessarily.
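    The comment above argues that a mail client should never execute content found in a message. A complementary control on the gateway or in a triage script is to find the messages that carry such content in the first place. The following is an added example, not code from the thread or from any of the products discussed: it walks the MIME tree of a message and flags parts that are SWF files by magic bytes (the real "FWS"/"CWS"/"ZWS" headers of uncompressed, zlib and LZMA SWF), parts declared as application/x-shockwave-flash, and HTML bodies that embed the Shockwave Flash ActiveX control by its CLSID or point an object/embed tag at a .swf. The sample message is constructed inline for the demonstration; the sender, recipient and attachment bytes are made up.

```python
"""Flag Flash/active content embedded in an RFC 822 message.

Added example for the Outlook-previews-Flash discussion; not code from
the thread. The sample message at the bottom is constructed, not a real
capture, and the SWF attachment is only a header with padding.
"""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage

# Real SWF signatures: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
# CLSID of the Shockwave Flash ActiveX control, as used in <object classid="clsid:...">.
FLASH_CLSID = "d27cdb6e-ae6d-11cf-96b8-444553540000"

HTML_FLASH_PATTERNS = [
    re.compile(r"clsid:" + re.escape(FLASH_CLSID), re.I),
    re.compile(r"application/x-shockwave-flash", re.I),
    re.compile(r"""<(?:embed|object|param)[^>]+\.swf["'\s>]""", re.I),
]


def classify_part(part: EmailMessage) -> list[str]:
    """Return findings for one leaf MIME part; empty list means it looks like plain mail."""
    findings: list[str] = []
    ctype = part.get_content_type()
    payload = part.get_payload(decode=True)  # bytes for leaf parts, None for multipart containers
    if payload is None:
        return findings
    label = part.get_filename() or "inline"
    if ctype == "application/x-shockwave-flash":
        findings.append(f"declared Flash content type in part {label}")
    if payload[:3] in SWF_MAGIC:
        # Magic check is independent of the declared type: a renamed .swf still matches.
        findings.append(f"SWF magic {payload[:3]!r} in part {ctype} ({label})")
    if ctype == "text/html":
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        for pat in HTML_FLASH_PATTERNS:
            if pat.search(text):
                findings.append(f"HTML body embeds Flash: matched {pat.pattern!r}")
                break
    return findings


def scan_message(raw: bytes) -> list[str]:
    """Parse a raw message and collect findings from every part of the MIME tree."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []
    for part in msg.walk():
        findings.extend(classify_part(part))
    return findings


def build_sample() -> bytes:
    """Constructed message: text/plain + HTML with a Flash <object> + a bogus .swf attachment."""
    msg = EmailMessage()
    msg["From"] = "attacker@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Please see the attached report.")
    msg.add_alternative(
        '<html><body><p>Report</p>'
        '<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000">'
        '<param name="movie" value="report.swf"></object></body></html>',
        subtype="html",
    )
    # Deliberately mislabelled as octet-stream: the magic-byte check still catches it.
    msg.add_attachment(b"CWS" + b"\x0a" + b"\x00" * 16,
                       maintype="application", subtype="octet-stream",
                       filename="report.swf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

    The scan is a compensating control, not a fix: it catches the obvious carriers (an attached SWF, an HTML body that instantiates the control) but cannot see what a renderer will do with them. The root fix remains what the comment says, a reader that does not hand message content to an executable engine at all.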

  23. Email preview is evil by Anonymous Coward · · Score: 0

    n/t

  24. Does this affect outlook.com/hotmail.com? apk by Anonymous Coward · · Score: 0

    See subject: Heck w/ Outlook the program (part of MS-Office) or even outlook express - I'm concerned w/ the online model!

    * I'd be willing to bet it probably does - stupid IE plays video MINUS EVEN ASKING YOU - which is WHY I like Opera (it has a by site or global preference you can setup to play ONLY ON DEMAND (i.e. when YOU click on video to activate it only)).

    APK

    P.S.=> Thanks for the answer - I didn't get to read the article well & am "tied up" doing plumbing + insulation and sheetrock/mud/tape work... apk

  25. No problem! by rrohbeck · · Score: 1

    My Outlook 2003 isn't affected, yay!

    1. Re:No problem! by Anonymous Coward · · Score: 0

      Same here. 2003 was the last good version of MS Office.

  26. Microsoft drives customers toward open preview by Anonymous Coward · · Score: 0

    Outlook drives behavior toward that stupid preview pane, because Microsoft got cocky and assumed they had fixed the sandbox. You can't even configure the UI to not open the preview pane on new folders. You have to go into the folder, let the preview pane open, then go over to the tab where you can turn it off for just that one folder. As you are doing so, Outlook tells you that you're perfectly safe and should leave it open.

    Idiots.

  27. The actual bug seems to be different by Casandro · · Score: 1

    Apparently Outlook renders HTML-mail. That's unfortunately a common bug found in mail clients today. That's nearly as bad as some mail clients incorrectly encoding your mail as HTML.

  28. train wreck by Anonymous Coward · · Score: 0

    Wow, that lead sentence is a train wreck, even by Slashdot standards:
    "A new bug in Outlook allows attackers only to send you an email, and without clicking or downloading attachments, a user's computer can be compromised."

    There's so much wrong that it's hard to know where to start, but as an example, are we claiming that the attackers had no choice but to send the attack email? (Would that be a defense in court?)

    I'm pretty sure that what was meant is something like this:
    "A newly-discovered bug in Outlook allows attackers to compromise a computer by merely sending an email, even if the victim doesn't click a link or download an attachment."