[ISN] Microsoft Outlook's so-so security

From: InfoSec News (isnat_private)
Date: Fri Mar 22 2002 - 00:03:12 PST

  • Next message: InfoSec News: "Re: [ISN] Security Bug Disclosure Standard Dead In The Water"

    By Robert Lemos 
    Staff Writer, CNET News.com
    March 21, 2002, 3:40 PM PT
    Internet privacy researcher Richard Smith released on Thursday a list
    of four issues that continue to undermine the security of Microsoft's
    Outlook 2002 and could leave the major mail program open to attack by
    virus writers.
    Although Smith called only one of the issues "critical," he said he
    released the list to bring the potential security hazards out into the
    "I just wanted to get it off my table," he said. "I would like to see
    these issues addressed."
    The critique comes two months after Microsoft called for a
    "Trustworthy Computing" initiative. Kicked off by a memo from Chairman
    Bill Gates to every employee, the strategy aims to further secure the
    company's Windows operating system and other products.
    For the most part, Microsoft has done a decent job securing its mail
    program, Smith said, pointing to the latest security patch for Outlook
    2002 that eliminates most of the popular vectors for computer viruses.  
    Microsoft representatives were not immediately available for comment.
    But Smith said the company needs to do more to fully secure the
    program, especially around e-mail that includes HTML (Hypertext Markup
    Language), a collection of formatting commands used to create Web
    pages. He pointed to a drop-off in the prevalence of macro viruses
    following a security fix to Word 2000 that required macros to have a
    valid digital signature before running them.
    "So you can see, technical fixes do help," Smith said.
    Among the issues Smith called critical is the ability for an e-mail
    that includes a special HTML tag, known as an IFRAME, to run an
    attached program. That weakness could be used by a virus to spread to
    computers through Outlook.
    Other HTML problems included the ability to run JavaScript--a
    programming script that can be used to create interactive
    documents--in e-mails and the ability to read and set cookies via such
    e-mail. Cookies are small data files written to your hard drive by
    some messages when you view them.
    Smith's final beef, however, is that Microsoft sometimes goes too far
    in warning users of potential security hazards in fairly benign
    situations. When someone attempts to send a link to a friend through
    Outlook, the program will warn that the file could potentially be
    "It is sort of like crying wolf," Smith said. "It's hard enough to
    understand all this...without adding confusing alerts."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Mar 22 2002 - 03:39:54 PST