http://www.wired.com/news/infostructure/0,1377,60781,00.html

By Michelle Delio
Oct. 14, 2003

A new version of Microsoft Outlook makes it harder for spammers and scammers to invade users' computers through their e-mail.

The software, available at the end of October with the release of Microsoft Office 2003, boasts more-aggressive security features, more options to disable malicious or snoopy code embedded in e-mails and attachments, and additional ways to block spam and other unwanted e-mail.

Security experts are giving mixed reviews to the updated version of the popular e-mail program. Some say little is innovative in Outlook 2003 -- many of the new features are already included in other e-mail programs like Eudora. Others say the changes are a step in the right direction for Microsoft.

"I'm glad to see that Microsoft is taking some initiative in engineering their applications for security, rather than relying solely on patching vulnerabilities as they're discovered," said security researcher Robert Ferrell.

Ferrell said one of his main concerns about Microsoft in the past is that "they seem to expect the rest of the world to do their application testing for them gratis, and they ship most of their products with virtually all of what few security features they do have turned off by default."

In previous versions of Outlook, users had to manually reset Outlook security options to achieve the highest level of protection. However, security options in the new version are set by default at the highest level.

Outlook 2003 also allows users to disable all macros -- programming code that can be concealed within a document or e-mail and can contain a virus. All unsigned (essentially unidentified) macros will not run automatically, no matter whether a user has opted to block macros or not.

If Office 2003 is running on Microsoft Windows XP, users or system administrators can also set up a "safe publisher" list. Executable files or macros originating from any sources not on the safe list will be automatically disabled.

"Hopefully the Trustworthy Computing initiative, painfully slow to actual implementation though it's been, is finally beginning to bear some fruit," said Ferrell. "Default rejection of unsigned macros is a positive step forward, as is the ability to designate certain sites as trusted publishers."

Microsoft launched its Trustworthy Computing initiative in January 2002, in an effort to reduce the number of security problems that affected its software. The move included special training and "security boot camps" for Microsoft programmers, but some experts have said the results may not be seen until future products are released.

Enhanced privacy protections are woven into all of Office 2003's applications, particularly in its Web bug-barricading abilities and other antispam features.

Outlook 2003 allows users to block receipt of all e-mailed HTML content, which puts an end to nonsensical animated junk mail featuring frantically flashing titles, dancing products, juggling animals and other images.

Blocking HTML also squashes Web bugs -- tiny graphics containing code that can be inserted into e-mail allowing advertisers to collect personal data when recipients read bugged messages.

"I think the new Web bug-blocking feature will be helpful for making spam less successful," said security researcher Richard Smith. "But apart from that there's not much else here (in Outlook 2003) that's new, as far as security goes."

Microsoft Office product manager Simon Marks said the enhanced security in Outlook 2003, and other Office 2003 applications, doesn't necessarily come from new features.

"The Office development teams devoted tens of thousands of hours to reviewing every line of code in the Microsoft Office system," said Marks. "This effort wasn't about developing new features.... It was to identify and eliminate vulnerabilities and learn about better ways to design code and deliver more secure products to our customers."

The success of the new security features in Outlook 2003 will only be proven once independent researchers and malicious hackers have a chance to examine the application in depth. But the antispam features appear to have been noticeably upgraded.

The new junk-mail filter uses a neural decision engine, a simple form of artificial intelligence, to train itself to recognize spam. It considers such factors as the time the message was sent and the content and structure of the message.

The filter also learns to screen out spam based upon what users identify as junk mail in their inbox and what messages they mark as legitimate e-mail that ended up in their junk-mail folder by mistake.

In a weeklong test of the new filter, set to a moderate level of aggressiveness (Outlook ships with the filter set to low) Outlook 2003's ability to identify and block junk mail was noticeably improved compared with Outlook 2002.

Outlook 2003 accurately blocked roughly 85 percent of an average day's spam, while 2002 topped out at about 65 percent, an increase of 20 percent more junk e-mail filtered. That said, free open-source filters like SpamBayes can block about 98 percent of spam.

Outlook 2003, and all of the applications included in Office 2003, will also include Information Rights Management abilities that allow users to:

* prevent or limit other people's access to a file
* restrict the number of times a document can be copied or printed
* prevent sending a file as an attachment and prevent forwarding e-mail to unauthorized users

However, Information Rights Management features are only supported in Office 2003 applications. As a result, no matter what controls are set, a protected file will probably only be readable by other Office 2003 users.
That means users will likely opt to avoid applying rights management on any documents they intend to share with anyone who might not have upgraded to Office 2003.