Free Republic

Severe(?) Outlook/Outlook Express Security Problem
SecurityTracker Monday Morning Vulnerability Summary - Jul 22 2002 | 22 July 2002 | SecurityTracker

Posted on 07/22/2002 7:33:24 AM PDT by MikeJ

Several vulnerabilities were reported in Outlook Express (OE). A remote user can send malicious e-mail with an attachment that will bypass OE's malicious file type filter and misrepresent the name and size of the file.

http://securitytracker.com/alerts/2002/Jul/1004805.html


TOPICS: Miscellaneous; Technical
KEYWORDS: exploit; express; lookoutexpress; lowqualitycrap; malware; microsoft; outlook; security; securityflaw; vulnerability; windows
This looks pretty severe to me. Comments?
1 posted on 07/22/2002 7:33:24 AM PDT by MikeJ

To: MikeJ
99% of the viruses on the Internet target Outlook. Outlook is a virus in and of itself. No other email client has a powerful, non-secure scripting language built right in for easy hacker access.
2 posted on 07/22/2002 7:36:45 AM PDT by E. Pluribus Unum

To: MikeJ
Just another reason to not use MS LookOut!
3 posted on 07/22/2002 7:37:16 AM PDT by shadowman99

To: Mo1
Thought you might want to take a look at this. Isn't Microsoft wonderful?
4 posted on 07/22/2002 7:38:39 AM PDT by sweetliberty

To: MikeJ
I would guess this will be patched by MS shortly...however the fundamental issue is why do users open unsolicited attachments?

I have been on the net for 5 years, received hundreds of viruses and deleted every one of them.

This does require some common sense of course...in short supply apparently.

5 posted on 07/22/2002 7:40:05 AM PDT by Voltage

To: MikeJ
Yet another reason to buy a Macintosh. Running a user friendly UNIX based system doesn't leave you vulnerable to every virus on the planet. The Macintosh is clearly superior, yet people have been brainwashed into buying whatever crap Microsoft puts into the marketplace.
6 posted on 07/22/2002 7:40:39 AM PDT by Astronaut

To: Voltage
Even users smart enough to avoid opening .exe or .bat files may be fooled into opening a .mov or a .gif. Almost everyone will open a 'safe' file type that appears to come from a trusted source.
7 posted on 07/22/2002 7:43:29 AM PDT by MikeJ

To: MikeJ
I stopped using Outlook in favor of Eudora several months ago. Outlook has no way to prevent rendering of HTML in the preview pane. This allows spammers to encode your email address in their HTML in such a way that any application that renders the HTML will contact their website and let them know they've hit a live address - all without your action or knowledge.

Eudora gives an option to not render the non-textual parts of an HTML message, thus preventing such tricks.

8 posted on 07/22/2002 7:45:08 AM PDT by poindexters brother
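
The tracking trick described in post 8 can be checked for on the receiving side. The following is an added example, not part of the original thread: it lists the remote URLs an HTML renderer would fetch on display and marks those that carry the recipient's address in plain, percent-encoded or base64 form. The message, addresses and hosts are constructed placeholders.

```python
import base64
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

RCPT = "reader@mail.example"  # constructed placeholder recipient
TOKEN = base64.urlsafe_b64encode(RCPT.encode()).decode()
# Constructed sample message (not from the thread); all hosts are placeholders.
SAMPLE = f"""From: offers@sender.example
To: {RCPT}
Content-Type: text/html; charset="us-ascii"

<html><body background="http://cdn.example/bg.gif"><p>Hello</p>
<img src="http://tracker.example/o.gif?u=reader%40mail.example" width=1 height=1>
<img src="http://tracker.example/b/{TOKEN}.gif">
<img src="cid:logo123"><a href="http://shop.example/">shop</a>
</body></html>
"""

class AutoLoadFinder(HTMLParser):
    """Collect remote URLs a renderer fetches as soon as the message is displayed."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            auto = name in ("src", "background") or (tag == "link" and name == "href")
            if auto and value and urlsplit(value).scheme in ("http", "https"):
                self.urls.append(value)

def identifies_recipient(url, rcpt):
    """True if the URL carries the address in plain, percent-encoded or base64 form."""
    raw = rcpt.encode()
    tokens = {f(raw).decode().rstrip("=") for f in (base64.b64encode, base64.urlsafe_b64encode)}
    return rcpt.lower() in unquote(url).lower() or any(t in url for t in tokens)

def audit(raw_message, rcpt):
    """Return (url, carries_recipient) for each auto-loaded remote URL in HTML parts."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = AutoLoadFinder()
            finder.feed(part.get_content())
            found += [(u, identifies_recipient(u, rcpt)) for u in finder.urls]
    return found

if __name__ == "__main__":
    print(*audit(SAMPLE, RCPT), sep="\n")
```

Embedded `cid:` images and ordinary links are not reported, because neither causes a network request when the message is merely displayed.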

To: sweetliberty
Thanks Libby
9 posted on 07/22/2002 8:07:35 AM PDT by Mo1

To: MikeJ
MikeJ says "Even users smart enough to avoid opening .exe or .bat files may be fooled into opening a .mov or a .gif. Almost everyone will open a 'safe' file type that appears to come from a trusted source"

I take this as a compliment...I delete irrespective of the type when the attachment is unsolicited.

10 posted on 07/22/2002 8:10:35 AM PDT by Voltage

To: MikeJ
In the past several weeks I have had multiple emails infected with the KLEZ virus come through my Outlook mailbox. But in each case the Norton Virus Protection caught it and isolated the infected files.
Perhaps more "virus protection" education is in order. People think they can operate a computer (on the cutting edge of technology, perhaps made simple to use through the modern operating systems, but nevertheless a very intricate and complex machine) with little or no regard to safety warnings. Time after time I had clients tell me that they "already have virus protection. It came on my system". What they have is a free trial version that is never updated. They just do not understand.
Just as a little test, when the AT&T technician came to install the Internet Cable connection to my office a couple years ago, I asked him in the most naive voice I could muster, "Now do I need some sort of virus protection with this cable thing?" His answer was, "nawww, don't worry about it. All those virus scare reports are just to sell more products. Very few people ever really need them and especially with the cable". Needless to say I had to suppress the urge to strangle him with my printer cable.
Viruses will always be with us, we need to concentrate more on educating people on how to control them and defend against them. When fewer people can be intimidated by a virus it will begin to take all the fun out of creating them. The problem is that so many "techies" want to keep these matters way too technical. They may fear that when the masses learn how to really control viruses then there will not be a need to call on the paid technician. They may want the masses to use computers, but not to learn enough about them to avoid the need to hire a technician. Are we afraid to educate them?
11 posted on 07/22/2002 8:15:17 AM PDT by Apple Pan Dowdy

To: poindexters brother
In Outlook 2000 I delete all unsolicited/unknown emails without opening them, and leave 'Preview Pane' and 'AutoPreview' turned off. Won't this method work pretty well for safety?
12 posted on 07/22/2002 8:20:51 AM PDT by Buckwheats

To: MikeJ
Outlook/Outlook Express Security Problem

This is news? It's like posting a thread "Clinton Lies".

13 posted on 07/22/2002 12:19:42 PM PDT by steve-b

To: Buckwheats
In Outlook 2000 I delete all unsolicited/unknown emails without opening them, and leave 'Preview Pane' and 'AutoPreview' turned off. Won't this method work pretty well for safety?

It'll work if you don't mind not being able to preview your email and not being able to receive unexpected email from old friends.

14 posted on 07/22/2002 6:06:38 PM PDT by poindexters brother

To: MikeJ
There is no security MS should create that will prevent receipt of viruses... viruses are sent to you, and the job of your email program is to receive mail. If it receives mail, it is doing its job. Outlook's job is not to scan mail for content.

The reason people write viruses for Outlook is not Outlook's weakness, but its popularity. The same reason terrorists hit places where lots of people are, not lone cabins in the woods. They want to get the most hits, so they write the code for that program. If you choose to use software that no one else uses, you are safe because you are obscure, not because the product is. If your product became the popular choice, then you would become the popular target.

I use Outlook, and an always-updated virus software (PC-cillin now). I use my email address extensively for work and pleasure, so I am in a thousand address books... I receive occasional viruses that PC-cillin detects and cleans.

If you do receive a virus, trust me, it will be from a "trusted source". That is how they work... People think they can avoid a virus by not opening mail from strangers... ummm... viruses use the address books of those that get infected. If your mom gets the virus, she will be the one sending you the email.

That said, I receive and send a lot of attachments, both for work and pleasure. I can identify legit messages and file types from non-legit ones. An Excel spreadsheet sent from our bookkeeper with a question about the figures, is not a virus... A "sexy screensaver" or a "nude picture of Anna Kournikova" from our bookkeeper, who is a married godly woman, probably is a virus.

The preview pane in Outlook is a bad idea, because it effectively "opens" the text or html part of the message before you can make a judgment.

Just trying to stop some of the myths....

</rant>
15 posted on 07/22/2002 6:26:20 PM PDT by HairOfTheDog

To: shadowman99
So, which email pgms do you all suggest, and where to find them?
16 posted on 07/22/2002 10:05:53 PM PDT by womanvet

To: Voltage
This does require some common sense of course...in short supply apparently.

Haven't you heard? Common sense is an oxymoron. :)

17 posted on 07/22/2002 10:16:51 PM PDT by Keith in Iowa

To: womanvet
If you're into news groups, go to:

http://www.forteinc.com/main/homepage.php

And get the full version of Agent. It has by far the best filter-scripting language I have found in an e-mail client. I have several generic filters that catch the majority of the spam and kill it before I even have to look at it - and I have some filters that kill by domain.
18 posted on 07/22/2002 10:20:40 PM PDT by Keith in Iowa

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.