
"Security hole"?

Posted Oct 12, 2003 14:44 UTC (Sun) by TwoTimeGrime (guest, #11688)
In reply to: "Security hole"? by Jilks
Parent article: E-mail filters not fooled by signed spam (News.com)

I wish people would stop posting this FUD about Outlook. Outlook is very secure once you install the patches. You do install the patches on *your* computer, don't you? Or do you just install your software off a CD and hope that everything is secure forever?

"Security hole"?

Posted Oct 12, 2003 16:29 UTC (Sun) by dsime (guest, #5764)

Guess again.
Outlook will execute arbitrary commands, arbitrary to me but not to the sender, when the only action I take is to open the note.

In point of fact, I don't even have to do that, as the default configuration for Outlook is to display the inbox in such a way that it opens notes so you can see the "first few lines", just by having them highlighted on the list.
And the first one is always highlighted.

So in order for Lookout to execute arbitrary code all I have to do is start it.

THAT I would not think would classify as secure in anybody's book.

"Security hole"?

Posted Oct 12, 2003 16:43 UTC (Sun) by TwoTimeGrime (guest, #11688)

Care to tell us what these arbitrary commands are? I've had no problems with Outlook wanting to execute attachments or run code since I installed the available patches.

"Security hole"?

Posted Oct 13, 2003 7:45 UTC (Mon) by diegor (guest, #1967)

It's an old Outlook Express bug. I don't know exactly where it was fixed. BTW:
the trick is that Outlook was configured in a highly insecure way, so the autopreview opens any attachment that looks like an image.

So if you made an attachment that is an executable, named pippo.gif.exe (to fool the user) with MIME type 'image/gif', Outlook opens it using run32.dll.

But run32.dll recognizes that it is an executable, and runs it. Be happy, the nice autopreview feature has installed a new virus, even if you haven't clicked on the image....

The problem with Outlook (and many other office programs) is that until now they were not designed with security in mind.

Regards,
Diego.
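
The attachment trick described in the post above, worked through as an added example that is not part of the original thread or of any Microsoft code: a small Python script constructs such a message (a fake payload built inline, not a real program) and then runs the check a mail filter should apply, comparing three independent signals for every attachment: the declared Content-Type, the filename's real (last) extension, and the magic bytes at the start of the decoded payload. Any disagreement is reported. The function names (`scan_message`, `check_attachment`, `scan_sample`), the addresses and the executable-extension list are this example's own assumptions.

```python
import email
import mimetypes
import os
from email import policy
from email.message import EmailMessage

# Extensions Windows hands to the shell as programs. Assumption for this
# example: a representative subset, not a complete list.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# Magic bytes: every Windows PE image starts with the DOS "MZ" stub; GIF files
# start with one of two version signatures.
PE_MAGIC = b"MZ"
GIF_MAGICS = (b"GIF87a", b"GIF89a")


def final_extension(filename):
    """Lowercased last extension: 'pippo.gif.exe' -> '.exe'.

    The earlier '.gif' is what the user sees; the last extension is what the
    shell dispatches on, so that is the one that matters.
    """
    return os.path.splitext(filename)[1].lower()


def check_attachment(part):
    """Return the list of mismatches found in one attachment part (empty if none)."""
    findings = []
    filename = part.get_filename() or ""
    declared = part.get_content_type()
    payload = part.get_payload(decode=True) or b""
    ext = final_extension(filename)

    if ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable extension %r on %r" % (ext, filename))
    if payload.startswith(PE_MAGIC):
        findings.append("payload starts with a PE/MZ header")
    if declared == "image/gif" and not payload.startswith(GIF_MAGICS):
        findings.append("declared image/gif but payload has no GIF signature")
    guessed, _ = mimetypes.guess_type(filename)
    if guessed is not None and guessed != declared:
        findings.append("extension implies %s, header says %s" % (guessed, declared))
    return findings


def scan_message(raw_bytes):
    """Parse a raw message and map attachment filename -> findings (only flagged parts)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        findings = check_attachment(part)
        if findings:
            results[part.get_filename()] = findings
    return results


def build_sample_message():
    """Constructed sample message, not a real capture.

    Attachment 1 mimics the trick: a PE-looking blob named 'pippo.gif.exe'
    sent as image/gif. The blob is just an 'MZ' header plus filler, not a
    working program. Attachment 2 is a minimal genuine 1x1 GIF for contrast.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "look at this picture"
    msg.set_content("See the attached image.")
    fake_pe = b"MZ" + b"\x00" * 62 + b"not a real program"
    msg.add_attachment(fake_pe, maintype="image", subtype="gif",
                       filename="pippo.gif.exe")
    tiny_gif = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
                b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
                b"\x00\x02\x02D\x01\x00;")
    msg.add_attachment(tiny_gif, maintype="image", subtype="gif",
                       filename="cat.gif")
    return msg.as_bytes()


def scan_sample():
    """Run the scanner over the constructed message and return its findings."""
    return scan_message(build_sample_message())


if __name__ == "__main__":
    for name, findings in scan_sample().items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The point of checking three signals rather than one is that each is attacker-controlled on its own: the sender picks the Content-Type, the filename and the bytes. A filter that trusts the declared type is exactly the preview-pane mistake; a filter that only looks at the last extension misses a renamed executable delivered with a benign name and launched some other way. Disagreement between the signals is the cheap, reliable tell, and the genuine `cat.gif` attachment shows the check stays quiet when everything lines up.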

"Security hole"?

Posted Oct 12, 2003 22:49 UTC (Sun) by Ross (subscriber, #4065)

FUD?! First of all, I don't use Outlook, so I don't think I need to patch it.

Second of all, it is full of problems. I remember when the only email "viruses" were fake warnings (remember GOODTIMES?). I told users not to worry because viruses only spread by infecting executable code and only got a chance to run when you ran executable code which might be infected; text like their email was certainly not a problem. The funny thing being that users didn't realize it but _they_ were the ones spreading the "virus" (the fake warning), not their email programs.

Then along came Microsoft with the great idea of making everything into code. Macros for every file! Their idea was that reading email should be the same as executing it. Random instructions from a stranger should be executed by clicking to read a message. Kinda like their idea that opening a spreadsheet or a word processing document should mean that you execute it. Great idea guys. My overflowing mailbox does not thank you.

Users don't have to click an attachment to run it. Outlook will do it for them _automatically_ just to "help out". Unless recent patches finally disable that (that feature has been there for years so I'd be surprised if MS suddenly changed their mind) I don't think you are correct.

"Security hole"?

Posted Oct 13, 2003 2:38 UTC (Mon) by TwoTimeGrime (guest, #11688)

> First of all I don't use Outlook so I don't think I need to patch it.

Then you're probably not qualified to talk about it. I do use Outlook. All of the issues that you cited in your post have been addressed in the security patches that Microsoft has released for it. If you install them then you don't have those problems with macro execution or being able to run executable files from within Outlook unless you specifically disable the security checks.

> Users don't have to click an attachment to run it. Outlook will do it
> for them _automatically_ just to "help out". Unless recent patches
> finally disable that

Recent as of September 2000, yes.

I know Microsoft is an easy target and drags their feet on patches until someone embarrasses them into releasing them, but get your facts straight before you reply. What you should be doing is encouraging users of older copies of Outlook to install the latest patches on their system. Newer versions have the patches incorporated. If the security checks have been disabled then it's been done by the system administrator.

We could make the same arguments about people running older vulnerable versions of Apache or Sendmail or SSH but you'd tell those people that they should patch their systems. Yet when it comes to Outlook you'd rather point and hiss at it and Microsoft rather than the user who isn't patching their system or is administrating it poorly.

RE: I.E. "Security hole"?

Posted Oct 13, 2003 17:04 UTC (Mon) by scripter (subscriber, #2654)

I advise my relatives not to use Outlook, period. I tell them to use Mozilla Mail instead. Why? Basic risk assessment:

1. Outlook is one of the most common email clients, thus it is a better target for exploits. Running a lesser known, or lesser used email client generally translates to less risk.
2. Outlook has a track record of serious security problems. I'm sure more will be found. Other email clients have had problems, but not as high-profile, and not as damaging (partly due to #1).
3. Relatives like the pretty look of Mozilla Mail.
4. Mozilla keeps its email in a standard format, not a proprietary format.
5. Mozilla imports outlook email and the outlook address book, so switching is easy.
6. Mozilla isn't just an email client, it is also a web browser. Why not replace their web browser with something far more secure than I.E.? (I.E. continues to have a horrible track record for security)

Despite all of the above, most relatives prefer to keep using Outlook and Internet Explorer. Why?

1. It's what they know.
2. It's fast.
3. It's what their friends use.
4. They don't have to install something new.

So, I tell them how to install patches. Do they do it? No. Why?

1. They can't remember how to do it.
2. They don't want to tie up the phone while downloading updates. (Fortunately, most of them have dial-up instead of always-on connections, which limits their vulnerability to some degree).
3. They forget to do it.
4. They are lazy. It works, doesn't it?

RE: I.E. "Security hole"?

Posted Oct 13, 2003 17:46 UTC (Mon) by TwoTimeGrime (guest, #11688)

> Despite all of the above, most relatives prefer to keep using Outlook and
> Internet Explorer. Why?

Do you mean Outlook Express? Outlook is a completely different product from Outlook Express, for which there is currently no open-source equivalent on Windows.

Outlook vs Outlook Express

Posted Oct 13, 2003 20:43 UTC (Mon) by pflugstad (subscriber, #224)

Please correct me if I'm wrong, but Outlook is the product that comes with Office, correct? It costs $$$$.

And Outlook *Express* is the free one. And the one that has all the bugs, holes, and exploit of the week.

You can praise Outlook all you want, but Outlook *Express* is what the vast majority of users use, and it's a pile of crap. And Outlook itself, while it may be "safe" with all the patches applied - how many people got nailed by viruses even when the patch had been available for months? Fact is, people don't patch, so even if Outlook is safe, it's not for the vast majority of people who actually use it instead of Outlook Express.

So, either pay $$$ for Outlook, or since Outlook itself has had a large number of security holes, use something like Mozilla Mail. As a side benefit, use Mozilla instead of IE and stop all the spyware from being automagically downloaded onto your computer via ActiveX, DCOM and all the other idiocies M$ has foisted off on us as "useful".

Outlook vs Outlook Express

Posted Oct 13, 2003 21:44 UTC (Mon) by dlang (subscriber, #313)

Outlook (the full version) has had another hole found in it within the last month (OK, technically it was a hole in IE as used by Outlook to process mail, but since you have no other choice it made users of Outlook vulnerable), so it may be safe if fully patched, but you had better keep checking because next week it may have another hole discovered with no patch for it yet.

"Security hole"?

Posted Oct 13, 2003 2:46 UTC (Mon) by proski (subscriber, #104)

Please, don't take so seriously comments ending with a smile. It was a joke, maybe not a good joke, but let's not make it a discussion about Outlook.

Passing a message is not a security hole in the usual sense, but spamming everybody in a large company with a "signed" message can be just as costly as defacing the webserver.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds