"Security hole"?

Posted Oct 13, 2003 2:38 UTC (Mon) by TwoTimeGrime (guest, #11688)
In reply to: "Security hole"? by Ross
Parent article: E-mail filters not fooled by signed spam (News.com)

> First of all I don't use Outlook so I don't think it need to patch
> it.

Then you're probably not qualified to talk about it. I do use Outlook. All of the issues that you cited in your post have been addressed in the security patches that Microsoft has released for it. If you install them then you don't have those problems with macro execution or being able to run executable files from within Outlook unless you specifically disable the security checks.

> Users don't have to click an attachment to run it. Outlook will do it
> for them _automatically_ just to "help out". Unless recent patches
> finally disable that

Recent as of September 2000, yes.

I know Microsoft is an easy target and drags their feet on patches until someone embarrasses them into releasing them, but get your facts straight before you reply. What you should be doing is encouraging users of older copies of Outlook to install the latest patches on their system. Newer versions have the patches incorporated. If the security checks have been disabled then it's been done by the system administrator.

We could make the same arguments about people running older vulnerable versions of Apache or Sendmail or SSH but you'd tell those people that they should patch their systems. Yet when it comes to Outlook you'd rather point and hiss at it and Microsoft rather than the user who isn't patching their system or is administrating it poorly.


RE: I.E. "Security hole"?

Posted Oct 13, 2003 17:04 UTC (Mon) by scripter (subscriber, #2654)

I advise my relatives not to use Outlook, period. I tell them to use Mozilla Mail instead. Why? Basic risk assessment:

1. Outlook is one of the most common email clients, thus it is a better target for exploits. Running a lesser known, or lesser used email client generally translates to less risk.
2. Outlook has a track record of serious security problems. I'm sure more will be found. Other email clients have had problems, but not as high-profile, and not as damaging (partly due to #1).
3. Relatives like the pretty look of Mozilla Mail.
4. Mozilla keeps its email in a standard format, not a proprietary format.
5. Mozilla imports Outlook email and the Outlook address book, so switching is easy.
6. Mozilla isn't just an email client, it is also a web browser. Why not replace their web browser with something far more secure than I.E.? (I.E. continues to have a horrible track record for security)

Despite all of the above, most relatives prefer to keep using Outlook and Internet Explorer. Why?

1. It's what they know.
2. It's fast.
3. It's what their friends use.
4. They don't have to install something new.

So, I tell them how to install patches. Do they do it? No. Why?

1. They can't remember how to do it.
2. They don't want to tie up the phone while downloading updates. (Fortunately, most of them have dial-up instead of always-on connections, which limits their vulnerability to some degree).
3. They forget to do it.
4. They are lazy. It works, doesn't it?

RE: I.E. "Security hole"?

Posted Oct 13, 2003 17:46 UTC (Mon) by TwoTimeGrime (guest, #11688)

> Despite all of the above, most relatives prefer to keep using Outlook and
> Internet Explorer. Why?

Do you mean Outlook Express? Outlook is a completely different product than Outlook Express for which there is currently no open-source equivalent on Windows.

Outlook vs Outlook Express

Posted Oct 13, 2003 20:43 UTC (Mon) by pflugstad (subscriber, #224)

Please correct me if I'm wrong, but Outlook is the product that comes with Office, correct? It costs $$$$.

And Outlook *Express* is the free one. And the one that has all the bugs, holes, exploit of the week.

You can praise Outlook all you want, but Outlook *Express* is what the vast majority of users use, and it's a pile of crap. And Outlook itself, while it may be "safe" with all the patches applied - how many people got nailed by viruses even when the patch has been available for months? Fact is, people don't patch, so even if Outlook is safe, it's not for the vast majority of people who actually use it instead of Outlook Express.

So, either pay $$$ for Outlook, or since Outlook itself has had a large number of security holes, use something like Mozilla Mail. As a side benefit, use Mozilla instead of IE and stop all the spyware from being automagically downloaded onto your computer via ActiveX, DCOM and all the other idiocies M$ has foisted off on us as "useful".

Outlook vs Outlook Express

Posted Oct 13, 2003 21:44 UTC (Mon) by dlang (subscriber, #313)

Outlook (the full version) has had another hole found in it within the last month (OK, technically it was a hole in IE as used by Outlook to process mail, but since you have no other choice it made users of Outlook vulnerable), so it may be safe if fully patched, but you had better keep checking because next week it may have another hole discovered with no patch for it yet.
