funsec mailing list archives

RE: Outlook 2007: one step forward, two steps back?


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 10 Apr 2007 15:22:51 +1200

Richard M. Smith to me:

> Actually, as email readers go, Outlook has been relatively secure since
> about 2000 when JavaScript was turned off by default and executable
> attachments were blocked.  Outlook 2003 added an image blocker and spam
> filter.  ...

I disagree.

They took the bunch of crappy code that was Outlook and already glued 
to the behemoth of crappy IE code and rather than _simplifying it_ -- 
which is what thinking folk do to fix excessively bloated, already 
known to be hugely bug-ridden yet sadly security-critical code -- they 
added more code to "tighten up" the security.  Given that bugs tend to 
track lines of code more closely than anything else, they did NOT make 
Outlook more secure in doing this.  They may have got rid of enough of 
the obviously egregious stupidity to make it practically more secure 
because the bad guys found it easier to concentrate on other attack 
vectors, but that is far from making it more secure because the code 
actually implements a well-defined and specified, and carefully and 
competently reviewed software component...  

> ...  Outlook 2007 was also immune to the recent ANI problem.  

Whoo-hoo -- immune to one-of-one (and are you sure the bad guys, or the 
clever "security researchers" actually looked that hard to find out how 
to trip up OL2k7?).

OL2k7 is almost certainly MUCH more insecure than its predecessor.

Crappy as the IE 6.x and earlier codebase was, and "patched up" as they 
made it and OL's interaction with it, OL2k7 is now lumbered with the 
probably larger (??) WinWord 2k7 codebase, and what do we know about 
that codebase?  Well, look back the last year or two and guess which MS 
product has had the most zero-days _first found in the wild_?

Gluing OL onto Word doesn't look very "security smart" now, does it?

Oh, and haven't they completely changed the file formats in Office 2k7, 
introducing scads and scads of completely new, untested-under-fire, 
code which will be rife with new bugs?  In fact, didn't someone make a 
post touching on just this to Full-Disclosure just yesterday?

OL2k7 is looking decidedly more and more uncertain the more we think 
about its likely security surface...

Aside from being a bloated, non-standards conforming PoS as an Internet 
MUA, it is a security nightmare just waiting to happen.

Enjoy using it!

> PS.  Does PINE automatically block executable attachments in incoming email
> messages?

No idea -- don't use it and haven't for years (more than a decade aside 
from very short periods of software testing).

Oh -- and as for that "security feature" of OL...  You know they do 
that by blocking access to the message components in the message store, 
when the UI tries to make the access via certain code chains, right?  
So all it takes to bypass that "restriction" is a bug in some or other 
of the millions of lines of code in OL or possibly one of its myriad 
supporting components (which now includes that doyen of security, Word) 
for that "protection" to slip.

Enjoy using Outlook...


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.