IP: Outlook 2000 -- we aren't told and cannot peek

[David Farber <dave () farber net>]

> From: "Rob Raisch" <info () raisch com>
> To: <farber () cis upenn edu>
>
> Dave,
>
> I'll admit it's easy to bash Microsoft for security issues like this, but in
> light of this most recent Windows Virus, there are two aspects of
> Microsoft's Outlook 2000 that are very troubling to me and I'd like to raise
> in a larger forum should you find it valuable.
>
> First, Outlook 2000 does not identify an infected message as being anything
> other than simple readable text.  And secondly, it provides no way of
> viewing the "source" of a message.
>
> As I am sure many of your readers know, all email crosses the Internet as a
> stream of simple text characters, no matter its actual content.  All file
> attachments, i.e., sound files, executables, pictures, or videos, are first
> converted into a collection of simple, human-readable characters for
> inclusion in an email message and transport through the Internet.  These
> converted file attachments are reconstituted into their original formats
> upon reception and viewing.
>
> Usually, the recipient has the option of opening or storing one of these
> attachments, but in Outlook Express and 2000, many kinds of file attachment
> are converted and executed immediately upon opening the message, without any
> acceptance or approval by the user.
>
> The fact that an email message received by Outlook 2000 can contain a virus
> (which can be executed without oversight) and not inform the user that the
> message contains anything but a readable message would be (partially)
> ameliorated by the user's ability to peek at the actual content of a
> suspicious message before opening it in the mail reader.  Sadly, while this
> feature was available in Outlook Express, Microsoft decided to remove it in
> Outlook 2000.
>
> So the problem becomes: if we do not know what the message contains until we
> open it and thus launch its attack on our computers, nor have we any
> possibility of seeing the message in its true form, to decide if we wish to
> open it, what email is safe?
>
> /rr


For archives see:
http://www.interesting-people.org/archives/interesting-people/