Interesting People mailing list archives
IP: Outlook 2000 -- we aren't told and cannot peek
From: David Farber <dave () farber net>
Date: Wed, 31 Oct 2001 00:20:07 -0500
From: "Rob Raisch" <info () raisch com>
To: <farber () cis upenn edu>

Dave,

I'll admit it's easy to bash Microsoft for security issues like this, but in light of this most recent Windows Virus, there are two aspects of Microsoft's Outlook 2000 that are very troubling to me and I'd like to raise in a larger forum should you find it valuable.

First, Outlook 2000 does not identify an infected message as being anything other than simple readable text. And secondly, it provides no way of viewing the "source" of a message.

As I am sure many of your readers know, all email crosses the Internet as a stream of simple text characters, no matter its actual content. All file attachments, i.e., sound files, executables, pictures, or videos, are first converted into a collection of simple, human-readable characters for inclusion in an email message and transport through the Internet. These converted file attachments are reconstituted into their original formats upon reception and viewing.

Usually, the recipient has the option of opening or storing one of these attachments, but in Outlook Express and 2000, many kinds of file attachment are converted and executed immediately upon opening the message, without any acceptance or approval by the user.

The fact that an email message received by Outlook 2000 can contain a virus (which can be executed without oversight) and not inform the user that the message contains anything but a readable message would be (partially) ameliorated by the user's ability to peek at the actual content of a suspicious message before opening it in the mail reader. Sadly, while this feature was available in Outlook Express, Microsoft decided to remove it in Outlook 2000.

So the problem becomes: if we do not know what the message contains until we open it and thus launch its attack on our computers, nor have we any possibility of seeing the message in its true form, to decide if we wish to open it, what email is safe?

/rr
For archives see: http://www.interesting-people.org/archives/interesting-people/
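
The message above describes attachments travelling as plain text inside the message source and the value of peeking at that source before opening a mail. The following is an added example, not part of the original post, that lists the parts of a raw message without decoding or opening any of them. The sample message, the function name inspect_source and the extension list are assumptions made for illustration.

```python
import email
import os
from email import policy

# Constructed sample (not from the original message): raw source of a mail that
# displays as plain text but carries a base64 attachment. The payload decodes
# to the harmless bytes "not a real program\n".
RAW_MESSAGE = (
    "From: sender@example.com\r\n"
    "To: recipient@example.com\r\n"
    "Subject: hello\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    "\r\n"
    "--XYZ\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "Hi, how are you?\r\n"
    "--XYZ\r\n"
    'Content-Type: application/octet-stream; name="readme.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="readme.exe"\r\n'
    "\r\n"
    "bm90IGEgcmVhbCBwcm9ncmFtCg==\r\n"
    "--XYZ--\r\n"
)

# Illustrative, non-exhaustive set of extensions Windows treats as executable.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs"}


def inspect_source(raw):
    """Describe each MIME part from its headers only; nothing is decoded or run."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container parts hold no content of their own
        filename = part.get_filename()
        ext = os.path.splitext(filename)[1].lower() if filename else ""
        report.append({
            "content_type": part.get_content_type(),
            "encoding": str(part.get("Content-Transfer-Encoding", "7bit")).lower(),
            "filename": filename,
            "flagged": ext in RISKY_EXTENSIONS,
        })
    return report


if __name__ == "__main__":
    for entry in inspect_source(RAW_MESSAGE):
        print(entry)
```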