Microsoft Outlook's so-so security

[InfoSec News <isn () c4i org>]

http://news.com.com/2100-1023-866307.html

By Robert Lemos 
Staff Writer, CNET News.com
March 21, 2002, 3:40 PM PT

Internet privacy researcher Richard Smith released on Thursday a list
of four issues that continue to undermine the security of Microsoft's
Outlook 2002 and could leave the major mail program open to attack by
virus writers.

Although Smith called only one of the issues "critical," he said he
released the list to bring the potential security hazards out into the
open.

"I just wanted to get it off my table," he said. "I would like to see
these issues addressed."

The critique comes two months after Microsoft called for a
"Trustworthy Computing" initiative. Kicked off by a memo from Chairman
Bill Gates to every employee, the strategy aims to further secure the
company's Windows operating system and other products.

For the most part, Microsoft has done a decent job securing its mail
program, Smith said, pointing to the latest security patch for Outlook
2002 that eliminates most of the popular vectors for computer viruses.  
Microsoft representatives were not immediately available for comment.

But Smith said the company needs to do more to fully secure the
program, especially around e-mail that includes HTML (Hypertext Markup
Language), a collection of formatting commands used to create Web
pages. He pointed to a drop-off in the prevalence of macro viruses
following a security fix to Word 2000 that required macros to have a
valid digital signature before running them.

"So you can see, technical fixes do help," Smith said.

Among the issues Smith called critical is the ability for an e-mail
that includes a special HTML tag, known as an IFRAME, to run an
attached program. That weakness could be used by a virus to spread to
computers through Outlook.

Other HTML problems included the ability to run JavaScript--a
programming script that can be used to create interactive
documents--in e-mails and the ability to read and set cookies via such
e-mail. Cookies are small data files written to your hard drive by
some messages when you view them.

Smith's final beef, however, is that Microsoft sometimes goes too far
in warning users of potential security hazards in fairly benign
situations. When someone attempts to send a link to a friend through
Outlook, the program will warn that the file could potentially be
dangerous.

"It is sort of like crying wolf," Smith said. "It's hard enough to
understand all this...without adding confusing alerts."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.