Information Security News mailing list archives

Microsoft Toughens Up Outlook


From: InfoSec News <isn () c4i org>
Date: Wed, 15 Oct 2003 03:21:58 -0500 (CDT)

http://www.wired.com/news/infostructure/0,1377,60781,00.html

By Michelle Delio 
Oct. 14, 2003

A new version of Microsoft Outlook makes it harder for spammers and 
scammers to invade users' computers through their e-mail. 

The software, available at the end of October with the release of 
Microsoft Office 2003, boasts more-aggressive security features, more 
options to disable malicious or snoopy code embedded in e-mails and 
attachments, and additional ways to block spam and other unwanted 
e-mail. 

Security experts are giving mixed reviews to the updated version of 
the popular e-mail program. Some say little is innovative in Outlook 
2003 -- many of the new features are already included in other e-mail 
programs like Eudora. Others say the changes are a step in the right 
direction for Microsoft. 

"I'm glad to see that Microsoft is taking some initiative in 
engineering their applications for security, rather than relying 
solely on patching vulnerabilities as they're discovered," said 
security researcher Robert Ferrell. 

Ferrell said one of his main concerns about Microsoft in the past is 
that "they seem to expect the rest of the world to do their 
application testing for them gratis, and they ship most of their 
products with virtually all of what few security features they do have 
turned off by default." 

In previous versions of Outlook, users had to manually reset Outlook 
security options to achieve the highest level of protection. However, 
security options in the new version are set by default at the highest 
level. 

Outlook 2003 also allows users to disable all macros -- programming 
code that can be concealed within a document or e-mail and can contain 
a virus. All unsigned (essentially unidentified) macros will not run 
automatically, no matter whether a user has opted to block macros or 
not. 

If Office 2003 is running on Microsoft Windows XP, users or system 
administrators can also set up a "safe publisher" list. Executable 
files or macros originating from any sources not on the safe list will 
be automatically disabled. 

"Hopefully the Trustworthy Computing initiative, painfully slow to 
actual implementation though it's been, is finally beginning to bear 
some fruit," said Ferrell. "Default rejection of unsigned macros is a 
positive step forward, as is the ability to designate certain sites as 
trusted publishers." 

Microsoft launched its Trustworthy Computing initiative in January 
2002, in an effort to reduce the number of security problems that 
affected its software. The move included special training and 
"security boot camps" for Microsoft programmers, but some experts have 
said the results may not be seen until future products are released. 

Enhanced privacy protections are woven into all of Office 2003's 
applications, particularly in its Web bug-barricading abilities and 
other antispam features. 

Outlook 2003 allows users to block receipt of all e-mailed HTML 
content, which puts an end to nonsensical animated junk mail featuring 
frantically flashing titles, dancing products, juggling animals and 
other images. 

Blocking HTML also squashes Web bugs -- tiny graphics containing code 
that can be inserted into e-mail allowing advertisers to collect 
personal data when recipients read bugged messages. 
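As an added illustration of what the HTML-blocking feature defends against (example code, not the article's or Microsoft's), the following heuristic scans an HTML message body for remote images and flags the ones that look like tracking pixels; the sample message and the `example.invalid` hosts are constructed:

```python
"""Flag likely Web bugs (tracking pixels) in an HTML e-mail body.
Added example, not the article's or Microsoft's code. It models what a
remote-content blocker defends against: any image fetched from a remote
server at render time reports that the message was opened (and from where),
and a 1x1 or hidden remote image exists only to do that."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def _tiny(value):
    """True for a width/height of 0 or 1 (e.g. "1", "1px")."""
    digits = "".join(ch for ch in (value or "") if ch.isdigit())
    return digits != "" and int(digits) <= 1


def find_web_bugs(html_body):
    """Return (remote_image_urls, suspected_bug_urls) for one HTML body."""
    parser = _ImgCollector()
    parser.feed(html_body)
    remote, bugs = [], []
    for img in parser.images:
        src = img.get("src") or ""
        if urlparse(src).scheme.lower() not in ("http", "https"):
            continue  # inline (cid:) or data: images cannot phone home
        remote.append(src)
        style = (img.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if _tiny(img.get("width")) or _tiny(img.get("height")) or hidden:
            bugs.append(src)
    return remote, bugs


# Constructed sample: a legitimate remote logo, a tracking pixel, an inline part.
SAMPLE_HTML = """<html><body>
<img src="https://mail.example.invalid/logo.png" width="200" height="60">
<p>Great deals inside!</p>
<img src="https://track.example.invalid/open?id=recipient-12345" width="1" height="1">
<img src="cid:inline-part-1">
</body></html>"""
```

Blocking every entry in the first list is what "block all HTML content" amounts to; the second list is the subset a reader would never notice being fetched.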

"I think the new Web bug-blocking feature will be helpful for making 
spam less successful," said security researcher Richard Smith. "But 
apart from that there's not much else here (in Outlook 2003) that's 
new, as far as security goes." 

Microsoft Office product manager Simon Marks said the enhanced 
security in Outlook 2003, and other Office 2003 applications, doesn't 
necessarily come from new features. 

"The Office development teams devoted tens of thousands of hours to 
reviewing every line of code in the Microsoft Office system," said 
Marks. "This effort wasn't about developing new features.... It was to 
identify and eliminate vulnerabilities and learn about better ways to 
design code and deliver more secure products to our customers." 

The success of the new security features in Outlook 2003 will only be 
proven once independent researchers and malicious hackers have a 
chance to examine the application in depth. But the antispam features 
appear to have been noticeably upgraded. 

The new junk-mail filter uses a neural decision engine, a simple form 
of artificial intelligence, to train itself to recognize spam. It 
considers such factors as the time the message was sent and the 
content and structure of the message. 

The filter also learns to screen out spam based upon what users 
identify as junk mail in their inbox and what messages they mark as 
legitimate e-mail that ended up in their junk-mail folder by mistake. 
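To make the learning loop concrete, here is an added toy filter (not Microsoft's engine or SpamBayes' code) that retrains itself from each "junk" / "not junk" decision and treats the filter's aggressiveness level as a threshold on the resulting junk score. The training messages are constructed, and the numeric values behind "low", "moderate" and "high" are assumptions, not Outlook's settings.

```python
"""Toy self-training junk filter of the kind the article describes.
Added example, not Microsoft's or SpamBayes' code: each "junk" / "not junk"
decision by the user retrains per-token probabilities (naive Bayes), and the
aggressiveness level is a score threshold (low/moderate/high values assumed)."""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$!]+")
THRESHOLDS = {"low": 0.9, "moderate": 0.7, "high": 0.5}

def tokenize(text):
    return set(TOKEN_RE.findall(text.lower()))  # each token counts once per message

class JunkFilter:
    def __init__(self):
        self.junk, self.good = Counter(), Counter()  # per-class token counts
        self.n_junk = self.n_good = 0                # messages labelled per class

    def mark_junk(self, text):      # user drags a message into the Junk folder
        self.junk.update(tokenize(text))
        self.n_junk += 1

    def mark_not_junk(self, text):  # user rescues a false positive from Junk
        self.good.update(tokenize(text))
        self.n_good += 1

    def junk_probability(self, text):
        """P(junk | tokens) via Laplace-smoothed naive Bayes in log space."""
        log_junk, log_good = math.log(self.n_junk + 1), math.log(self.n_good + 1)
        for tok in tokenize(text):
            log_junk += math.log((self.junk[tok] + 1) / (self.n_junk + 2))
            log_good += math.log((self.good[tok] + 1) / (self.n_good + 2))
        return 1 / (1 + math.exp(log_good - log_junk))

    def is_junk(self, text, level="low"):
        return self.junk_probability(text) >= THRESHOLDS[level]

def build_trained_filter():
    """A filter trained on six constructed messages the user has labelled."""
    f = JunkFilter()
    for msg in ("FREE $$$ prizes!!! claim your prize now",
                "lowest rates on mortgage refinance, act now",
                "buy cheap pills online, no prescription"):
        f.mark_junk(msg)
    for msg in ("Q3 budget review meeting moved to Thursday",
                "attached are the meeting notes from Thursday",
                "can you review the draft before the budget call"):
        f.mark_not_junk(msg)
    return f
```

A borderline message such as "lowest prices now" scores about 0.86 against this training set, so it passes at the "low" level but is caught at "moderate"; one more "mark as junk" click pushes it over the "low" threshold as well, which is the feedback effect the article describes.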

In a weeklong test of the new filter, set to a moderate level of 
aggressiveness (Outlook ships with the filter set to low) Outlook 
2003's ability to identify and block junk mail was noticeably improved 
compared with Outlook 2002. 

Outlook 2003 accurately blocked roughly 85 percent of an average day's 
spam, while 2002 topped out at about 65 percent, an increase of 20 
percent more junk e-mail filtered. That said, free open-source filters 
like SpamBayes can block about 98 percent of spam. 

Outlook 2003, and all of the applications included in Office 2003, 
will also include Information Rights Management abilities that allow 
users to:

* prevent or limit other people's access to a file 

* restrict the number of times a document can be copied or printed 

* prevent sending a file as an attachment and prevent forwarding 
  e-mail to unauthorized users 

However, Information Rights Management features are only supported in 
Office 2003 applications. As a result, no matter what controls are 
set, a protected file will probably only be readable by other Office 
2003 users. That means users will likely opt to avoid applying rights 
management on any documents they intend to share with anyone who might 
not have upgraded to Office 2003. 

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.