Microsoft (finally) plugging a few Outlook holes

By Anonymous Zero in News
Mon May 15, 2000 at 08:49:50 PM EST
Tags: Security (all tags)

Although I don't see it posted on Microsoft's web site yet, this article at Internetnews.com says that Microsoft announced today that they are releasing a newer Outlook patch that will make two security improvements: Outlook will totally refuse to run attached applications or scripts (Outlook users can save the attachment and run it outside of Outlook), and (more importantly) applications other than Outlook will now need permission from the user to access Outlook's address book (which is the key loophole that allowed Melissa and ILOVEYOU to spread so effectively) ...and both of these new "features" cannot be turned off. (The current patch on MS's web site only throws up a warning dialog when users click on attachments -- I gather this patch supersedes the current patch.) I don't use Windows but if I did I would say this patch would be a Good Thing(tm).
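As an added example (not from the story, the linked article, or Microsoft's code): a small Python attachment policy in the spirit of the first change described above, deciding for each attachment whether a mail client should refuse to open it directly and only allow saving it. The extension lists, the sample message and its file names are constructed for this example; the decoy check flags names like `GREETINGS.TXT.vbs`, where only the final extension decides what Windows would actually run.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions this policy refuses to open directly. Constructed for the
# example; it is not Microsoft's actual blocked-attachment list.
EXECUTABLE_EXTENSIONS = {
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "reg", "lnk",
}
# Harmless-looking extensions often placed before the real one as a decoy.
DECOY_EXTENSIONS = {"txt", "doc", "jpg", "gif", "pdf", "htm", "html"}


def classify_name(filename: str) -> dict:
    """Classify one attachment by file name.

    Only the last extension matters to the shell, so 'GREETINGS.TXT.vbs'
    is a script however benign the middle part looks. Trailing dots and
    spaces are stripped first because 'report.txt   .vbs' is still a
    .vbs file once saved to disk.
    """
    parts = filename.strip().rstrip(". ").lower().split(".")
    final = parts[-1] if len(parts) > 1 else ""
    executable = final in EXECUTABLE_EXTENSIONS
    disguised = executable and any(
        p.strip() in DECOY_EXTENSIONS for p in parts[1:-1])
    return {"name": filename, "executable": executable,
            "disguised": disguised,
            "action": "save-only" if executable else "open-allowed"}


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 822 message and classify every attachment in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [classify_name(part.get_filename() or "")
            for part in msg.iter_attachments()]


def build_sample() -> bytes:
    """Constructed sample mail: a one-line body, a script attachment with a
    decoy .TXT in its name, and an ordinary spreadsheet. Payloads are
    placeholder bytes, not real scripts."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = "please check this"
    m.set_content("See the attached greeting.")
    m.add_attachment(b"' constructed placeholder, not a real script\r\n",
                     maintype="application", subtype="octet-stream",
                     filename="GREETINGS.TXT.vbs")
    m.add_attachment(b"constructed spreadsheet bytes",
                     maintype="application", subtype="vnd.ms-excel",
                     filename="budget.xls")
    return m.as_bytes()
```

Run `scan_message(build_sample())` to see the script attachment marked save-only and disguised while the spreadsheet stays open-allowed.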


Microsoft (finally) plugging a few Outlook holes | 27 comments (27 topical, 0 editorial, 0 hidden)
For once, good for Microsoft. Here... (none / 0) (#15)
by ardran on Mon May 15, 2000 at 03:01:49 PM EST

ardran voted 1 on this story.

For once, good for Microsoft. Here's another article on the topic at securityfocus. The changes are somewhat crude, but at least broad enough to hopefully slow the next wave of copycats.

well...kudos.. I'm pleased and sur... (none / 0) (#2)
by Emacs on Mon May 15, 2000 at 03:31:30 PM EST

Emacs voted 0 on this story.

well...kudos.. I'm pleased and surprised. This doesn't change the fact that they are more than a little late; why didn't they address these issues after the Melissa virus?

This is as close as MS will ever get to taking some of the blame for the email virus's/worms/script kiddie attacks.

Re: well...kudos.. I'm pleased and sur... (none / 0) (#24)
by Anonymous Hero on Tue May 16, 2000 at 02:08:15 AM EST

Personally, I think the reason Microsoft didn't act when Melissa came out, but did when ILOVEYOU struck, is that Microsoft itself was affected so much more by the latter.

I never got any Melissa emails in my inbox. I got forty copies of ILOVEYOU. I expect something similar was the case across the company. Thus, the Outlook team was under a lot more pressure to deliver results this time. Sigh. One of these days my sense of dignity will overcome my love of stability.

Posted anonymously for obvious reasons.


I agree this patch will be "A Good ... (none / 0) (#10)
by Rasputin on Mon May 15, 2000 at 03:43:16 PM EST

Rasputin voted -1 on this story.

I agree this patch will be "A Good Thing" if it actually appears and performs as advertised. Unfortunately, I've seen way too many M$ press releases turn out to be "random atmospheric noise". The -1 is only temporary, resubmit when the patch appears.
Even if you win the rat race, you're still a rat.

Day late and a dollar short. Always... (none / 0) (#12)
by bladerunner on Mon May 15, 2000 at 03:53:43 PM EST

bladerunner voted 1 on this story.

Day late and a dollar short. Always a bridesmaid never a bride. They should have done something like this back when Melissa struck.
-Ex-slashdotter. I love cats, but hate Katz.

I don't find this in and of itself ... (none / 0) (#9)
by DemiGodez on Mon May 15, 2000 at 04:08:37 PM EST

DemiGodez voted -1 on this story.

I don't find this in and of itself very interesting. It wasn't really a bug - it worked as designed - they just didn't think of something. So something bad happened and they fix it. Not really news is it?

If accurate, this is a Good Thing™... (none / 0) (#3)
by Skippy on Mon May 15, 2000 at 04:48:03 PM EST

Skippy voted 1 on this story.

If accurate, this is a Good Thing™. I'll vote for this because I might not see it somewhere else.
# I am now finished talking out my ass about things that I am not qualified to discuss. #

Something to add to the list of ans... (none / 0) (#8)
by adric on Mon May 15, 2000 at 04:50:04 PM EST

adric voted 0 on this story.

Something to add to the list of answers to 'how do I avoid these darned email viruses?'

About Dang Time. Maybe someone tho... (none / 0) (#13)
by Saint Zero on Mon May 15, 2000 at 05:04:09 PM EST

Saint Zero voted 1 on this story.

About Dang Time. Maybe someone thought of suing them, under the DCMA? ;)
---------- Patron Saint of Nothing, really.

Now if Microsoft APOLOGISED... That... (none / 0) (#4)
by TomG on Mon May 15, 2000 at 05:23:21 PM EST

TomG voted -1 on this story.

Now if Microsoft APOLOGISED... That would be news. Grudgingly fixing bugs that should never have been released is not news.

Interesting... I don't like "featur... (none / 0) (#16)
by Qtmstr on Mon May 15, 2000 at 05:27:11 PM EST

Qtmstr voted 1 on this story.

Interesting... I don't like "features" that I cannot turn off, however. Yes, make the defaults idiot-proof, but not the application itself.


Kuro5hin delenda est!

Re: Interesting... I don't like (none / 0) (#22)
by Skyshadow on Tue May 16, 2000 at 12:13:11 AM EST

Actually, this is the perfect example of idiot-proofing an application. Take the app only an idiot would use and rig it so they can't dick it up too badly. The rest of us are capable of downloading another mail app.

Think of this like the cartoon where Dilbert gave his boss the etch-a-sketch and convinced him it was his laptop, thus preventing him from harming anything with his cluelessness.


PINE FOREVER!!! :)... (none / 0) (#14)
by feline on Mon May 15, 2000 at 05:57:19 PM EST

feline voted 1 on this story.

PINE FOREVER!!! :) <take off obnoxious l33t h4x0r hat>
------------------------------------------

'Hello sir, you don't look like someone who satisfies his wife.'

Re: PINE FOREVER!!! :)... (none / 0) (#27)
by shepd on Tue May 16, 2000 at 03:56:53 PM EST

I love pine too. I just don't understand why people need to put applications and other crap in their emails, and why anyone would want an email client to directly execute code sent in an email.

The only snail mail I've ever gotten that required me to run an "application" (do work) is the junk mail that asks you to "scratch and lose this", or "match this key with a real car and win", etc. You can keep that crap out of my mailbox.

I'll stick to text only when possible, although it would be nice to be able to view HTML (no Javascript/other extensions) in Pine directly. But that's only because the HTML doesn't require executing.

Leaving total control in the hands ... (3.00 / 1) (#6)
by StatGrape on Mon May 15, 2000 at 06:17:03 PM EST

StatGrape voted 1 on this story.

Leaving total control in the hands of Sally Housecoat and Larry Lunchpail is just begging for grief, so the fact that these patched 'features' cannot be disabled is a good call. Anyone who has ever administered a LAN-full of uneducated users knows that enough screwing around can eventually disable damn near any block we put in their path... it's the old infinite monkeys axiom at work in real life.

NerdPerfect

I bet they're 'grudgingly' releasin... (none / 0) (#11)
by Marcin on Mon May 15, 2000 at 07:22:20 PM EST

Marcin voted 1 on this story.

I bet they're 'grudgingly' releasing this patch too.

Ah well, I may as well shelve my plans for that badass Internet worm I was going to write which was dependent on Outlook using people that will click on anything :)
M.

Better late than never.... (none / 0) (#5)
by renaud on Mon May 15, 2000 at 07:33:15 PM EST

renaud voted 1 on this story.

Better late than never.

Honestly, I feel that it is too lat... (3.00 / 1) (#7)
by tidepool on Mon May 15, 2000 at 08:34:08 PM EST

tidepool voted 1 on this story.

Honestly, I feel that it is too late for Microsoft to 'redeem themselves' from all of the holes in the past. What if (and this has happened) they throw a loophole into this 'super patch'? A loophole, that says, "allow things sent from microsoft to run without confirmation". We've seen this occur in technologies such as ActiveX (ActiveX a technology? That can be debatable), and other scripting deals.

Honestly, I'm getting to the point where if it's Microsoft it really has no 'clout' in my eyes. All I have to say is, when are these patches not going to be patches, and implemented into a Microsoft application from the get-go? When this happens, then Microsoft will begin to earn any respect from Me.

Re: Honestly, I feel that it is too lat... (none / 0) (#17)
by warpeightbot on Mon May 15, 2000 at 09:14:37 PM EST

Hey, it's a start. Finally they're patching the Mack Truck sized holes instead of whining about it. Finally they're being forced to come up to the standards of things like Elm and Pine and Mutt... Hell, next thing you know, they'll ship a decent browser that isn't full of holes.

I'm not pissed off that Microsoft is a multi-billion dollar corporate giant. I'm pissed off that Microsoft ships crappy product and plays dirty pool to get market share. If between the foo-faw-raw with the DOJ and the advent of Linux, *BSD, Be, and Mach-based MacOS, we can get the boys from Redmond to ship quality product and play fair, all the blood, sweat, and tears will have been worth it.

Me, I'm not holding my breath; I'm running Linux.


Re: Honestly, I feel that it is too lat... (none / 0) (#20)
by Marcin on Mon May 15, 2000 at 09:30:19 PM EST

Hell, next thing you know, they'll ship a decent browser that isn't full of holes.

Dude! Don't you watch The Simpsons?? Those things are Speed Holes! :)

I like the fact that I can't install IE 5.01 over the corporate LAN because our proxy fudges the IE5 installer, and I don't think you can get it as normal archives. Goddamn internet based installers suck.
M.

Re: Honestly, I feel that it is too lat... (none / 0) (#21)
by Skyshadow on Tue May 16, 2000 at 12:09:34 AM EST

Oh, come on. I don't think that's very fair.

Sure, there have been a lot of holes in MS software, but this one really doesn't count. Essentially, the program designers just put too much faith in the users in this case, trusting that they could handle the responsibility of running (or, more specifically, not running) programs sent to them without some degree of caution. It's the same as if I sent you a shell script that "rm -rf ~"'ed you -- you run it, your files go bye-bye and it's your own dumb fault.

Besides, there have been (and continue to be) gaping holes in even the best Linux distros -- there will always be holes in evolving software. I think it's unfair to sit around and piss about MS specifically when the OSS movement has a lot of the same problems.

Above all, remember: We don't want MS to go away, or even be discredited. Competition is the key. The OSS paradigm probably is superior, but even we need someone breathing down our necks to keep us honest.


Re: Honestly, I feel that it is too lat... (none / 0) (#23)
by puppet10 on Tue May 16, 2000 at 12:22:30 AM EST

No problem with the hole (possibly over-estimating users) but they knew about this security flaw from the Melissa incident and instead of doing anything AT ALL they still blamed the users INSTEAD of fixing a gaping security hole.

If they had been working on a fix instead of calling the users stupid and the security model flaw a feature I would have more sympathy for them. As it is this is just another illustration of Microsoft arrogance.

Wow, you mean refusing to run thing... (5.00 / 1) (#1)
by Inoshiro on Mon May 15, 2000 at 08:49:50 PM EST

Inoshiro voted 1 on this story.

Wow, you mean refusing to run things sent from possibly untrusted clients, or if running, doing so in a sandbox?

Wow, I'm going to be out of a job talking about security soon >;-)



--
[ イノシロ ]
Re: Wow, you mean refusing to run thing... (none / 0) (#18)
by Marcin on Mon May 15, 2000 at 09:27:37 PM EST

Wow, I'm going to be out of a job talking about security soon >;-)

As long as there are Microsoft products in the world, as long as AOL brings Hillbillies to the Internet, as long as there are script kiddies, you WILL have plenty to talk about. ;)

Wow, you mean refusing to run things sent from possibly untrusted clients, or if running, doing so in a sandbox?

Basically it just means (as far as I can tell) that cluebies need one extra step to screw themselves. Basically they'll need to save the .vbs to disk and then run it from Explorer. (file explorer, not Internet Explorer).

On the other hand now ILOVEYOU would force a dialog to pop up saying "This script is attempting to access your Outlook address book, would you like to allow this?", and I'm sure a bunch of mindless drones would click "Yes" anyway :)

So trojan writers will just need to become a bit more sophisticated and disguise their trojans as something nicer than VBS, and work out the Outlook address book format so that they don't need to use MAPI to get it. Although that'd only work for local address books, not global ones that are stored on the server.. but I'm sure there are ways around that.

Not that I've been thinking about it ;)
M.

Re: Wow, you mean refusing to run thing... (none / 0) (#19)
by bmetzler on Mon May 15, 2000 at 09:29:26 PM EST

Wow, you mean refusing to run things sent from possibly untrusted clients, or if running, doing so in a sandbox?

I guess you'd be the best to comment on this, but it didn't look like either of those at all.

First, it refused to run or open any attachments at all, even from "trusted" clients. Actually, there are no "trusted" clients, everyone's the enemy. This is a good thing though since these macros propagate by sending to known recipients.

Second, there's no sandbox; after you save the attachment, you can run it to freely experience all the damage in all its glory. With one exception. It can't propagate because there's no longer access to the Outlook address book. Oh, but you can allow access through a prompt. What this means is that all synchronisation of the address book can no longer be done unattended. Sweet, eh?

Maybe Microsoft felt they needed to release something RSN to boost their PR. I don't know. Hopefully they'll redo it later with a proper sandbox so that unattended synchronisations can occur like they should when that's what you want. But I'm not holding my breath...

-Brent
www.bmetzler.org - it's not just a personal weblog, it's so much more.
Security? (3.00 / 1) (#25)
by tzanger on Tue May 16, 2000 at 08:51:37 AM EST

What's stopping the script from running some kind of ActiveX control to automatically press the "OK" button to access the list? I'm sure there are backdoors which were opened by this patch to allow Microsoft-approved apps to gain access to the address book without that prompt.

C:\WINDOWS\ADDRBOOK.EXE /NOPOPUP :-)

The solution, as others have pointed out, is to run attachments in a sandbox and remove any kind of ActiveX/Java/WSH control which could affect the sandbox. In short, a hermetically-sealed sandbox.



Might not be quite as rosy as it looks... (5.00 / 1) (#26)
by Noel on Tue May 16, 2000 at 09:51:06 AM EST

Russ Cooper (the editor of the ntbugtraq site and mailing list) isn't quite so happy with the updates. He sent out this email yesterday, detailing his concerns about the update. Here's his conclusion:

Conclusion:

MS dropped the ball. I told them to make this thing appear as an interim step. It's not a patch, it's Outlook on Training Wheels. I thought it was going to be a complete product (i.e. you download it and that's how that version works, get the full version to do more harm to yourself). As such, it made a lot of sense to have a version that was severely restricted. Put users on that till you're satisfied they aren't going to shoot themselves in the foot.

Nope, they gotta tout it as more than that.

So, bottom line, unless they change the thing before it gets released next week, make sure anyone you suggest it to also gets this URL:

http://ntbugtraq.ntadvice.com/outlookviews.asp

and turns off scripting and scripting of activeX components marked safe for scripting.


