Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Microsoft's Outlook Express 6 "E-mail attachment security" Flawed

From: "Arie Slob" <arie () infinisource com>
Date: Wed, 5 Dec 2001 00:46:00 +0100
Hi,

I was contacted by David McSpadden, a Network Administrator from the Indiana Members Credit Union who pointed out the 
following:

---------------------------
 
I was wondering if you could replicate something I have found.
I set up attachment blocking as per (Q291387) on my Windows 2000 Professional Sp2 workstation for testing.  Thinking we 
might implement this as policy on all of our workstations with Outlook Express 6.0.  It did correctly block the 
attachments of the extensions I specified.  However, if I simply try and forward the email the 'blocked' item appears 
and I can then save or open the attachment.  This creates a dilema.  Why should I even try and stop the attachments if 
I can get to them anyway.
  
Please let me know if I am crazy or if I have found another hole in Outlook Express.
---------------------------

Well, I think he's right. I tested it on XP, set OE to block attachments.... that works... until you press FORWARD.... 
then you have full access...........

I contacted Microsoft (secure () microsoft com) who wrote back with the attached email.

I have published and article on our Web site about this:

http://www.windows-help.net/microsoft/oe6-attach.html


Regards,

Arie Slob,
VP Information Systems
InfiniSource, Inc.
<arie () infinisource com>
--- Begin Message --- From: "Microsoft Security Response Center" <secure () microsoft com>
Date: Tue, 4 Dec 2001 14:00:20 -0800
Dear Arie
 
Thank you for taking the time to email us.  The capability to forward an
email with an attachment is a feature in Outlook Express that is
by-design. As you mention, Outlook Express does allow the blocking of
unsafe attachments.
 
It looks like Outlook Express successfully blocked the attachment in the
Inbox for David McSpadden.
 
It is important for users to recognize that greyed-out attachments are
not safe to be opened and, users should be deleting, not forwarding an
email with a greyed-out attachment.
 
Many thanks again for taking the time to email us.
 
secure () microsoft com
 
 
 
-----Original Message-----
From: Arie Slob [mailto:arie () infinisource com] 
Sent: Tuesday, December 04, 2001 12:46 PM
To: Microsoft Security Response Center
Subject: Microsoft's Outlook Express 6 "E-mail attachment security"
Flawed 
 
Hi,
 
Although this isn't anything fancy, I thought you'd like to know.
 
OE6 allows for a setting on the Security tab (Tools > Options) Do not
allow attachments to be saved or opened that could potentially be a
virus.
 
I have always argued that Microsoft should have this setting enabled as
default, to reduce the number of worms spreading, due to the nature that
most people just seem to open any and all attachments they receive,
without giving it a second thought. 
 
But today I was contacted by David McSpadden, a Network Administrator
from the Indiana Members Credit Union, who asked me for some advise on a
problem he seemed to be having: When he tried to forward an e-mail with
a "blocked" attachment, the attachment becomes available to be run or
saved!
 
I tried the same on my install of Windows XP / OE6, and sure enough.....
 
 
Please note that I'm planning to release an article on our Web site, the
concept can be found at
http://www.windows-help.net/microsoft/oe6-attach.html
 
 
Regards,
 
Arie Slob,
VP Information Systems
InfiniSource, Inc.
<arie () infinisource com>

--- End Message ---
Previous By Date Next
Previous By Thread Next

Current thread: