Bugtraq mailing list archives
Microsoft's Outlook Express 6 "E-mail attachment security" Flawed
From: "Arie Slob" <arie () infinisource com>
Date: Wed, 5 Dec 2001 00:46:00 +0100
Hi,

I was contacted by David McSpadden, a Network Administrator from the Indiana Members Credit Union who pointed out the following:

---------------------------
I was wondering if you could replicate something I have found. I set up attachment blocking as per (Q291387) on my Windows 2000 Professional Sp2 workstation for testing. Thinking we might implement this as policy on all of our workstations with Outlook Express 6.0. It did correctly block the attachments of the extensions I specified. However, if I simply try and forward the email the 'blocked' item appears and I can then save or open the attachment.

This creates a dilemma. Why should I even try and stop the attachments if I can get to them anyway.

Please let me know if I am crazy or if I have found another hole in Outlook Express.
---------------------------

Well, I think he's right. I tested it on XP, set OE to block attachments.... that works... until you press FORWARD.... then you have full access...........

I contacted Microsoft (secure () microsoft com) who wrote back with the attached email.

I have published an article on our Web site about this:
http://www.windows-help.net/microsoft/oe6-attach.html

Regards,

Arie Slob, VP Information Systems
InfiniSource, Inc.
<arie () infinisource com>
--- Begin Message ---
From: "Microsoft Security Response Center" <secure () microsoft com>
Date: Tue, 4 Dec 2001 14:00:20 -0800

Dear Arie

Thank you for taking the time to email us. The capability to forward an email with an attachment is a feature in Outlook Express that is by-design. As you mention, Outlook Express does allow the blocking of unsafe attachments. It looks like Outlook Express successfully blocked the attachment in the Inbox for David McSpadden. It is important for users to recognize that greyed-out attachments are not safe to be opened, and users should be deleting, not forwarding, an email with a greyed-out attachment.

Many thanks again for taking the time to email us.

secure () microsoft com

-----Original Message-----
From: Arie Slob [mailto:arie () infinisource com]
Sent: Tuesday, December 04, 2001 12:46 PM
To: Microsoft Security Response Center
Subject: Microsoft's Outlook Express 6 "E-mail attachment security" Flawed

Hi,

Although this isn't anything fancy, I thought you'd like to know.

OE6 allows for a setting on the Security tab (Tools > Options):
Do not allow attachments to be saved or opened that could potentially be a virus.

I have always argued that Microsoft should have this setting enabled as default, to reduce the number of worms spreading, due to the nature that most people just seem to open any and all attachments they receive, without giving it a second thought.

But today I was contacted by David McSpadden, a Network Administrator from the Indiana Members Credit Union, who asked me for some advice on a problem he seemed to be having: When he tried to forward an e-mail with a "blocked" attachment, the attachment becomes available to be run or saved!

I tried the same on my install of Windows XP / OE6, and sure enough.....

Please note that I'm planning to release an article on our Web site, the concept can be found at
http://www.windows-help.net/microsoft/oe6-attach.html

Regards,

Arie Slob, VP Information Systems
InfiniSource, Inc.
<arie () infinisource com>
--- End Message ---