funsec mailing list archives
RE: Outlook 2007: one step forward, two steps back?
From: "Richard M. Smith" <rms () computerbytesman com>
Date: Tue, 10 Apr 2007 08:13:59 -0400
How does Pegasus Mail for Windows handle attached executable files? Does it probably block them so they can't be run? I'm asking because attached executable files have been historically the number one method for transmitting email worms from one user to the next.

Richard

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Nick FitzGerald
Sent: Monday, April 09, 2007 11:23 PM
To: 'FunSec [List]'
Subject: RE: [funsec] Outlook 2007: one step forward, two steps back?

Richard M. Smith to me:
> Actually, as email readers go, Outlook has been relatively secure since about 2000 when JavaScript was turned off by default and executable attachments were blocked. Outlook 2003 added an image blocker and spam filter. ...
I disagree. They took the bunch of crappy code that was Outlook and already glued to the behemoth of crappy IE code and rather than _simplifying it_ -- which is what thinking folk do to fix excessively bloated, already known to be hugely bug-ridden yet sadly security-critical code -- they added more code to "tighten up" the security. Given that bugs tend to track lines of code more closely than anything else, they did NOT make Outlook more secure in doing this. They may have got rid of enough of the obviously egregious stupidity to make it practically more secure because the bad guys found it easier to concentrate on other attack vectors, but that is far from making it more secure because the code actually implements a well-defined and specified, and carefully and competently reviewed software component...
> ... Outlook 2007 was also immune to the recent ANI problem.
Whoo-hoo -- immune to one-of-one (and are you sure the bad guys, or the clever "security researchers" actually looked that hard to find out how to trip up OL2k7?). OL2k7 is almost certainly MUCH more insecure than its predecessor. Crappy as the IE 6.x and earlier codebase was, and "patched up" as they made it and OL's interaction with it, OL2k7 is now lumbered with the probably larger (??) WinWord 2k7 codebase, and what do we know about that codebase? Well, look back the last year or two and guess which MS product has had the most zero-days _first found in the wild_? Gluing OL onto Word doesn't look very "security smart" now, does it? Oh, and haven't they completely changed the file formats in Office 2k7, introducing scads and scads of completely new, untested-under-fire, code which will be rife with new bugs? In fact, didn't someone make a post touching on just this to Full-Disclosure just yesterday? OL2k7 is looking decidedly more and more uncertain the more we think about its likely security surface... Aside from being a bloated, non-standards conforming PoS as an Internet MUA, it is a security nightmare just waiting to happen. Enjoy using it!
> PS. Does PINE automatically block executable attachments in incoming email messages?
No idea -- don't use it and haven't for years (more than a decade aside from very short periods of software testing).

Oh -- and as for that "security feature" of OL... You know they do that by blocking access to the message components in the message store, when the UI tries to make the access via certain code chains, right? So all it takes to bypass that "restriction" is a bug in some or other of the millions of lines of code in OL or possibly one of its myriad supporting components (which now includes that doyen of security, Word) for that "protection" to slip.

Enjoy using Outlook...

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
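The thread contrasts a client-side "block" that only gates what the UI will open against a check applied to the message itself. As an added example that is not code from this thread, from Outlook, or from any other mail client, the script below screens attachments at the message level: it parses a raw RFC 822 message with Python's standard library and flags an attachment both on its declared filename extension and on its content (the PE "MZ" magic), so an executable renamed to .txt is still caught. The extension list and the sample message are constructed for illustration and are assumptions, not any product's actual block list.

```python
"""Attachment screening at the message level (added example).

Flags executable attachments on content (PE 'MZ' magic) as well as on
the declared filename, so a renamed .exe does not slip through a
name-only check. BLOCKED_EXTENSIONS is an illustrative assumption,
not Outlook's or any other client's real block list.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Illustrative block list (assumption for this example only).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}


def is_pe_image(data: bytes) -> bool:
    """Win32 PE executables begin with the DOS stub magic 'MZ'."""
    return data[:2] == b"MZ"


def find_executable_attachments(raw: bytes):
    """Return [(filename, [reasons])] for each attachment judged executable.

    Decides on the attachment's bytes, not only on what the UI would show.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reasons = []
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            reasons.append("blocked extension " + ext)
        if is_pe_image(payload):
            reasons.append("PE magic bytes in content")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: three attachments, two of them executables.

    The 'MZ' stub is a fake DOS header, not a real program.
    """
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    pe_stub = b"MZ" + b"\x90" * 62  # constructed fake PE header
    # 1: obvious executable by name and content
    msg.add_attachment(pe_stub, maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    # 2: same bytes renamed to look harmless; only content inspection catches it
    msg.add_attachment(pe_stub, maintype="text",
                       subtype="plain", filename="notes.txt")
    # 3: genuinely harmless text
    msg.add_attachment(b"just text\n", maintype="text",
                       subtype="plain", filename="readme.txt")
    return bytes(msg)


if __name__ == "__main__":
    for name, reasons in find_executable_attachments(build_sample_message()):
        print(f"{name}: {', '.join(reasons)}")
```

Running it flags invoice.exe on both counts and notes.txt on content alone, while readme.txt passes. A name-only filter, or one enforced only when the UI opens the part, would miss the second case; any tool that exposes the raw part another way would hand the bytes over untouched.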
Current thread:
- Outlook 2007: one step forward, two steps back? rms (Apr 09)
- RE: Outlook 2007: one step forward, two steps back? Larry Seltzer (Apr 09)
- Re: Outlook 2007: one step forward, two steps back? Nick FitzGerald (Apr 09)
- RE: Outlook 2007: one step forward, two steps back? Richard M. Smith (Apr 09)
- RE: Outlook 2007: one step forward, two steps back? Nick FitzGerald (Apr 09)
- RE: Outlook 2007: one step forward, two steps back? Richard M. Smith (Apr 10)
- RE: Outlook 2007: one step forward, two steps back? David Harley (Apr 10)
- RE: Outlook 2007: one step forward, two steps back? Nick FitzGerald (Apr 10)
- RE: Outlook 2007: one step forward, two steps back? Richard M. Smith (Apr 09)
- Message not available
- Re: Outlook 2007: one step forward, two steps back? Nick FitzGerald (Apr 10)