funsec mailing list archives

RE: Outlook 2007: one step forward, two steps back?


From: "Richard M. Smith" <rms () computerbytesman com>
Date: Tue, 10 Apr 2007 08:13:59 -0400

How does Pegasus Mail for Windows handle attached executable files?  Does it
probably block them so they can't be run?  I'm asking because attached
executable files have been historically the number one method for
transmitting email worms from one user to the next.

Richard 

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of Nick FitzGerald
Sent: Monday, April 09, 2007 11:23 PM
To: 'FunSec [List]'
Subject: RE: [funsec] Outlook 2007: one step forward, two steps back?

Richard M. Smith to me:

> Actually, as email readers go, Outlook has been relatively secure
> since about 2000 when JavaScript was turned off by default and
> executable attachments were blocked.  Outlook 2003 added an image
> blocker and spam filter.  ...

I disagree.

They took the bunch of crappy code that was Outlook and already glued to the
behemoth of crappy IE code and rather than _simplifying it_ -- which is
what thinking folk would do to fix excessively bloated, already known to be
hugely bug-ridden yet sadly security-critical code -- they added more code
to "tighten up" the security.  Given that bugs tend to track lines of code
more closely than anything else, they did NOT make Outlook more secure in
doing this.  They may have got rid of enough of the obviously egregious
stupidity to make it practically more secure because the bad guys found it
easier to concentrate on other attack vectors, but that is far from making
it more secure because the code actually implements a well-defined and
specified, and carefully and competently reviewed software component...  

> ...  Outlook 2007 was also immune to the recent ANI problem.

Whoo-hoo -- immune to one-of-one (and are you sure the bad guys, or the
clever "security researchers" actually looked that hard to find out how to
trip up OL2k7?).

OL2k7 is almost certainly MUCH more insecure than its predecessor.

Crappy as the IE 6.x and earlier codebase was, and "patched up" as they made
it and OL's interaction with it, OL2k7 is now lumbered with the probably
larger (??) WinWord 2k7 codebase, and what do we know about that codebase?
Well, look back the last year or two and guess which MS product has had the
most zero-days _first found in the wild_?

Gluing OL onto Word doesn't look very "security smart" now, does it?

Oh, and haven't they completely changed the file formats in Office 2k7,
introducing scads and scads of completely new, untested-under-fire, code
which will be rife with new bugs?  In fact, didn't someone make a post
touching on just this to Full-Disclosure just yesterday?

OL2k7 is looking decidedly more and more uncertain the more we think about
its likely security surface...

Aside from being a bloated, non-standards conforming PoS as an Internet MUA,
it is a security nightmare just waiting to happen.

Enjoy using it!

> PS.  Does PINE automatically block executable attachments in incoming
> email messages?

No idea -- don't use it and haven't for years (more than a decade aside from
very short periods of software testing).

Oh -- and as for that "security feature" of OL...  You know they do that by
blocking access to the message components in the message store, when the UI
tries to make the access via certain code chains, right?  
So all it takes to bypass that "restriction" is a bug in some or other of
the millions of lines of code in OL or possibly one of its myriad supporting
components (which now includes that doyen of security, Word) for that
"protection" to slip.

Enjoy using Outlook...


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
