Subject: Alert: Outlook 98/2000 Email Security Update now available
From: Russ (Russ.Cooper at RC.ON.CA)
Date: Fri Jun 09 2000 - 11:52:41 CDT
Yesterday Microsoft released the binaries for their Email Security Update. I
have to say that I'm pleased to see that my recommendations to Microsoft
happen to coincide, almost exactly, with all that feedback they got from
everyone else after their initial announcement of the Update a few weeks
ago. Shame they didn't believe me when I said it during the briefings
pre-release, but at least they've taken the time to address most of the
issues.
I think that anyone running Outlook 98/2000 in a Microsoft Exchange Server
environment should favorably consider applying the update. Unfortunately,
uninstalling the update is a matter of de-installing all of Office, so going
back after an upgrade is not an easy option. That said, the administrative
flexibility offered in an Exchange Server environment makes going back
unnecessary, IMO. More details about this can be found below.
Available now is a version for Outlook 98;
http://www.officeupdate.com/downloadDetails/Out98sec.htm
and Outlook 2000 SR-1.
http://www.officeupdate.com/2000/downloaddetails/Out2ksec.htm
I'll try and summarize the salient points;
Not for Outlook Express
-----------------------
Nothing is currently available to alter the way Outlook Express works. These
updates are strictly for Outlook 98/2000 SR-1. While one might argue that
Outlook Express is more likely deployed on more desktops (I don't have any
figures, but one might suspect it), the fact is that worms tend to spread faster
and broader via corporate desktops than home users. If anyone has a
comprehensive survey of such information, I'd be happy to correct this
assumption if it shows otherwise.
Incorporates previous Attachment Security Update
------------------------------------------------
In November last year Microsoft released an Email Attachment Security Update
which provided restrictions on executables such as .exe, .cmd, .bat. This
update appears to have been incorporated into this latest one. All
indications are that if you have the latest update, you don't need the
earlier one as well.
Fundamental Components of the Update
------------------------------------
a) Attachments are now classified as one of three types. Level 1 attachments
include things such as .vbs, .js, and other automatic scripting or easily
invoked attachments. Level 1 attachments are "hidden" from the user, and
most of the time a warning will be presented at the top of the message
window indicating that filename was hidden (so the user knows an attachment
was presented). Users cannot access these attachments at all.
A complete list of these file types can be found at;
http://www.officeupdate.com/2000/articles/Out2ksecFAQ.htm
Level 2 attachments, of which there are none defined by default, would
prompt a user to save them to disk. No option would be available to invoke
the attachment directly from the mail message.
Other attachments, such as .doc and .htm, are unaffected by the update. They
will be presented to the user and the user can invoke the associated
application directly from email.
b) Object Model Guard is intended to prevent the automation of messaging
technologies, in particular access or use of the address book. Worms have
been most virulent when they propagated via automation of the address book,
so Microsoft have attempted to make such automation more difficult to do
surreptitiously. It is still possible, via CDO, to do this although a future
version of this update is supposed to address this. On Windows '98 boxes,
CDO availability is removed by default, on other platforms MS recommends
that it be removed manually.
Automation is still possible; the user will be prompted whenever an object
attempts to programmatically access the address book and can, if they wish,
give it the ability to do this for a limited amount of time. This is there
to permit things like Mail Merge or other existing non-malicious tools.
Note, this has nothing to do with removing scripting.
c) Outlook now defaults all messages to the Restricted Sites Zone. Further,
the Restricted Sites Zone will be modified to ensure that Active Scripting
is disabled. When coupled with the fact that the Restricted Sites Zone
already disables the ability to invoke ActiveX controls, all scripting is
disabled in this zone.
It should be noted that this applies only to messages which embed scripting,
not attachments which contain scripting. Attachments, when invoked, run in
the Internet Zone, not the zone of the parent. So an HTML-based email
message with scripting in it will be treated as being run in the Restricted
Sites Zone. The same HTML, supplied as an attachment to a normal email
message, will run in the Internet Zone if double-clicked from within
Outlook. This is an important distinction.
d) In environments where Outlook 98/2000 SR-1 are installed in "Corporate or
Workgroup" mode connecting to an Exchange Server, Administrators can
customize the behavior of the update on a per user/group basis.
Customization includes the ability to alter the list of file types in each
of the two Levels, as well as what the user will be permitted to do
(automatically invoke, prompt, or deny). Such flexibility provides a way to
address the issue where several individuals in the company need to be able
to work with specific attachment types, yet the entire company needs to be
protected.
The choice of implementing this on Exchange Server, rather than through some
user Profile mechanism (which could be portable to other mail server
environments) is questionable. Personally I see how this was easier to
implement in a short period of time, however I would hope that Microsoft is
working with other mail server Vendors to find a similar mechanism for
non-Exchange Server environments (or working with the MS Server folks to
find a way to do this in User Profiles or System Policies.) It should be
remembered that this fix is being done as quickly as possible to avoid the
next threat.
Full details about the Administrative options can be found at;
http://www.microsoft.com/office/ork/2000/journ/outsecupdate.htm
After downloading the Admpack.exe, run it as "admpack /C" to extract the
components and read the README.TXT file.
Summary
-------
From a corporate perspective, I think the limitations on customization in a
non-Exchange Server environment coupled with the difficulty in rolling back
the update will make this update a tough sell in non-Exchange Server
companies. While it would likely be very good for the vast majority of
clients in such an environment, Administrators might be less willing to deal
with the potential complaints about its restrictions.
In Exchange Server environments the ability to customize the update, to the
point where it doesn't affect anything, should make it widely adopted. The
added protection for a majority of users, if not all, must be seen as a
proactive step to ensuring that the next threat from scripting worms is
mitigated.
Granted, it does not prevent worms, viruses or trojans, but it can eliminate
the most effective vector (propagation through address book access).
Further, the automatic shift from Internet Zone to Restricted Sites Zone,
plus the strengthening of the Restricted Sites Zone, should be seen as a
fairly large bonus.
From a home user perspective, its effects will be limited. Since Outlook
proper is not typically installed, the number of potential update sites is
limited. That said, anyone who is running Outlook could do worse than to
have the restrictions placed on their email that this update provides.
Everyone can still, easily, receive any attachment type they desire by
simply requesting that the sender put it inside a .zip file. This
discussion, between recipient and sender, is one of my basic premises when
it comes to mail. Nobody should be sending you a file without telling you
it's coming first, and of course, what it is.
I hope we will see this Update become a basic functional feature of
Microsoft products. I have long called for the Trust Zone mechanism to be
extended beyond IE to the entire OS and all applications running therein.
Of course this flies in the face of the extremely stupid and clueless folks
like Judge Penfield Jackson and his pet dog Joel Klein. Having a model such
as the Trust Zone mechanisms extended to any application would allow
Administrators and Users alike the ability to minimize the threats they face
every day. Extending it to include things like Macros, Shells, Automation
categories (OLE), and network components would go a long way to achieving a
higher level of security on desktops.
Maybe Microsoft will consider publishing an API that allows for the Trust
Zones to be extended...?? Of course such a thing would then have to be
considered by applications. Might allow me to eventually publish a list of
software that is "NTBugtraq Ready!"...;-]
Meanwhile, I highly suggest you apply the fix. Worst case, you reduce your
bandwidth consumption because you have to ask everyone to send you .zip
files in the future.
Cheers,
Russ - NTBugtraq Editor
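To make the two-level attachment model in (a) and the per-group customization in (d) concrete, here is an added toy policy evaluator in Python; it is not Microsoft's code and not part of Russ's post. The default extension lists, the group-override mechanics and the "Attachment hidden" notice text are assumptions constructed for illustration (the real Level 1 list is in the FAQ linked above, and real overrides live in the Exchange admin form).

```python
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed sample of the default Level 1 list (the real list is in the
# Out2ksecFAQ page linked in the post); Level 2 is empty by default.
DEFAULT_LEVEL1 = {".vbs", ".js", ".exe", ".cmd", ".bat"}
DEFAULT_LEVEL2 = set()
# What Outlook does at each level: 1 = hide/deny, 2 = prompt to save, 3 = invoke.
DEFAULT_ACTIONS = {1: "deny", 2: "prompt", 3: "invoke"}


@dataclass
class Policy:
    level1: set = field(default_factory=lambda: set(DEFAULT_LEVEL1))
    level2: set = field(default_factory=lambda: set(DEFAULT_LEVEL2))
    actions: dict = field(default_factory=lambda: dict(DEFAULT_ACTIONS))


def classify(policy, filename):
    """Return 1, 2 or 3 from the final suffix only (case-insensitive), so a
    double extension like report.doc.vbs is still a Level 1 .vbs file."""
    ext = PureWindowsPath(filename).suffix.lower()
    if ext in policy.level1:
        return 1
    if ext in policy.level2:
        return 2
    return 3


def evaluate(policy, filename):
    """Return (level, action, notice); notice is the constructed banner text
    shown at the top of the message when an attachment is hidden."""
    level = classify(policy, filename)
    action = policy.actions[level]
    notice = f"Attachment hidden: {filename}" if action == "deny" else None
    return level, action, notice


def group_policy(base, to_level2=(), allow=(), actions=None):
    """Derive a per-group policy the way the post says the Exchange admin pack
    lets an administrator: move a type from Level 1 to Level 2, drop it from
    both lists, or change the action taken for a level. base is not mutated."""
    p = Policy(set(base.level1), set(base.level2), dict(base.actions))
    for ext in to_level2:
        p.level1.discard(ext)
        p.level2.add(ext)
    for ext in allow:
        p.level1.discard(ext)
        p.level2.discard(ext)
    if actions:
        p.actions.update(actions)
    return p
```

Note that a .zip falls through to level 3 under the default policy, which is exactly the "ask the sender to zip it" workaround the post describes, and why a wrapper format is outside this update's protection.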