|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Subject: Re: Is there a bug in the Outlook patch
From: Alan Ralph (alan.ralph
4BMARTINVEST.CO.UK)Date: Thu Jun 15 2000 - 04:39:11 CDT
- Next message: dstevenson: "Re: Is there a bug in the Outlook patch"
- Previous message: Jeffry J. Bilder: "MS Exchange"
- In reply to: Bruno Garattoni- Folha de S. Paulo: "Is there a bug in the Outlook patch"
- Next in thread: dstevenson: "Re: Is there a bug in the Outlook patch"
- Reply: Alan Ralph: "Re: Is there a bug in the Outlook patch"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On 14 Jun 2000, at 16:57, Bruno Garattoni- Folha de S. wrote:
> Dear all,
> Microsoft has told me they didn't release a patch for Outlook Express
> 5 because it 'doesn't need it'. According to their PR dept., OE5 has fewer
> scripting functions that Outlook 2000, which would make it impossible for a
> worm such as the love bug to spread itself using OE5's address book.
> I doubt it. I've seen it happen. Am I right?
> What's your opinion? I'm reviewing the patch, and I am planning to do
> some testing with OE5. I would like to hear your experiences with the patch.
They are sort-of-right when they say that there are fewer scripting
functions available to the virus creator who wishes to target Outlook
Express. Whilst the Windows Address Book is (if memory serves
me right) accessible via COM, Outlook Express does not have a
documented COM interface. Whether that means that Outlook
Express cannot be subverted AT ALL is another matter.
More generally, Outlook Express suffers from the same
vulnerability that affects Outlook, namely the security applied when
viewing HTML messages. As well as changing the Security
Options to make it use the Restricted Zone, you should consider
changing the Restricted Zone settings themselves, via IE's
Options, to disable Active Scripting (enabled even in High
Security), and perhaps disable Java as well whilst you're at it.
My biggest problem with the Outlook Security Patch is that it
requires the SR-1(a) Update for Office 2000, and I am still waiting
for the Upgrade CD from Microsoft. Trying to download it from the
Web site takes hours, and each time I've tried it stops the
installation saying one of the files is wrong! Grrr! It's at times like
these that I start to regret giving my free copy of Works 99 Suite to
my parents....
Alan Ralph
4B Martinvest Ltd
alan.ralph4bmartinvest.co.uk
http://www.4bmartinvest.co.uk/
- Next message: dstevenson: "Re: Is there a bug in the Outlook patch"
- Previous message: Jeffry J. Bilder: "MS Exchange"
- In reply to: Bruno Garattoni- Folha de S. Paulo: "Is there a bug in the Outlook patch"
- Next in thread: dstevenson: "Re: Is there a bug in the Outlook patch"
- Reply: Alan Ralph: "Re: Is there a bug in the Outlook patch"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]