
Microsoft Outlook, other new e-mail clients could open door to viruses

But Microsoft officials say users would have to lower security settings to fall victim.


Remember the rumors about the so-called Good Times virus, which could purportedly be acquired by simply reading the text of an e-mail? The virus gurus calmed us all down when they claimed such a thing could never happen.

They were wrong.

Such virus problems are possible now that software companies have begun adding Web features to e-mail clients.

By giving e-mail messages the potential for rich Web-like content, nasty elements may be able to find their way onto your machine. And you may not have to physically open a mail message for this to happen.

A particularly insidious example was brought to the attention of Network World at a recent gathering of the Java Security Alliance, in Napa, Calif.

A. Padgett Peterson, a security expert at Lockheed Martin Corp., noted that he had created an HTML message containing a Visual Basic script in the body of the message (not attached as a file), which in turn triggered an ActiveX control. This blend of elements made it possible for the sender of the e-mail to write a file to the reader's hard drive.

Conceivably, the file could be an executable file with the ability to introduce a virus or other malicious code into the user's system.
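A mail gateway or client can check for the pattern Peterson describes, script and embedded-object markup in the HTML body itself rather than in an attachment, before the message reaches a rendering engine. The Python below is an added example, not code from the article or from any vendor named in it; the sample message, the tag list and the name `scan_message` are assumptions made for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample message (not from the article): an HTML body with an
# inline script element and an embedded object, both holding inert placeholders.
SAMPLE = b"""\
From: sender@example.com
To: reader@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Hello</p>
<script language="VBScript">' placeholder, no code</script>
<object classid="clsid:PLACEHOLDER"></object>
<a href="#" onclick="return false">link</a>
</body></html>
"""

# Assumed list of elements that can run or load active content when rendered.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}

class ActiveContentFinder(HTMLParser):
    """Collects active-content elements and inline event-handler attributes."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}>")
        for name, _ in attrs:
            if name.startswith("on"):  # onclick, onload, ...
                self.findings.append(f"{tag}@{name}")

def scan_message(raw: bytes) -> list[str]:
    """Return active-content findings from every text/html part of a message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            finder.close()
            findings.extend(finder.findings)
    return findings
```

A non-empty result is a reason to strip the markup or deliver the message as plain text; a `text/plain` part is never scanned because a client does not render it as HTML.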

Peterson, using a beta version of Microsoft Corp.'s Outlook 98, found that Outlook's "preview pane" actually opens a message that's highlighted in a queue - without the user double-clicking on it.

If a user gets a message containing this dangerous code at the top of his mail queue when launching Outlook 98, the user's computer will execute the code. Microsoft said that while this scenario could happen, it would not be likely, and that a user would have to adjust the machine's security settings to accept this type of code without validation.

Microsoft said the only other way the code would execute is if the user OK'd the code from a warning dialog box that Outlook 98 produces after it realizes the message contains such code.

George Meng, a group product manager for Outlook 98, said the program uses Internet Explorer 4.0 components to render HTML messages, and Internet Explorer 4.0 defaults to a setting that brings up such a dialog box. Meng and Rob Bennett, a group product manager for Internet Explorer, both said this is enough to protect end users from outside hazards.

"We make it super-easy for the user to see when active content is being pushed down to them. If the code interacted with the file system, it would bring up an alert that says the content might not be safe," Bennett said.

Bennett explained that identical damage could be caused by visiting a Web page that contains the same code (and faces the same security blocks), because Internet Explorer 4.0's rendering engine drives both applications.

When asked if damage was possible if the user manually lowered the computer's security settings, Bennett admitted that it was. But he also noted that a systems administrator using the Internet Explorer Administration Kit could lock security settings for all users within an enterprise, making such a situation less likely.

This doesn't do away with the chance of harm. It just makes it more difficult for a third party to mess up a company's computer systems.

Christopher Klaus, founder and chief technology officer for Atlanta-based Internet Security Systems, Inc., likened harmful code on a Web page to a Venus flytrap, in that such code has to lure people to the site before the code can be introduced. E-mail, meanwhile, is more active.

"That e-mail doesn't require the same principle as a Web page is a big concern. [Spammers] can specifically target who they want to target through e-mail and can hide their tracks better," Klaus said.

There's also concern over Outlook 98 and Internet Explorer 4.0 sharing the same security settings.

Paul Hoffman, director of the Internet Mail Consortium, said he believes users approach Web sites and e-mail quite differently.

"You might have your settings in the Web client very low when you go to a site that you know very well. Because e-mail inherently can be received from anyone, these programs need different settings from a Web client," Hoffman said.

More than Microsoft

Hoffman noted that Microsoft isn't the only company adding Web features to mail clients, and any mail client that renders HTML might open the user to similar security risks.

"I am very much against automatically launching anything in e-mail given that you didn't ask someone to send it to you. You open an e-mail with little information," Hoffman added.

The best advice is to doubt everything that comes into your e-mail box and, as Klaus cautioned, take every precaution to ensure the messages you receive are authenticated. However, Klaus also noted that a majority of attacks on enterprise networks come from insiders.

"It comes down to awareness. How much do you trust the people who e-mail you? How quickly can we educate people about running these scripts? It's just a matter of time before someone devises a script that becomes a terrible thing on the Internet," Klaus said.

RELATED LINKS

Contact Senior Editor Andy Eddy

Padgett's AntiVirus Page
Explains why he fights viruses as a hobby.

Secure Internet Computing
Princeton University effort to find and explain security holes in Java, ActiveX, etc. Includes a comparison of Java and ActiveX security.
