-mapi:-
Post Love Bug, Microsoft Trades Flexibility for Security
It's going to make its Outlook e-mail program a lot safer -- at the expense of some convenience

The vulnerability of Microsoft products to hacker attacks has long caused about as much consternation among computer-security experts as the company's business practices have among antitrust lawyers. But in the wake of the "Love Bug" assault, which used well-known weaknesses in Windows and Office to paralyze computers and e-mail systems around the world, Microsoft finally seems to be sitting up and taking notice.

On May 15, Microsoft will announce that it's making some fundamental changes in Outlook -- an e-mail, contact management, and calendar program widely used in business. The repair patch for Outlook 98 and Outlook 2000, which will require a download of about 1 megabyte, will be made available on Microsoft's Web site the week of May 22.

Once the patch is applied, Outlook will become a program that is somewhat less convenient to use but a lot safer. Microsoft's long-time philosophy was that if people choose to do risky things with their computers, it's their own business and not Microsoft's role to stop them. But I have over 1,000 names in my Outlook address book, and if I had foolishly opened a Love Bug attachment, I would potentially have put all of them at risk.

BASIC CHANGES. "In the past, we've always sided with users' desire for power and flexibility," says Steven Sinofsky, senior vice-president in Microsoft's Office group. "Now we are saying that because of the pervasiveness of networking, there are some things you cannot do because of the risk they pose to other people's systems."

The changes, which were under consideration before Love Bug but accelerated after the attack, take two basic forms. First, Outlook will refuse even to look at certain types of message attachments, such as the so-called VB Script attachment that carried the Love Bug payload, and users cannot override this. Essentially, all program attachments will be blocked.

A second set of changes, which most Outlook users will be more likely to notice, severely restricts how other programs get access to the Outlook address book. The Love Bug spread so quickly because it sent a copy of itself to everyone listed in the address book, something which Outlook's design made very easy. A program other than Outlook itself will need permission from the user every time it needs access to the address book. This feature, too, cannot be turned off.

NOT-SO-EASY SYNCING. The most obvious effect is that a Palm or Windows CE handheld will have to ask permission each time it syncs with Outlook. No longer will it be possible to sync remotely over a network. Mail merges from Word or other Office programs will also be affected, as will a number of business applications, such as Siebel's customer-relationship-management applications and SAP's enterprise resource-planning software. Antivirus programs are also likely to trigger an alert during scans. Microsoft is working with the third-party software companies to minimize these impacts.

The new approach does not affect the free Outlook Express mail program, which, despite its name, has almost nothing in common with Outlook. It doesn't even use the same address book. And while Outlook Express is somewhat harder to attack than Outlook 98 or 2000, vulnerability exists there also, Sinofsky admits. Microsoft is working on changes to Outlook Express that will make it, too, more secure.

These changes represent an important philosophical shift by Microsoft. "From this point forward," says Sinofsky, "security is the top design point for Office, even if it means less flexibility."
Subject: whoever's mapi is without error, let him cast the first stone
Date: Tue, 16 May 2000 01:28:29 +0200
Qualcomm Eudora Pro (all versions)
Outlook Express 4.*
Microsoft Outlook 98
(Eudora Light and Outlook Express 5.0 are NOT affected)
These e-mail/news programs improperly handle the filenames of files attached to e-mails. An overly long filename can result in a buffer overflow condition when the program processes the attachment and tries to save the temporary file. As the reader generally processes the attachments when the user reads the message, the buffer overflow condition can be initiated.
In Outlook, if the filename has a graphic file extension, the buffer overflow condition can be initiated when trying to view the message; if not, the overflow will occur if the user tries to save/open the attached file.
In Eudora Pro, e-mail is processed while downloading mail from the server, so the buffer overflow occurs when the message is processed from the spool directory. This can even lock the e-mail account for Eudora Pro users. As far as I know, the same problem exists in Microsoft Outlook 98.
all will be well:
* markus
* my opinions may have changed, but not the fact that I am right.
(p-tv)
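The defect the post above describes, shown in a constructed C example added here (it is not code from Outlook, Eudora or any other client named on this page): the unsafe pattern copies the attachment name taken from the message into a fixed-size stack buffer while building the temporary file path, so a name longer than the buffer overruns it; the hardened form checks the name before any copy and fails closed. TEMP_DIR, the size limits and all function names are assumptions; the rejection of path separators goes slightly beyond the post, which concerns length only, but is what a saver of untrusted names should also do.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed values for illustration only. */
#define TEMP_DIR  "C:\\TEMP\\"
#define PATH_MAX_ 260   /* destination buffer size (Windows MAX_PATH) */
#define NAME_MAX_ 64    /* assumed policy limit for an attachment name */

/* Vulnerable pattern: the untrusted name is appended with no bound check.
 * Anything longer than the space left after TEMP_DIR overruns 'out',
 * which is the condition the advisory describes. Only ever call this
 * with a known-short name; it exists here to show the defect. */
void build_temp_path_unsafe(char *out, const char *attachment_name)
{
    strcpy(out, TEMP_DIR);
    strcat(out, attachment_name);   /* no length check at all */
}

/* Hardened form: validate first, then write with an explicit bound.
 * Returns 0 on success and -1 when the name is rejected (empty, longer
 * than NAME_MAX_, contains a path separator, or would not fit). It
 * never writes past out_size bytes. */
int build_temp_path_safe(char *out, size_t out_size, const char *attachment_name)
{
    size_t name_len = strlen(attachment_name);
    if (name_len == 0 || name_len > NAME_MAX_)
        return -1;
    /* Keep the temporary file inside TEMP_DIR (goes beyond the post). */
    if (strpbrk(attachment_name, "/\\") != NULL)
        return -1;
    /* snprintf truncates instead of overrunning, but a truncated path is
     * still the wrong file, so treat a would-be overflow as a failure. */
    int n = snprintf(out, out_size, "%s%s", TEMP_DIR, attachment_name);
    if (n < 0 || (size_t)n >= out_size)
        return -1;
    return 0;
}

/* Status of the safe builder for one name, using a local buffer. */
int status_for_name(const char *attachment_name)
{
    char path[PATH_MAX_];
    return build_temp_path_safe(path, sizeof path, attachment_name);
}

/* Status for a constructed name of 'len' bytes of 'A', to probe the limit. */
int status_for_long_name(size_t len)
{
    char *name = malloc(len + 1);
    if (name == NULL)
        return -2;
    memset(name, 'A', len);
    name[len] = '\0';
    int rc = status_for_name(name);
    free(name);
    return rc;
}

int main(void)
{
    char path[PATH_MAX_];

    /* Benign input: both versions produce the same path. */
    build_temp_path_unsafe(path, "report.doc");
    printf("unsafe, short name: %s\n", path);

    /* Untrusted input: the safe version rejects what the unsafe one would
     * have written past the end of 'path'. */
    printf("safe, 64-byte name  : %s\n", status_for_long_name(64) == 0 ? "accepted" : "rejected");
    printf("safe, 5000-byte name: %s\n", status_for_long_name(5000) == 0 ? "accepted" : "rejected");
    printf("safe, name with ..\\ : %s\n", status_for_name("..\\other.gif") == 0 ? "accepted" : "rejected");
    return 0;
}
```

The point of the wrappers is that the decision to save is made on the name's properties before any byte is copied; the fixed buffer is only ever written by a call that knows its own size.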