Just how safe is Outlook 2002?
Published: 22 Mar 2002 10:22 GMT
Internet privacy researcher Richard Smith released on Thursday a list of four issues that continue to undermine the security of Microsoft's Outlook 2002 and could leave the major mail program open to attack by virus writers.
Although Smith called only one of the issues "critical," he said he released the list to bring the potential security hazards out into the open. "I just wanted to get it off my table," he said. "I would like to see these issues addressed."
The critique comes two months after Microsoft called for a "Trustworthy Computing" initiative. Kicked off by a memo from Chairman Bill Gates to every employee, the strategy aims to further secure the company's Windows operating system and other products.
For the most part, Microsoft has done a decent job securing its mail program, Smith said, pointing to the latest security patch for Outlook 2002 that eliminates most of the popular vectors for computer viruses. Microsoft representatives were not immediately available for comment.
But Smith said the company needs to do more to fully secure the program, especially around email that includes HTML (Hypertext Markup Language), a collection of formatting commands used to create Web pages. He pointed to a drop-off in the prevalence of macro viruses following a security fix to Word 2000 that required macros to have a valid digital signature before running them.
"So you can see, technical fixes do help," Smith said.
Among the issues Smith called critical is the ability for an email that includes a special HTML tag, known as an IFRAME, to run an attached program. That weakness could be used by a virus to spread to computers through Outlook.
Other HTML problems included the ability to run JavaScript -- a programming script that can be used to create interactive documents -- in emails and the ability to read and set cookies via such email. Cookies are small data files written to your hard drive by some messages when you view them.
Smith's final beef, however, is that Microsoft sometimes goes too far in warning users of potential security hazards in fairly benign situations. When someone attempts to send a link to a friend through Outlook, the program will warn that the file could potentially be dangerous.
"It is sort of like crying wolf," Smith said. "It's hard enough to understand all this... without adding confusing alerts."
Have your say instantly, and see what others have said. Go to the Security forum.
Let the editors know what you think in the Mailroom.
Did you find this article useful?
19 out of 79 people found this useful
- Share this article:
