From: Aron Roberts (aron_at_socrates.berkeley.edu)
Date: Fri Sep 19 2003 - 16:28:42 PDT
At 12:29 -0700 2003-09-19, Eric Chamberlain wrote:
>*Outlook for the Mac can run scripts, but new versions of Outlook regardless
>of OS platform have scripting disabled.
Just as a clarification: the three e-mail programs that Microsoft
has released for the Mac OS are:
- Outlook, a free e-mail program for Mac OS 8.1 to 9.x.
This program requires a Microsoft Exchange server; it does not
work with Internet mail protocols.
- Outlook Express, a free e-mail program for Mac OS 8.1 to 9.x.
- Entourage, a commercial e-mail program bundled with Microsoft Office
for both Mac OS 8.6 to 9.x and Mac OS X.
When comparing the security risks posed by e-mail client programs
on both the Macintosh and Windows platforms, some key questions I'd
suggest asking are:
- Are there any vulnerabilities in the e-mail program which would
allow certain message bodies or attachments to cause code to be run?
In other words, "can the act of simply rendering a maliciously
crafted HTML e-mail message body or receiving a specific type of
attachment permit code to be executed, even if the user doesn't
explicitly perform any action other than checking for new mail?"
My understanding is that some older versions of Outlook and
Outlook Express for Windows were subject to these vulnerabilities,
and that patches, configuration tweaks, and/or version upgrades
rectify these. Perhaps someone who has investigated this further
might wish to comment?
- Is the e-mail client itself scriptable? If so, how extensive is
its scriptability? Can it be induced by a worm or trojan to create
a custom message, for instance? To attach a file to that message?
To send it to the addresses in a local and/or remote address book?
Are there any special authorizations required to perform these actions
(other than any standard SMTP authorization, if any)?
Outlook Express and Entourage for the Macintosh, at least,
are scriptable via Apple's system scripting language, AppleScript,
and presumably via any scripting or programming language capable
of sending AppleEvents. Other e-mail clients, like Eudora, also
are similarly scriptable. Most or all of the actions listed above
can be performed by a script without specific authorization being
required.
- Can the user cause code to be executed by choosing to open
a message attachment within their e-mail program?
- And a corollary -- are there ways for an evildoer to disguise
an attachment that executes code as a text file, picture, movie,
or something else -- whether the method(s) of disguise is/are
facilitated by the e-mail program or the underlying OS?
Just as an aside, buttressing Eric's point, above, the following
document describes the security model in Outlook 2002 for Windows:
Aron Roberts
Workstation Software Support Group
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.
This archive was generated by hypermail 2.1.5 : Fri Sep 19 2003 - 16:30:39 PDT
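The last question in the message above, whether an attachment that executes code can be disguised as a text file, picture or movie, can be turned into a concrete check on the receiving side. The following is an added example, not code from the original message or from any of the mail programs it names: it parses a raw message with Python's standard email module and flags attachments whose name or declared content type disagrees with what the bytes actually are (double extensions, whitespace padding before the real extension, an executable header under an image or text type). The sample message, the extension lists and the magic-byte table are constructed for this demonstration.

```python
"""Flag e-mail attachments whose name or declared type disguises executable
content.  Added example; the sample message, extension lists and magic-byte
table below are constructed for the demonstration."""
import base64
import email
import os
import re

# Extensions that the Windows shell or Mac OS X Finder will run (assumed list).
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr",
                   ".vbs", ".js", ".hta", ".app", ".scpt"}
# Extensions a recipient reads as passive data (assumed list).
HARMLESS_EXTS = {".txt", ".jpg", ".jpeg", ".gif", ".png", ".mov",
                 ".mp3", ".pdf", ".doc", ".rtf"}
# Leading bytes of common formats (prefix, description).
MAGIC = [
    (b"MZ", "dos/windows executable"),
    (b"\x7fELF", "elf executable"),
    (b"\xfe\xed\xfa", "mach-o executable"),       # big-endian (PPC) layout
    (b"\xce\xfa\xed\xfe", "mach-o executable"),   # little-endian 32-bit
    (b"\xcf\xfa\xed\xfe", "mach-o executable"),   # little-endian 64-bit
    (b"\xca\xfe\xba\xbe", "mach-o fat executable"),
    (b"\xff\xd8\xff", "jpeg image"),
    (b"GIF8", "gif image"),
    (b"\x89PNG", "png image"),
]


def sniff(data):
    """Describe the content from its leading bytes, or return None if unknown."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return None


def classify_attachment(filename, content_type, data):
    """Return a list of findings; an empty list means nothing looks disguised."""
    findings = []
    name = filename.lower()
    # "photo.jpg          .exe": padding pushes the real extension out of view.
    if re.search(r"\s+\.[a-z0-9]+$", name):
        findings.append("whitespace padding before the real extension")
    compact = "".join(name.split())
    stem, ext = os.path.splitext(compact)
    _, inner = os.path.splitext(stem)
    if ext in EXECUTABLE_EXTS and inner in HARMLESS_EXTS:
        findings.append("double extension: %s disguised as %s" % (ext, inner))
    kind = sniff(data)
    if kind is not None and kind.endswith("executable"):
        if ext not in EXECUTABLE_EXTS:
            findings.append("content is a %s but name ends in %s"
                            % (kind, ext or "no extension"))
        if content_type.split("/")[0] in ("text", "image", "audio", "video"):
            findings.append("content is a %s but declared %s" % (kind, content_type))
    return findings


def scan_message(raw):
    """Parse a raw RFC 2822 message and classify every named attachment."""
    msg = email.message_from_bytes(raw)
    report = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename is None:  # the message body, not an attachment
            continue
        data = part.get_payload(decode=True) or b""
        report[filename] = classify_attachment(filename, part.get_content_type(), data)
    return report


def _attachment(content_type, filename, data):
    """One MIME part with a base64 body (constructed sample data)."""
    return ("--frontier\r\n"
            "Content-Type: %s\r\n"
            "Content-Transfer-Encoding: base64\r\n"
            "Content-Disposition: attachment; filename=\"%s\"\r\n"
            "\r\n%s\r\n") % (content_type, filename,
                             base64.b64encode(data).decode("ascii"))


def build_sample_message():
    """Constructed message: three disguised attachments and one honest one."""
    mz = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24  # stub of a PE file header
    parts = [
        _attachment("application/octet-stream", "photo.jpg" + " " * 40 + ".exe", mz),
        _attachment("text/plain", "readme.txt", mz),
        _attachment("image/jpeg", "vacation.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
        _attachment("text/plain", "notes.txt.vbs", b'MsgBox "hello"\r\n'),
    ]
    head = ("From: sender@example.org\r\n"
            "To: recipient@example.org\r\n"
            "Subject: constructed sample\r\n"
            "MIME-Version: 1.0\r\n"
            "Content-Type: multipart/mixed; boundary=\"frontier\"\r\n"
            "\r\n--frontier\r\n"
            "Content-Type: text/plain\r\n\r\nSee attached.\r\n")
    return (head + "".join(parts) + "--frontier--\r\n").encode("ascii")


if __name__ == "__main__":
    for name, findings in scan_message(build_sample_message()).items():
        print("%-55r %s" % (name, "; ".join(findings) or "ok"))
```

This answers only the name-and-bytes half of the question. On classic Mac OS the file's type and creator codes in its resource fork, not its name, decide what opens it, so a disguise "facilitated by the underlying OS" can pass a check like this one; on Windows, the shell's default hiding of known extensions is what makes the double-extension trick work, so the check is most useful there.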