[ale] FW: [ISN] Microsoft Outlook patch delayed again
Joe Steele
joe at madewell.com
Wed Jun 7 21:07:25 EDT 2000
"Pete Hardie" wrote:
>
> "Christopher S. Adams" wrote:
> >
> > It's not Outlook that's at fault anyway.
> > I say the people who actually ran the VBS script, their companies deserved
> > it for hiring people of limited mental capacity.
>
> I say that it *is* Outlook at fault, for *RUNNING UNTRUSTED EXECUTABLES* from
> the mail area. I mean, Java pointed out the need for a sandbox over 3 years
> ago, and Outlook still allowed *FULL ACCESS TO ALL PARTS OF THE MACHINE*
I agree -- Outlook (or Microsoft) is much more at fault than the people
using it. It now appears the LoveBug worm could have been written so that
*NO ACTION* was required on the part of the user beyond viewing (or
previewing) the message. If I understand it correctly, the user wouldn't
even have to be at the computer, just so long as the incoming message was
displayed in a preview window when it arrived. The key part of the exploit
(through the use of .chm files) was made public 3/1/00 (long before lovebug).
Since then, the exploit has been further refined:
(watch out for line wrap)
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-05-15&msg=20401721.958441051714.JavaMail.imail@tiptoe
Microsoft finally issued a patch 6/2/00, *three months* after the problem was
first discovered. Of course their patch only fixes one small problem and
doesn't fix the REAL security problem mentioned above: the ability for outlook
to RUN UNTRUSTED EXECUTABLES from the mail area.
Someone computed a time ratio of 4 hours for Linux to respond to a security
issue vs. 5 weeks for M$. It seems you could up that to 3 months, making it
roughly 550:1.
-Joe