March 21, 2002 3:40 PM PST

Microsoft Outlook's so-so security

Related Stories

Seeking signs of Microsoft security push

March 4, 2002

Microsoft developers feel Windows pain

February 7, 2002

Gates: Security is top priority

January 17, 2002

Year of the Worm

March 15, 2001
Internet privacy researcher Richard Smith released on Thursday a list of four issues that continue to undermine the security of Microsoft's Outlook 2002 and could leave the major mail program open to attack by virus writers.

Although Smith called only one of the issues "critical," he said he released the list to bring the potential security hazards out into the open.

"I just wanted to get it off my table," he said. "I would like to see these issues addressed."

The critique comes two months after Microsoft called for a "Trustworthy Computing" initiative. Kicked off by a memo from Chairman Bill Gates to every employee, the strategy aims to further secure the company's Windows operating system and other products.

For the most part, Microsoft has done a decent job securing its mail program, Smith said, pointing to the latest security patch for Outlook 2002 that eliminates most of the popular vectors for computer viruses. Microsoft representatives were not immediately available for comment.

But Smith said the company needs to do more to fully secure the program, especially around e-mail that includes HTML (Hypertext Markup Language), a collection of formatting commands used to create Web pages. He pointed to a drop-off in the prevalence of macro viruses following a security fix to Word 2000 that required macros to have a valid digital signature before running them.

"So you can see, technical fixes do help," Smith said.

Among the issues Smith called critical is the ability for an e-mail that includes a special HTML tag, known as an IFRAME, to run an attached program. That weakness could be used by a virus to spread to computers through Outlook.

Other HTML problems included the ability to run JavaScript--a programming script that can be used to create interactive documents--in e-mails and the ability to read and set cookies via such e-mail. Cookies are small data files written to your hard drive by some messages when you view them.

Smith's final beef, however, is that Microsoft sometimes goes too far in warning users of potential security hazards in fairly benign situations. When someone attempts to send a link to a friend through Outlook, the program will warn that the file could potentially be dangerous.

"It is sort of like crying wolf," Smith said. "It's hard enough to understand all this...without adding confusing alerts."

 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.