The Latest Trumors
How Good is Your Outlook?
Does your version of Microsoft Outlook or Outlook Express protect your computer from attack or the spread of viruses?
Unpatched or early versions of Microsoft's e-mail programs can allow the execution of malicious code, or allow viruses to transmit themselves to others. Only a year ago Microsoft issued patches for Internet Explorer to repair four major glitches in versions 5.01 through 6 that could let an attacker completely take over your PC or wipe your hard drive clean. With two of these holes, simply being connected to a malicious web site could initiate the attack; you wouldn't even have to click anything.
Unpatched versions of Outlook Express 5.5 and 6 contain a vulnerability that could allow a cracker to cause just as much harm. Merely receiving an e-mail -- without even opening it -- could automatically trigger the attack. But there's a twist: Even though the hole is in OE, you're also in danger if you use Outlook 98 through 2002 without updates. This risk exists because Outlook uses OE to provide some important features. If you run Outlook Express 6 or Outlook 2002 under the default Medium security setting, or Outlook 98 or 2000 with the Outlook Security Update loaded, you can block an automated e-mail attack but you're still vulnerable to clicking a tarnished link either in an e-mail or on a bad guy's web site.
Microsoft also discovered a security threat in its Java Virtual Machine, a component that has shipped with Windows since Windows 95, as well as with many versions of IE. The VM enables IE, Outlook, and Outlook Express to run Java applets. However, the key feature of the VM is broken: the part that ensures Java applets are not malicious.
Preventive medicine is the best kind. So get an updated version of Microsoft's VM, or (better yet) use Sun's version instead. Only last month Microsoft issued yet another Security Bulletin (MS04-009) describing a vulnerability in Microsoft Outlook that could allow code execution (828040). It was updated from "serious" to "critical."
What's the Difference?
For those of you who may be confused about these overlapping programs, here's a little more detail about them. Remember that, while you can read e-mail using both Outlook and Outlook Express on the same computer, you need to consider exactly how you're going to use each program. At work, you might choose to use Outlook for both your personal account and your corporate account. Or, you may want to use Outlook for your work e-mail and Outlook Express exclusively for your private e-mail. But whatever you decide, you shouldn't access the same e-mail account on the same computer using both programs, to avoid dividing the messages on that account between the two.
Outlook Express is the free e-mail client that was included with Microsoft Internet Explorer 4.x / 5.x / 6.x, Microsoft Windows operating systems 98 / Me / 2000 / XP, and Microsoft Office 98 / 2001 for the Macintosh (version 5.1 for OS 9.x). [Note: Macintosh users are not affected by these issues.] Outlook Express is designed for home users who gain access to their e-mail messages by dialing in to an Internet service provider (ISP). It's designed for use with any Internet standard system, including Simple Mail Transfer Protocol (SMTP), Post Office Protocol 3 (POP3), and Internet Mail Access Protocol (IMAP). It supports e-mail, news, and directory standards such as Lightweight Directory Access Protocol (LDAP), Multipurpose Internet Mail Extension Hypertext Markup Language (MHTML), Hypertext Markup Language (HTML), Secure/Multipurpose Internet Mail Extensions (S/MIME), and Network News Transfer Protocol (NNTP). Outlook Express includes migration tools that automatically import existing mail settings, address book entries, and e-mail messages from Eudora, Netscape, Microsoft Exchange Server, the Windows Inbox, and Outlook. OE also includes the ability to receive mail from multiple e-mail accounts, as well as the ability to create Inbox rules to manage and organize e-mail.
Outlook is a more robust stand-alone application that is shipped with the Microsoft Office Suite. However, unlike Outlook Express, it does not include a news client. (While Outlook 2003 may appear to support newsgroups, the newsreader actually opens an Outlook Express window.) It provides performance and integration with Internet Explorer, as well as e-mail, calendaring, and contact management, making it popular with business users. The final version of Outlook for Macintosh was 2001, replaced by Entourage (bundled with Office 2001 and X), a new application to m anage contacts, calendar items, tasks, notes and multiple e-mail accounts in one view. [None of the products for Macintosh are vulnerable to the Windows-based viruses or worms. The volume of infected e-mails may be annoying, but they won't harm systems running other platforms.]
Outlook organizes information to work seamlessly with Office applications. There are Inbox rules to filter and organize messages, and e-mail from multiple e-mail accounts, personal and group calendars, contacts, and tasks can be integrated and managed. Outlook is designed for use with the Internet (SMTP, POP3, and IMAP4), Exchange Server, or any other standards-based communication system that supports Messaging Application Programming Interface (MAPI), including voice mail. Outlook is based on Internet standards and supports e-mail, news, and directory standards, including LDAP, MHTML, NNTP, MIME, and S/MIME, vCalendar, vCard, iCalendar.
Outlook also offers the same import tools as those offered with Outlook Express to migrate from other e-mail clients, plus additional migration tools for Microsoft Mail, Microsoft Schedule+ 1.0, Microsoft Schedule+ 7.0, Lotus Organizer, NetManage ECCO, Starfish SideKick, Symantec ACT, and synchronization with Personal Digital Assistants (PDAs).
Some Tips to Help You Help Yourself
The biggest weakness is a feature shared by both programs, the support of HTML in e-mail messages. The following steps (reprinted from the Microsoft Knowledge Base) will help to minimize this vulnerability in Outlook Express.
Additional Configuration Help
Avoiding Malicious Links
Although the following actions don't help you identify a deceptive (spoofed) web site or URL, they can help limit the damage from a successful attack from a spoofed web site or a malicious hyperlink. Bear in mind that they also restrict e-mail messages and web sites in the Internet zone from running scripts, ActiveX Controls, and other potentially damaging content.
Use your web content zones to help prevent web sites that are in the Internet zone from running scripts, running ActiveX Controls, or running other damaging content on your computer. First, set your Internet zone security level to High in Internet Explorer. To do so, follow these steps:
Next, add the URLs for Web sites that you trust to the Trusted Sites zone. To do so, follow these steps:
Using Virus Protection Features in Outlook / OE 6
Reading e-mail messages in plain text in Outlook or Outlook Express will allow you to see the full URL of any hyperlink and examine the address that Internet Explorer will use. Some of the characters that may appear in a URL that could lead to a spoofed Web site are %00 , %01 , or @. For example, a URL of the following form: "http://email@example.com" will actually open "http://badsite.com," but the URL that appears in the address bar of Internet Explorer may show only "http://www.harmlesslink.com."
The last Outlook Email Security Update released for Outlook 98 and Outlook 2000 disables many of the features that allow viruses to spread quickly. The security update is also integrated into Office 2000 Service Pack 2. Outlook 2002 also has the features of the patch built in, with one major change -- Outlook 2002 users can modify the list of blocked attachments.
To find out whether your copy of Outlook includes the security update or can be updated, you should check the version number with the Help | About Microsoft Outlook command and compare it with this chart, which lists the versions with the security update:
The update makes it difficult, if not impossible, to execute program files in Outlook -- including VBScript .vbs files like those that spread Loveletter. It is also aimed at making it more difficult for a virus to use Outlook to transmit itself via e-mail. This aspect of the patch, however, means that some Outlook features will no longer function at all. In other cases, a user may need to authorize access by outside programs, such as bulk mail applications.
Disabling Active Scripting in Internet Explorer can prevent many pop-up windows from opening on your computer as well. To disable Active Scripting for a particular web site, you can add that site to the Restricted Sites zone, and then disable Active Scripting and other content for the Restricted Sites zone. This prevents most pop-ups from working, but only for the sites that you add to the Restricted Sites zone.
To add a site to the Restricted Sites zone in Internet Explorer:
Virus Protection features in Outlook Express 6 are found on Security tab of the Tools, Options dialog box.
Microsoft-assisted support for Outlook 97 and 98 have ended, so no additional patches will be issued. Help can be found only by searching or posting a question to newsgroups, or reviewing support documents that are posted on the HALNet Support page at www.hal-pc.org/support/ (scroll down to the "email" section).
To play it safe, you should update your Internet Explorer and Outlook or OE to the latest version and keep an eye out for those critical patches and updates. The newest versions are not OS-specific and are compatible with any Windows OS after Win98. Otherwise your PC may end up in the computer hospital in critical condition.
Beverly Rosenbaum, a HAL-PC member, is a 1999 and 2000 Houston Press Club “Excellence in Journalism” award winner. She can be reached at firstname.lastname@example.org.