Microsoft Outlook's so-so security
An Internet privacy researcher releases a list of four yet-to-be-fixed security problems with the software giant's mail program.
Although Smith called only one of the issues "critical," he said he released the list to bring the potential security hazards out into the open.
"I just wanted to get it off my table," he said. "I would like to see these issues addressed."
The critique comes two months after Microsoft called for a "Trustworthy Computing" initiative. Kicked off by a memo from Chairman Bill Gates to every employee, the strategy aims to further secure the company's Windows operating system and other products.
For the most part, Microsoft has done a decent job securing its mail program, Smith said, pointing to the latest security patch for Outlook 2002 that eliminates most of the popular vectors for computer viruses. Microsoft representatives were not immediately available for comment.
But Smith said the company needs to do more to fully secure the program, especially around e-mail that includes HTML (Hypertext Markup Language), a collection of formatting commands used to create Web pages. He pointed to a drop-off in the prevalence of macro viruses following a security fix to Word 2000 that required macros to have a valid digital signature before running them.
"So you can see, technical fixes do help," Smith said.
Among the issues Smith called critical is the ability for an e-mail that includes a special HTML tag, known as an IFRAME, to run an attached program. That weakness could be used by a virus to spread to computers through Outlook.
Other HTML problems included the ability to run JavaScript--a programming script that can be used to create interactive documents--in e-mails and the ability to read and set cookies via such e-mail. Cookies are small data files written to your hard drive by some messages when you view them.
Smith's final beef, however, is that Microsoft sometimes goes too far in warning users of potential security hazards in fairly benign situations. When someone attempts to send a link to a friend through Outlook, the program will warn that the file could potentially be dangerous.
"It is sort of like crying wolf," Smith said. "It's hard enough to understand all this...without adding confusing alerts."