Q: What do UF students and FSU students have in common?
A: They were both accepted to FSU.
What have I been up to? Let’s see:
- Played D&D with Theresa and James on Saturday
- Took my first digital logic exam Tuesday night
- Read Mostly Harmless
- Wrote a manual for “Building an Effective Anti-Spam Solution” [PDF] for Speaking and Writing for Engineers. It doesn’t follow their guidelines very well, but I think it’s much better my way. Considering my way is now becoming a documentation standard at my company, hey…
- Reading Applied Cryptography
- Started putting together needed stuff to do off-my-head Dungeon Mastering for D&D
Yeah. Anyway, mostly I’ve just been doing homework and studying. I want to have as little stress Sunday evening and Monday morning as possible.
I also posted a very silencing sort of message to the Student Honors Organization mailing list this morning on the subject of Outlook and Outlook Express, and malicious e-mails. You might find it informative and amusing… so I’ll close with a copy of it:
On Wed, 2004-02-25 at 01:15, Karolina Ocipka wrote:
Rik, The only thing that I found in outlook was,
that it downloads the messages automatically into the preview pane. To turn
this off, go to Tools/Options choose the Read pane and then uncheck the
"Automatically download messages when viewing in the Preview Pane".
That should prevent any kind of unwanted downloading of messages, other than
that I don’t believe outlook opens attachments on its own. Hope that helps,
Outlook seems to have an unending list of security vulnerabilities that allow attachments to automatically, without any user intervention other than "previewing" or "viewing" a message, execute arbitrary (read: possibly malicious) code. As each one is identified, it’s slowly fixed.
As for some proof behind my claims that Outlook and Outlook Express are bug-ridden security nightmares that are constantly finding new ways to execute malicious code without your consent, please refer to the following helpful table that I just put together, complete with hyper-links to Security Focus entries.
Please note, this is in no way a comprehensive list. I’m not dedicated enough to go and find a comprehensive one. This list contains all known vulnerabilities that have not yet been completely fixed. If it’s on this list, it’s still exploitable.
Note that Outlook Express and Outlook are also vulnerable to most (not all, but most) Internet Explorer vulnerabilities, due to their close integration. I did not include any Internet Explorer vulnerabilities in this list. It would have doubled in size.
Some non-factual opinions and suggestions for *MUCH* better, free email clients follow the table.
My opinion that is not backed up by a long list of evidence: Outlook and Outlook Express are easily the World’s Worst (Graphical) Email Clients. Sure, they look pretty and do some nifty things. I’ve used Ximian Evolution for two years now, and it has every feature Outlook has, yet its track record for security is sterling, with fixes being posted within hours of a possible problem being identified. There are only a couple of vulnerabilities out there for Evolution, and all of them are for versions more than a year old. Did I mention that Evolution is free software?
http://ximian.com/products/evolution/
Another wonderful mail client is Mozilla Thunderbird. It has built-in Bayesian spam filtering (and is VERY good after a week of learning), is slick, secure and fast. With the Enigmail extension it has full integration with GnuPG for cryptographically secure email. And on top of that, it works perfectly on Windows.
More info: http://www.mozilla.org/thunderbird/
With excellent commercial-grade free software like Mozilla Thunderbird available on the Internet for no cost, it always bewilders me how people suffer with expensive and sub-standard programs like Outlook Express and even, to an extent, Outlook.
Even if you believe I’m a crackpot, just check out Thunderbird. It’s probably better than what you’re using, and it won’t automatically mail the next virus to everyone on your address book for the sake of being friendly.
My apologies that this email is in HTML format; it was needed for the pretty hyper-links in the above table. I’m always more than happy to chat about computer security. If anyone’s interested, feel free to give me an email off the listserv at the above address.
Cheers,
– James ‘J.C.’ Jones
"No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced."
- Anonymous
PS: Does it annoy anyone else that this listserv rejects messages that have a GPG/PGP digital signature? RAR!