Two researchers at the US Air Force Academy computer science
department have published a paper that is sharply critical of
security measures implemented in a patch for Microsoft's Outlook
2000 e-mail client, issued after last year's ILOVEYOU virus attack,
saying the patch does not adequately protect users.
The paper, entitled "Reinforcing dialog-based security", was
written by Martin Carlisle and Scott Studer and will be presented
at the IEEE (Institute of Electrical and Electronics Engineers)
Systems, Man and Cybernetics Information Assurance Workshop in West
Point, New York on 5 June.
The patch in question, Outlook 2000 SR-1 E-mail Security Update,
adds three functions to Outlook 2000: e-mail attachment security,
which blocks certain types of attachments from being run within
Outlook; the object model guard, which prompts users with a
dialogue box when an external program attempts to access the
Outlook Address Book or send e-mail; and heightened Outlook default
security settings, which change the default Internet security zone
setting in Outlook to "restricted sites" and disable active
scripting.
However, many users have not installed the patch because they don't
want to block the downloading of certain attachments, leaving them
wide open to attack. Even when the patch is installed, the e-mail
attachment security feature can be circumvented easily by code in
an attachment that exploits one of the frequently discovered buffer
overflow errors, such as the vCard handler overflow, the paper
said. vCard is a standard for electronic business cards, which are
commonly attached to e-mails.
"The attacker could cause the mail client to run code of their
choice on the user's machine (by exploiting the vCard handler
overflow). Such code could take any desired action, limited only by
the permissions of the recipient on the machine," Microsoft
officials said in a security bulletin.
"There is no means by which a vCard could be made to open
automatically, so the attacker would need to entice the recipient
into opening the mail, then opening the vCard," said the bulletin.
"As always, best practices recommend against opening untrusted
e-mail attachments."
The researchers noted that social engineering tactics, whereby
users are enticed into opening an attachment that cannot be run
automatically, played a key role in the ability of ILOVEYOU and
other virus-worm hybrids to spread rapidly. Social engineering
tactics and the patch's vulnerability to buffer overflow errors
leave users dependent upon the object model guard to protect
against the spread of these viruses via e-mail, the paper said,
adding that the object model guard can itself be easily
thwarted.
Microsoft officials, as quoted in the paper, said that an attacker
seeking to circumvent the object model guard would have to place a
compiled executable file on a user's computer, adding that were
this to happen, bypassing dialogue boxes would be the least of a
user's concerns. The researchers disputed that argument in their
paper, saying that the dialogue boxes could be bypassed using a
script embedded in an attachment, and published an example of a
Visual Basic script that could do just that in order to prove their
point.
In addition, scripts that exploit vulnerabilities in Outlook can be
easily written by modifying code fragments copied from Microsoft's
own Web site, the paper said.
To protect against these vulnerabilities, the object model guard in
the patch must be reinforced, the paper said.
"Unfortunately, given current limitations of the Windows operating
system, this turns out to be similar to trying to secure a parked
car at the airport - while you can make it harder to break in by
locking it, using a steering wheel lock, etc., you can never make
your car totally secure," the paper said.
Visit the US Air Force Academy Department of Computer Science at
http://www.usafa.af.mil/dfcs/.