US Air Force blasts Outlook security patch

Two researchers at the US Air Force Academy computer science department have published a paper that is sharply critical of...

Two researchers at the US Air Force Academy computer science department have published a paper that is sharply critical of security measures implemented in a patch for Microsoft's Outlook 2000 e-mail client, issued after last year's ILOVEYOU virus attack, saying the patch does not adequately protect users.

The paper, entitled Reinforcing dialog-based security, was written by Martin Carlisle and Scott Studer and will be presented at the IEEE (Institute of Electrical and Electronics Engineers) Systems, Man and Cybernetics Information Assurance Workshop in West Point, New York on 5 June.

The patch in question, Outlook 2000 SR-1 E-mail Security Update, adds three functions to Outlook 2000: e-mail attachment security, which blocks certain types of attachments from being run within Outlook; the object model guard, which prompts users with a dialogue box when an external program attempts to access the Outlook Address Book or send e-mail; and heightened Outlook default security settings, which change the default Internet security zone settings in Outlook to "restricted sites" and disables active scripting.

However, many users have not installed the patch because they don't want to block the downloading of certain attachments, leaving them wide open to attack. Even when the patch is implemented, the e-mail attachment security feature can be circumvented easily, executing code from an attachment that exploits frequently discovered buffer overflow errors, such as the vCard handler overflow, the paper said. The vCard is a standard for electronic business cards that are commonly attached to e-mails.

"The attacker could cause the mail client to run code of their choice on the user's machine (by exploiting the vCard handler overflow). Such code could take any desired action, limited only by the permissions of the recipient on the machine," Microsoft officials said in a security bulletin.

"There is no means by which a vCard could be made to open automatically, so the attacker would need to entice the recipient into opening the mail, then opening the vCard," said the bulletin. "As always, best practices recommend against opening untrusted e-mail attachments."

The researchers noted that social engineering tactics, whereby users are enticed into opening an attachment that cannot be run automatically, played a key role in the ability of ILOVEYOU and other virus-worm hybrids to spread rapidly. Social engineering tactics and the patch's vulnerability to buffer overflow errors leave users dependent upon the object model guard to protect against the spread of these viruses via e-mail, the paper said, adding that the object model guard can itself be easily thwarted.

Microsoft officials said in the paper that an attacker seeking to circumvent the object model would have to place a compiled executable file on a user's computer, adding that were this to happen, bypassing dialogue boxes would be the least of a user's concerns. The researchers disputed that argument in their paper, saying that the dialogue boxes could be bypassed using a script embedded in an attachment and published an example of a Visual Basic script that could do just that in order to prove their point. In addition, scripts that exploit vulnerabilities in Outlook can be easily written by modifying code fragments copied from Microsoft's own Web site, the paper said.

To protect against the ability to exploit these vulnerabilities, the object dialogue guard in the patch must be reinforced, the paper said.

"Unfortunately, given current limitations of the Windows operating system, this turns out to be similar to trying to secure a parked car at the airport - while you can make it harder to break in by locking it, using a steering wheel lock, etc., you can never make your car totally secure," the paper said.

Visit US Air Force Academy Department of Computer Science at .

Read more on Operating systems software