Why is MS Outlook so vulnerable?

So there’s yet ANOTHER computer virus going around that screws up your computer through the good graces of Microsoft Outlook. This one is particularly charming in that it pretends to be a poll about the WTC bombing.

What makes that program so susceptible to viruses? Can MS fix it?

Why do so many people use Outlook if this is such a problem? I won’t touch it myself…

Hmm. It’s open to virii because it allows messages formatted as HTML, and allows executable attachments. Since it’s also the most popular email program (maybe besides the AOL email package), it tends to get hit a lot. It wouldn’t make sense to send a virus out to hit GroupWise users, for example, since there aren’t that many.

Why is it so popular? Because it installs with Internet Explorer (at least the Outlook Express version), or Microsoft Office. Since those are the two most popular software packages in their fields, it gets out there. It also comes preinstalled on most new computers. People have a tendency to run what comes with the system, instead of installing their own software. So, Outlook is popular, and it gets hit with a lot of virii.

Also, because it is such a popular program, many of the virii (viruses?) are written specifically for MS Outlook. If another program (Eudora, Netscape Messenger) was as popular, people would write virii that affected those programs, and not MS Outlook.

I think Tattva is on to something. When is the last time you heard of a big Mac virus going around?

MS Outlook appears to be vulnerable to a lot of viruses simply because a lot of viruses are written that exploit flaws in the software. Its popularity as an email program/organizer application likely has a great deal to do with this.

That said, Outlook (and to a large extent most major MS applications) suffers from a design weakness. The whole philosophy of Microsoft products in general is that they should be easy to use and require as little technical knowledge as possible on the part of the user. While this is a noble goal, in the end, a lot of the inner workings are hidden from the user, which turns out to be a very bad thing.

In the case of MS Outlook, the software, upon noticing an incoming attachment, will try to determine what program to use in order to open the attachment automatically. The idea here is to spare the user the trouble of having to understand issues like various types of file formats, how to manipulate the attachment in question so as to best utilize its contents, etc… The software makes a “best guess” about what to do with the incoming email attachment based on information it has regarding the various file formats of which it’s aware and the corresponding applications that should work with those file formats. Outlook, in some cases, then tries to open the file so that the user is not required to figure out the technical details himself. Great, in theory, except the program never bothers to ask, “Should the attachment be opened/utilized/executed at this time?”; it assumes that if the user received the attachment in an email, he’d of course want to open that email attachment. So Outlook automatically opens certain attachments/bits of executable code, and the virus propagation begins.

While not specifically an MS Outlook design flaw, another silly thing that Microsoft Windows in general likes to do is hide the file extension by default (the part of the filename following the period). The file extension is the way Windows determines how the file should be handled (whether it should be executed, opened through another application, etc…). The idea in this case is to hide the file extension so that the user won’t accidentally modify the extension and cause the file to open improperly. If the user really needs to determine what type of file it is, the thinking goes that he can look at the icon next to the filename (the modified listing that’s missing the extension) and from that, determine what type of file it is. Again, great idea in principle, poor idea in practice. What virus writers will do to exploit this is email the attachment as something like README.TXT.EXE, an executable file containing the virus code. However, on your screen, it will show up as README.TXT, a simple text file. Thinking that plain text files are safe to open (they usually are), you go ahead and open it, and suddenly, you’re infected with a virus.

Can these design flaws be fixed? Sure they can: require a bit more effort and knowledge on the part of the user in order to operate the system at hand. Stop designing the software to assume it can figure out things on its own and have it wait for the user to make a few decisions regarding what to do next. And for goodness’ sake, stop trying to shield the user from the way the system actually works. But these modifications, in Microsoft’s eyes, would likely constitute a decrease in the “ease of usage” that Microsoft likes to build into their products and brag about, so don’t expect these types of changes to appear any time soon.

Why is it used so much? It comes packaged with Microsoft Office and it acts as a decent client when accessing Microsoft Exchange email servers.

Not much I can add that hasn’t already been said, but I like to restate things. :stuck_out_tongue:

It’s popular verging on ubiquitous (therefore targeted); over-integrated with damn near everything instead of just being a bloody email program (therefore VB scripts, Word macros, Excel macros, evil Java, and god knows what else will execute rather than merely prompt the user to download); and the company that makes it has done little to plug up the security risks so the Outlook viruses keep coming and keep on working.

You’d THINK the latter factor would have a counteractive effect on the first factor–that after the first year of these things, no one would be caught dead running Outlook on a Windows PC–but like people who come back and rebuild at the base of the volcano or on the flood plains of the river, people just keep on using it.

I think Tattva is on to something. When is the last time you heard of a big Mac virus going around?

We had a pair of Mac virii in…uh, 1998. The evil AutoStart worm and a trojan disguising itself as a Graphics Accelerator.

Anyway, your point is well taken. If it weren’t for Code Red, you’d be hard put to recall a virus that wasn’t explicitly an Outlook for Windows virus, although SirCam knew how to spread in other ways as well.

I have reasons aside from virus-fear for not using a PC and for not using Outlook. But if that were not so, I’d either use Outlook on a Mac if I needed Outlook; or I’d run Eudora under Windows if I needed Windows. (If I was working under some schmuck that insisted that we all use Outlook and all use PCs, I’d set up one PC to read incoming email but strip it of all sending capabilities, and use that box for nothing but reading incoming email; and I’d use my main PC to send outgoing email and everything else).

Caldazar: Excellent answer. Thanks for taking the time.

::shudders::

I work at one of the largest public libraries in the country… currently, most of our systems run on AS/400 and we have some sort of web/email servers stuck to it with what I assume is duct tape. All machines run Netscape 4.7x, but most of the emailing is still done through AS/400.

We’re currently converting our catalog from our 14 year old custom system to DRA, and at some time in the near future everything will be handled through NT servers. Everybody will get Wyse ThinClient terminals rather than our current PCs and AS/400 dummy terminals, running IE and Outlook.

AS/400 may be an arcane sumbitch to learn, but the prospect of 1200 inexperienced employees suddenly thrust into the teeming jungle of WinViruses makes me verrry nervous. All because Administration wants everything delivered to them in a nice single package.

I’m scared. Hold me.

The Mac OS is (generally speaking) more secure than Windows, in large part because a lot of the poor decisions in Microsoft’s products (default disabling of security features, system-wide scripting that’s allowed to delete critical files) aren’t on the Mac. For instance, trying to trash a critical System file while the user is using the computer is almost impossible, and will usually result in a suspicious error message instead.

When the Mac community gets a virus, it’s big news, just for the sheer novelty of it. Saying “Windows gets more viruses because it’s more popular” is just a lazy man’s way to gloss over the major security holes in Microsoft’s stuff. With proper system design and a good permission scheme, any OS can be secure from most home-brewed viruses.

Groupwise admin chiming in…

We can get viruses through e-mail, but they don’t auto-mail out copies of themselves. They can, however, still infect hard drives and servers, and be sent manually through infected documents. We’re far enough along in the progression of time zones that we can download the updated pattern files and catch it before more than a couple of workstations are affected.
The problem we’re having is we need an upgrade Real Soon Now, and there is a push from Marketing to convert to Outlook.

:shudders:
Fellow techies, pray for me…

It’s interesting to note that most viruses actually making the rounds which are cited as “Outlook Viruses” aren’t actually Outlook-specific at all: SirCam, Magistr, Hybris, BadTrans, MTX, Nimda, Happy99, etc. Maybe users think they’re immune to these viruses because they’re not using Outlook.

Outlook is not designed to run potentially dangerous attachments on its own. There were some security holes which allowed this to happen, but they were accidental and patches were quickly released to plug the holes. To get infected with a virus like LoveLetter or AnnaKournikova the user has to click on the attachment (the real extension is not hidden at this point if there is a double extension), then they get a choice of opening it or saving to disk (viruses are specifically mentioned at this point). If they choose to open the file, the file is saved to a temporary directory, and passed to the operating system, which decides how to open it. The operating system then treats it like you double-clicked a file on your local hard disk, because it is a file on your local hard disk. Attachment-wise, Outlook has no special integration with Word documents, Excel workbooks, VBScript files, EXE files, etc.

Outlook is popular with malicious code because it allows external programs to access its address books, and create and send e-mail, with just a few lines of code. Securing Outlook is not so simple as making accessing the address book harder. When Microsoft released the Outlook E-mail Security Update that made Outlook prompt before external programs could access the address book, authors and users of programs that accessed the address book (like programs that synchronized between Outlook and a PDA) screamed bloody murder.

The Outlook E-mail Security Update also makes it impossible to open certain types of files. Before the patch, there was a warning and people were still getting infected, so to Microsoft, the next logical step was to make it impossible to open certain kinds of attachments. Again people screamed bloody murder.

Another thing the Outlook E-mail Security Update did was disable embedded scripts. Scripts embedded in e-mail messages are different from scripts in attachments. Scripts embedded in messages are not supposed to be allowed to do anything dangerous. There were some holes in this model and patches were released, but most users haven’t installed them. I totally agree with turning off scripts in the Restricted Sites zone and setting e-mail to run in the Restricted Sites zone.

I actually feel more secure with Outlook than I would with any other e-mail client. I’ve turned off scripting, which is the source of most problems, and installed all the patches. I know that Outlook is under constant scrutiny, and has enough exposure that problems would become public knowledge quickly.

That’s not to say that I’m totally happy with Outlook. There’s no way to turn off the fancy HTML and MIME stuff. The Outlook E-mail Security Update is far too draconian. Without it, malicious extensions like .jpg.vbs get the same warning as .jpg.

rjung wrote

There are plenty of security holes in Microsoft. But that’s not why viruses exist overwhelmingly in MS products. Viruses are a product like any other, and their creators desire to attack (so to speak) as large a market as possible. MS’s overwhelming market dominance is the chief (almost exclusive) reason for their targeting by hackers.

If you ever have opportunity to meet hackers in person or virtually, you’ll discover that the subject of the Mac’s tight (according to you) security is just not being discussed. Mac just isn’t on their radar screen.

Although you’ll be happy to know that they do tend to be Anti-MS type folks, and I’m sure you could spend many a happy beer with them insulting Windows.

Caldazar wrote:

Just to re-iterate what cls said, this isn’t really the way it happens. Outlook was not designed to automatically execute any part of an attachment without the user specifically requesting that it do so. But there was a bug that would let some kinds of attachments do this. However, most of the viruses we’ve seen over the past year are propagated by users who explicitly execute an attachment. The recent Nimda virus is the exception, as I understand it.

In my company, one of the bigger startup problems we had with Outlook was that some users didn’t seem to understand the “reply to all” feature. Several times (as each area/country was brought up on Outlook), some idiot would send a message inappropriately to the whole company distribution list. Then the replies would start. You’d get a first round of many people replying to it, but “replying to all,” then a second round of people who reply to all with the message “Please don’t reply to all,” then a third and fourth round chastising those people about replying to all, but replying to all themselves. Our mail system was loaded down to a useless level several times.

Much of software development is focused on adding functionality. In contrast, security is focused on removing functionality, restricting what the user is allowed to do. Every application must balance these two, compromising one for the other.

Microsoft has done a very good job adding features and integrating their various applications. They have done it to make things easy for users, but many of these functions have inherently compromised security. MS software will get more secure when users let them know that security matters more than shiny new features, but that’s unlikely to happen because users just want it to work without compromise. As long as users continue to use software with demonstrable and repeated security problems, MS has no incentive to change.

Fair enough. Intended or not, though, that’s the way Outlook handled things. This was an especially large problem with the auto-preview functionality.

Regarding Nimda, yes and no. It wasn’t an Outlook exploit, but one of the methods of propagation (there were several) was through opening email attachments. Another way it propagated itself was by infecting web servers and embedding executable code into HTML pages on the server. When users visited the infected page with some unpatched versions of Internet Explorer, the code would automatically execute. Essentially the same idea as autoexecution under Outlook, just exploiting a different program. Like many of the more recent viruses, it did have its own mailing agent and did pull email addresses from Outlook address books.

This is one of the reasons Outlook virii are so troublesome. If the user foolishly opens unknown attachments, the virus is propagated to everyone in their address book. Yeah!! Great feature for script kiddies.

The best security measure is user education, but, well… hahahahahha. That hurt.

I work as a computer tech in an office that uses MS Exchange mail, so we run into these virii all the time. Many Outlook virii get filtered out in the Exchange server, so security features can be added without affecting the actual MS Outlook program.

In my previous post, I didn’t mean to imply that only MS virii are important, and Mac virii are unimportant. My point was there were features available in MS Outlook that make virus writing more pleasant. Heck, I remember the Merry Christmas virus from 6-7 years back that killed all my high school’s PowerBooks.

People have described it well: MS Outlook is especially vulnerable because it allows software to access the address book without the user’s knowledge. Newer versions let you know when this is happening; it’s useful when hotsyncing a PDA, so you can’t remove that functionality.

However, the most common e-mail virus in history – Sircam (see Message Labs) does not require Outlook to propagate, nor does Code Red.

Microsoft is the target because 1) they’re more common and 2) they work to make their programs interconnected, which leave security holes.

As other systems become popular, they’re going to be attacked. There was a Linux virus earlier this year – Lion – that was potentially more dangerous than any of the PC server viruses. (Contrary to what the penguins say, Linux is really no more secure than NT – SANS has a 40-page manual on securing NT, while their Linux manual is over 100 pages to shore up all the holes.)

There was also a Mac virus earlier this year (macsimpsons), which shows that Macs aren’t ignored. But if your goal – like most virus writers – is to spread the virus as far and as fast as possible, it makes sense to use the system that has the most users.

Bill H

I’m a Mac user of the no-compromise, “you’ll take away my Mac when you pry my one-button mouse from my cold dead fingers” tradition, but I agree with this. I could probably write a virus in AppleScript, paste a text icon onto it, and send it to another Mac user. We don’t even have (or need) extensions and who the heck checks for file type before opening an attachment?

I’m not saying there aren’t any intrinsic advantages to the MacOS when it comes to security and responsiveness to malicious code, but the main advantage is that it isn’t what everyone else is using.

I really don’t understand the rush to follow the pack, to use what everyone else is using. I don’t dress that way and I don’t use my computer that way either.

cls wrote:

How do you set up email to run in the restricted sites zone?

-open Internet Explorer
-choose the Tools menu
-choose Internet Options
-click the Security tab
-click the Restricted Sites icon
-click “Custom Level”
-scroll down to “Active Scripting” and set it to Disable or Prompt
-Click OK
-open Outlook
-choose the Tools menu
-choose Options
-click the Security Tab
-In the “Security Zones” section, choose the “Restricted Sites” zone