Why does Outlook have an OM?

re: Why does Outlook have an OM?

Charles Maxson — Sat, 17 Apr 2004 02:18:00 GMT

Here! Here!

You are bang on Peter! All these damn users out there parading around as their own Admin on their box propagate the problems, not a rich OM. Many people get it and have stopped opening attachments from people they don't know. Some still do... explains my vast collection of free Levitra samples. But we need rich programmablity else we will never get all the features we need.

Vote here for more not less!

re: Why does Outlook have an OM?

Alex Angelopoulos — Sat, 17 Apr 2004 02:30:00 GMT

> This one could be controversial ;-)

Only because it is also pointless since arguments against automation on these grounds are rarely well thought out. But I want to add some suppressing fire. =)

Let me be up front about pointing out that I am biased. Very biased. I do a lot of scripting, and see the lack of easy automation interfaces to every bit of Windows and Windows applications as a Bad Thing.

Nonetheless, this is not a COM thing or even a Windows thing. It is fundamental to the concept of computing: automation is inherently good. Potentially dangerous aspects of a computing systems are made safe not by driving them underground, but by providing effective safeguards. There are lots of ways of safeguarding things, but the simplest and most rational is a perimeter defense with some depth - e.g., AV software to catch actual malware in the act, and a firewall to detect attempts to break in or out.

Crude statistics from personal history here. I've helped about a dozen people with severe remailing virus problems in the last few months. One used Eudora, 2 used Outlook Express, and the rest used webmail of various kinds. What all had in common was:
+ Machine and network connections were "acting funny" (sometimes for months);
+ NO active and up-to-date antivirus application;
+ Did lots of surfing, online chatting, or instant messaging WITHOUT having a firewall in place.
All were fixed by installing an antivirus application and using it to clean the system. In several cases, activating a firewall initially also caught the backdoors involved before the AV software was installed.

The obvious lesson here: if you want to be secure, TRY to be secure. If you don't use antivirus software, you're sticking some stranger's dirty fork in your mouth; if you don't use a firewall, you're leaving all of your doors and windows unlocked. It doesn't even need to cost money; Trend Micro and McAfee have free online scanners, and a host of small commercial AV vendors make their packages free for personal use. Firewalls, the same: XP comes with one, and several others such as Zone Alarm have free versions.

Miscellaneous quick comments below. I almost shouldn't bother. ;)

> The obvious answer is that having an object model in Outlook makes all those mass-mailing viruses possible.
Oddly enough, arguing against an Outlook object model for this reason looks a LOT like "security through obscurity". And of course since so many non-Microsoft email clients use plain-text address books and email storage, they are even easier to parse.
Of course, if users have firewalls and antivirus software, they've reduced their attack surface and can stop a hypothetical application that does this, but it probably wouldn't be on their system anyway then, would it? ;)

> It scans files on your hard-disc to scavenge e-mail addresses, and then it uses a built-in SMTP mailer to send out the mails.
Note that some of these viruses don't even do that. It seems viruses that "phone home" or just sit and wait for someone to find them are the big thing now - and then they get an email list and run it repeatedly. They also use random combinations of common names and large domains to autogenerate "possible" email addresses.
A clever trick for users to stop these viruses cold: instead of uninstalling Outlook, try INSTALLING a firewall and an antivirus application.

> If you are running Lotus Notes or Pine or Eudora or Mozilla Mail or any other e-mail client and you execute a MyDoom-like virus program, you are in trouble.
This isn't true. If they have an effective antivirus program they'll stop it. And a firewall would catch the network activity.
Of course, if they don't have either one, it doesn't matter if they have NO email client. ;)

> What the kiddies can do is surf around on #hacker IRC channels, download pre-canned exploit code from hackers, double-click on the icon on their desktop, and then brag to all their other 1337 friends.
Common viruses, yes - and this probably makes up the bulk of the virus infection attempts out there. Oddly enough, these commonly "handed down" viruses and trojan horses are usually well-known to antivirus and firewall applications. But then, I repeat myself. ;)

re: Why does Outlook have an OM?

Bob Riemersma — Sat, 17 Apr 2004 02:51:00 GMT

I think the problem gets a little more complex than this.

As most of us do, I have to wear a number of hats. One of these hats is as a Windows developer. Sometimes a Mort looking out for my own needs, other times as a pro hacking on some custom middleware service I need to build to plug a group of web developers into some random legacy system.

The bane of my existence is Joe Admin. The guy who thinks it's just spiffy to lock everything down to where nobody else can get any work done.

I have to perform certain types of system management on a mainframe system from a distance, basically with boxing gloves on. No admin rights, no direct access to management tools, capacity monitoring software, or much of anything really. Instead they like to just crap out emails at me containing the "facts I need."

To survive I have a number VBA routines to harvest these oh-so-wonderful reports from my Outlook inbox. Then there is a set of scripts to post-process the stuff (I get inline text, RTF or PDF attachments, you name it), archive it, and parse out the useful data and load it into a Jet database. Then I have a few HTAs to pull selected data over selected time ranges out and create Excel sheets and charts or do other types of analysis - then fire these back out as emails to those who pay the bills (and want to know where their money is going).

What it comes down to is my hands are pretty tied already.

The LAST thing I need is Joe Admin coming around and locking down Outlook VBA, WSH, and HTAs on me. What next? Strip out the Excel and Word object models too? Lock down Task Scheduler?

We aren't all Minnie the Administrative Assistant out here. Give us poor folks trying to get work done a break too. Please??

I'm well aware of the exploit woes out there. Heck, I was the guy who had to embarrass our Joe Admins into looking at SUS after we got seriously Blastered one recent summer. ;-) Ahh, anonymous forums! How would we ever get these folks to toe the line without 'em?

re: It's not your father's Office (dev)

Philo's WebLog — Tue, 20 Apr 2004 19:34:00 GMT

re: Why does Outlook have an OM?

Chris Quirke — Fri, 23 Apr 2004 08:54:00 GMT

MS's own advice is; if the bad guy can run code, it's not your system anymore. So why do we want to transfer ownership to any unsolicied email message "text", "data" file, or web site we visit?

Outlook may not auto-run scripts in email message "text" anymore, but it's taken *years* for this clue to sink in since IE 4. Even post-Kak WinME shipped with OE running in email zone by duhfault.

As to "running with admin rights"; us standalone PC users already have a security model we understand. The "home" concept is "a physical location where safety can be assumed". Those with physical access have full rights; those with remote access have zero rights.

So why should we have to wear name tags while walking between rooms in our "home", just because our OS is designed to be a network client rather than a properly-frontiered stand-alone OS?

As it is, user accounts in XP Home are unfit for use until:

1) The base prototype account can be preset so that new accounts can inherit our choice of settings (shell folder locations off C: perhaps, less massive web cache allocations, show file extensions, kill eye candy, etc.)

2) Limited rights accounts retain settings; at present they re-duhfault to hide files/paths/.ext etc. making WYSIWYG risk assessment impossible

3) Admin can see and apply settings across all user accounts, e.g. when cleaning up commercial malware that's patched into each account

As it is, using anything other than "admin" not only tends to cause apps written for Win9x to fail, but also means having to lose the safety of more clueful settings. So before you start waving limited accounts around as a panacea, fix 'em so they work better, m'kay?

re: Why does Outlook have an OM?

Peter Torr — Fri, 23 Apr 2004 15:39:00 GMT

Chris,

Your home analogy is not complete. Do you randomly walk into any room in the house at any time -- for example, into the bathroom when you know someone else is taking a shower? Most likely not. People like to have privacy even in their own homes, and it is the same with a PC.

Would you want your kids (assuming you have them) rifling through your filing cabinet looking for financial information? Or leafing through your chequebook and writing cheques to themselves? If not, then why do you want them to be able to do the same things on your PC?

Also you don't tend to invite random strangers into your house, but computer users WANT to let random strangers into their computers (think of all those file-sharing networks).

Limited user accounts are <ahem> limited at the moment, but I believe you can achieve some of what you want by modifying the .DEFAULT user account in the registry (but that's probably not supported...).

I also don't have settings changing behind my back (and I am not an admin on my machine). Perhaps you are experiencing some other kind of problem?

Admins can of course see and apply settings across all user accounts -- that's the purpose of the Administrator!

re: Why does Outlook have an OM?

Karl Levinson, MS MVP, MCSE, CISSP — Fri, 23 Apr 2004 18:27:00 GMT

I don't see how you can argue that technologies like VBA and WSH don't present a very compelling attack surface, given the billions of dollars and system availability that have been lost combatting Office macro and .VBS viruses over the years. And now MSH is coming down the pipe.

XP SP 2 does *not* fix the problems with VBA and WSH viruses... precisely because it does not disable the technologies in question. As I understand it, SP2 adds the AES API to block attachments and integrates this with OE and Windows Explorer. Unless I'm mistaken, some of the features of AES may not protect users of other non-Microsoft software, email clients, P2P file sharing clients, etc.

You don't explain why it's a good security practice [dare I use billg's words, "secure by default"] to (1) leave these technologies enabled on, say, home computers, and (2) give the user absolutely no way to disable unwanted technology such as VBA despite numerous user requests. I'm not asking for Microsoft to get rid of VBA or WSH or MSH... just recognize that these are proven virus platforms, and that we should have an easy way to disable them if we want, or even consider the security benefits of making them disabled by default.

You state that disabling WSH and VBA would just "make you less vulnerable to the more "popular" attacks." To me, that's like saying "you shouldn't run a firewall, because you'll still be vulnerable to viruses." Yes, the virus authors would probably start using other attack vectors... at which point we would want to take steps to reduce the risk from THAT new vector. Also, making a truly secure by default computer does not mean secure yourself just from the most popular viruses. Even if few people are writing Word macro viruses nowadays, you're still at risk from a teenager from Iraq writing one up to get into your nation's infrastructure. Blaming the user here doesn't increase security much, not when it's a sure bet that at least 1 in every 100 users will execute an attachment, and you only need 1.

Nobody argued for disabling RPC in Windows because Microsoft programmed RPC into many other products that Microsoft Windows customers are also running. Besides, there's already a way to disable RPC/DCOM if you wish. There's no way to disable VBA. I've asked.

Did your company have to shut down its email server for the ILOVEYOU virus? We wouldn't have had an ILOVEYOU virus if Microsoft had simply changed the default action on .VBS and other files from Execute to Edit. Users and administrators could still run VBS / WSH files by right-clicking instead of double-clicking, or by using a command line or a batch file that explicitly specifies CSCRIPT as the host application. Can you give me a good reason why this still hasn't been done on the "secure by default" XP SP 2 and Windows Server 2003? Will you trudge out the old excuse that this would somehow "break functionality?"

Running as a non-administrator does not stop viruses. A non-admin user can still execute a virus and access the TCP/IP ports necessary to spread an RPC or email worm. My understanding is that Linux prevents non-admin access to certain TCP/IP ports, but Windows does not. A non-admin user can still save to the Word normal.dot and to his or her My Documents Startup folder. The main thing a non-admin user cannot do regarding viruses is edit the startup locations in the Registry in order to remain persistent on reboot. However, this is about as effective at preventing viruses as making the Normal.dot file read only -- based on my personal experience in a large financial environment across several states, it's not effective in preventing infection or re-infection at all.

Thanks for writing an interesting and thought provoking article. It's interesting to see the thought process from the other side.

re: Why does Outlook have an OM?

Peter Torr — Fri, 23 Apr 2004 20:32:00 GMT

Good comment; I will reply later in another post (hopefully this weekend when I have some time...)

VBA Take Two: Responding to some comments

Office Development, Security, Randomness... — Sun, 25 Apr 2004 02:38:00 GMT

What good is StrongNameIdentityPermission if you can disable it?

Office Development, Security, Randomness... — Mon, 26 Jul 2004 08:20:00 GMT