News

Air Force Paper Details Vulnerabilities in Patched Outlook

• By Scott Bekker
• May 15, 2001

According to a paper by Air Force Academy faculty members Scott Studer and Martin Carlisle, even systems protected by Microsoft's restrictive post-SR-1 patch remain vulnerable to exploitation by savvy programmers and ever more sophisticated viruses.

The paper, entitled "Reinforcing Dialogue-Based Security" and prepared for presentation at the IEEE's Systems, Man and Cybernetics Information Assurance Workshop, identifies a variety of residual problems in the Outlook security model and suggests several possible workarounds that can make Outlook systems more secure.

The post-SR-1 patch ups the ante with regard to protecting Outlook 2000 systems. For starters, it implements a draconian policy that prevents users from double-clicking and executing potentially invidious application attachments, including programs with .VBS, .INF, .EXE and .URL extensions (among others). Whenever they open e-mail messages that contain attachments of this type, Outlook 2000 users are presented with a warning which alerts them that "Outlook blocked access to the following potentially unsafe attachments."

Unfortunately, the post-SR-1 patch has also frustrated administrators, many of whom have fielded calls at one time or another from frustrated users complaining about their lack of access to important attachments.

"The most frustrating thing about it is that there's no way to recover [an attachment] once it's suppressed by Outlook, which seems slightly fascistic to me," laments Christopher DeMarco, a network and systems administrator with IT outsourcing company Taos in Santa Clara, Calif. "On the other hand, if someone sends you an attachment in a .ZIP [compressed format] file, you can still receive it and open it, even if it is a virus!"

In many cases, DeMarco suggests, the post-SR-1 patch probably won't even be applied by users who don't want their e-mail attachments suppressed - or by IT departments that are wary of a potential revolt from outraged users.

"For every virus or non-work-related attachment that you intercept, there's bound to be some work-related stuff that's suppressed," he notes.

And as Studer and Carlisle point out, the post-SR-1 patch's attachment security feature can be circumvented by means of a variety of well-known attacks that target supported application types, such as the "vCard" handler overflow. vCards define a standard format for so-called "virtual business cards" and are often attached to e-mail messages. vCards are not suppressed by the SR-2 patch.

The post-SR-1 patch also implemented the so-called "Object Model Guard" (OMG), a new dialogue-based security feature that prompts a user whenever a third-party program attempts to access his or her Outlook Address Book. ILOVEYOU and many of its variants work by mailing copies of themselves to all of the recipients in a user's Outlook Address Book.

The problem with the OMG approach, Studer and Carlisle suggest, is that it relies entirely upon the discretion of the user, who (more often than not) will reflexively click "Yes" when presented with a dialogue box of this sort. More likely, virus programmers can develop stealth applications (or write scripts) that "hide" the Outlook dialogue boxes in the background and also fool OMG by answering them, as well.

Studer and Carlisle suggest several workarounds to such problems in their paper, including an "Always on Top" display characteristic for the OMG's dialogue boxes; a (random) authorization key combination that changes with each OMG pop-up dialogue; and a "Hostile Activity Mode" in which Outlook recognizes that it's under attack. Unfortunately, each of their suggestions will most likely have to be incorporated into the Outlook code by Microsoft itself. -- Stephen Swoyer

The full text of Studer's and Carlisle's paper is available here.