Microsoft's Outlook Express 6 "E-mail attachment security" Flawed

Hi,

I was contacted by David McSpadden, a Network Administrator from the Indiana Members Credit Union who pointed out the following:

---------------------------
 
I was wondering if you could replicate something I have found.
I set up attachment blocking as per (Q291387) on my Windows 2000 Professional Sp2 workstation for testing.  Thinking we might implement this as policy on all of our workstations with Outlook Express 6.0.  It did correctly block the attachments of the extensions I specified.  However, if I simply try and forward the email the 'blocked' item appears and I can then save or open the attachment.  This creates a dilemma.  Why should I even try and stop the attachments if I can get to them anyway?
  
Please let me know if I am crazy or if I have found another hole in Outlook Express.
---------------------------

Well, I think he's right. I tested it on XP, set OE to block attachments.... that works... until you press FORWARD.... then you have full access...........

I contacted Microsoft (secure@microsoft.com) who wrote back with the attached email.

I have published an article on our Web site about this:

http://www.windows-help.net/microsoft/oe6-attach.html


Regards,

Arie Slob,
VP Information Systems
InfiniSource, Inc.
<arie@infinisource.com>


--- Begin Message ---

Dear Arie

 

Thank you for taking the time to email us.  The capability to forward an email with an attachment is a feature in Outlook Express that is by-design. As you mention, Outlook Express does allow the blocking of unsafe attachments.

 

It looks like Outlook Express successfully blocked the attachment in the Inbox for David McSpadden.

 

It is important for users to recognize that greyed-out attachments are not safe to be opened, and users should be deleting, not forwarding, an email with a greyed-out attachment.

 

Many thanks again for taking the time to email us.

 

secure@microsoft.com

 

 

 

-----Original Message-----
From: Arie Slob [mailto:arie@infinisource.com]
Sent: Tuesday, December 04, 2001 12:46 PM
To: Microsoft Security Response Center
Subject: Microsoft's Outlook Express 6 "E-mail attachment security" Flawed

 

Hi,

 

Although this isn't anything fancy, I thought you'd like to know.

 

OE6 allows for a setting on the Security tab (Tools > Options): "Do not allow attachments to be saved or opened that could potentially be a virus."

 

I have always argued that Microsoft should have this setting enabled as default, to reduce the number of worms spreading, due to the nature that most people just seem to open any and all attachments they receive, without giving it a second thought. 

 

But today I was contacted by David McSpadden, a Network Administrator from the Indiana Members Credit Union, who asked me for some advice on a problem he seemed to be having: When he tried to forward an e-mail with a "blocked" attachment, the attachment becomes available to be run or saved!

 

I tried the same on my install of Windows XP / OE6, and sure enough.....

 

 

Please note that I'm planning to release an article on our Web site, the concept can be found at

 

 

Regards,

 

Arie Slob,
VP Information Systems
InfiniSource, Inc.
<arie@infinisource.com>

--- End Message ---
