Outlook AutoPreview = Trustworthy Computing = F
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 01/03/04
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 2 Jan 2004 22:37:04 -0500 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Ok, so I know I harp on this over and over again, and its probably
getting fairly boring to hear me say, once again, that Microsoft's
Trustworthy Computing effort gets yet another "F". However, here's a
good example I stumbled across today that demonstrates why I believe
Microsoft just doesn't understand what Trustworthiness means.
I have long recommended that people who use Outlook disable the Preview
Pane. Granted, over the years, Microsoft has done a great job of
limiting what Preview Pane can do. There was a time when if you had it
enabled, and someone sent you a malicious email, it would invoke that
email even when you weren't present. That's less true today than it was
in the past...kudos Microsoft.
However, even today, I still recommend that people keep Preview Pane
disabled, despite the fact it is still the default for every new folder
for Outlook. Instead, I recommend that people use AutoPreview.
AutoPreview is really benign, nothing but plain text is shown, and only
3 lines of it. If you get an HTML-based email that has no text
representation (e.g. all scripting), AutoPreview shows you nothing,
nada, a great way of telling when an email is really worth deleting
(nothing in AutoPreview, no text in the HTML-based email, please delete
ASAP.)
Anyway, so today I'm looking at my logs from my Exchange server and I
notice a bunch of spam messages that have a whole bunch of "good" words
in the urn:schemas:httpmail:textdescription of the email. Obviously
they're trying to fool somebody's Bayesian filter. I look at the same
message in one of my Outlook folders, and sure enough, AutoPreview shows
me these "good" words. In my logs, however, I can see that the same
messages have elaborate urn:schemas:httpmail:htmldescription values.
Comparing the two shows me that nothing from the
urn:schemas:httpmail:textdescription is in the
urn:schemas:httpmail:htmldescription. I look at the message in my
folder, and then double-click it. Wow, am I surprised.
What I see in AutoPreview has nothing to do with what I see when I open
the message. Now I should point out that I have my Outlook configured to
ReadAsPlain, so there's a Microsoft conversion process being done to the
urn:schemas:httpmail:htmldescription prior to me seeing the message,
converting it to plain text.
I figure that AutoPreview is doing the same conversion, but nooooo....
AutoPreview is simply showing you whatever is in the
urn:schemas:httpmail:textdescription of the message. Since that doesn't
have to have anything to do with what's actually in the
urn:schemas:httpmail:htmldescription, spammers are filling in both
header components with completely different stuff.
The result, viewing an AutoPreview message doesn't necessarily tell you
anything about the message you're going to see when you actually open it
in Outlook.
What's interesting is that MS tells us the default for
AutoGenerateTextBody is true. This key is supposed to tell Outlook
whether the urn:schemas:httpmail:textdescription of an email is going to
be extracted by parsing the urn:schemas:httpmail:htmldescription and
removing HTML formatting. Despite it being the default, I've yet to see
any email arrive through an Exchange server where the value is set to
true. When its not true, the urn:schemas:httpmail:textdescription and
urn:schemas:httpmail:htmldescription are independent, and need not match
(or more accurately, have anything to do with each other.)
http://msdn.microsoft.com/library/en-us/wss/wss/_cdo_imessage_autogenera
tetextbody.asp says that this can happen by design.
I say this is yet another opportunity for spammers or people phishing to
lure people into obscuring what you're going to see.
I say AutoPreview should be a preview of what you will see when you open
the email. The simple fact that Outlook isn't going to show you what you
saw in AutoPreview when you open the message means, to me, that
Microsoft's idea of Trustworthiness is still skewed. See one thing in
AutoPreview, see something completely different opening the message,
yah! that will make me trust you.
I'm going to try modifying my BadURLs script for Exchange servers to set
AutoGenerateTextBody to True, regardless of how it arrives. For
99.999999% of emails you receive, this is what you expect to happen
anyway. Meanwhile, I've also added a component that loops through the
words in the urn:schemas:httpmail:textdescription and sees if they exist
in the urn:schemas:httpmail:htmldescription. If the majority don't, its
a spam message pure and simple.
Microsoft were informed prior to this posting.
Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor
p.s. I refer to elements here according to CDO specifications, not RFC
specifications, since they may or may not be present in environments
that aren't based on CDO/ADO.
-----
Editor's Note: The 43rd Most Powerful Person in Networking says...
Marcus Ranum's new book "The Myth of Homeland Security" is now out and is available from http://www.amazon.com/ranum In this hard-hitting review of the homeland security business, Ranum shows us how the problem is vastly harder than it's being made to sound, and how special interests, *** covering, and bureaucracy are threatening to derail any chance of making progress.
-----
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
