Re: Office XP SP3 breaks 3rd-party junk email filter

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 03/12/04

  • Next message: NGSSoftware Insight Security Research: "With regards to the Adobe Acrobat Reader advisory (#NISR03022004)"
    Date:         Thu, 11 Mar 2004 20:53:36 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    I'm not convinced that Outlook 2002 SP3 actually created any new problems wrt the Object Model Guard. It may have, but as far as I can tell there's nothing new there that hasn't been around since Outlook 2002 was first released.

    On June 9th, 2000, Microsoft released the Outlook Email Security Update. This functionality was subsequently built into the Gold versions of both Outlook 2002/XP and Outlook 2003. Full details of its features can be found in the following document at the section titled "Outlook Security Enhancements";

    http://www.microsoft.com/technet/prodtechnol/office/officexp/maintain/xpsec.mspx

    Among them is the Object Model Guard. Details about what the OMG does can be found in the following document at the section titled "About the Outlook Object Model Guard";

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnout2k2/html/odc_olsecurityovw.asp

    There you will also find recommendations from MS about how to perform tasks that were previously possible, such as accessing email addresses or programmatically sending email.

    Boils down to this;

    - You must use an Exchange Server with Outlook. In such an environment you can disable any of the Outlook Security features by user.

    or

    - The Add-in must use Extended MAPI. Some functionality can be achieved by using CDOSYS, but not nearly what can be done with Extended MAPI.

    Some Add-ins have been modified, others haven't. Those that haven't, won't work with Outlook once the Email Security Update is in place (and if it was added, it cannot be removed.) Plain and simple, all you can do is contact your Vendor and ask what their solution is. As we've seen, some choose to make you work around it, others build to accommodate it.

    If anyone's wondering if these security features have had an impact, consider what you're seeing these days in terms of email-borne attacks. Firstly, they've all shifted to searching your file system for addresses, so we get distribution to unknown or people you may have never emailed instead of being sent to your address book, or an Exchange Server's Global Address List. While its annoying, its better than spreading viruses to your friends and business partners, IMO.

    Secondly, they have to supply the SMTP code. The advantage to us is that our mail servers aren't bogged down by our own desktops any more. Further, if we block outbound SMTP access at our borders we can prevent one of our infected systems from infecting anyone else, plus, we're able to identify infected hosts fairly easily.

    I see both of these results, directly due to the Email Security Update, a definite benefit to the business world. Granted, doesn't have much effect on the home user, but then they aren't typically using Outlook anyway (they're using Outlook Express, or some other MUI.)

    Anyway, there's a ton of articles on the MS KB and MSDN related to this topic:

    Microsoft Outlook Security Center
    http://www.microsoft.com/technet/security/prodtech/outlook/default.mspx

    OL2002: Developer Information About E-Mail Security Features
    http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q290500

    Microsoft Outlook 2002 Developer Security Overview
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnout2k2/html/odc_olsecurityovw.asp

    For those of you who are in an Exchange Server environment:

    Customizing the Outlook Security Features Administrative Package
    http://www.microsoft.com/office/ork/xp/four/outg03.htm

    Using the COM Add-in Shim to Trust Outlook 2002 Add-ins Built with Visual Studio .NET
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnout2k2/html/odc_outlookcomshim.asp

    As well as a general page about the Outlook Email Security Update for Outlook 98/2000 and 2002:

    Security Features for Outlook 2002 and Previous Versions
    http://www.microsoft.com/office/previous/outlook/2002security.asp

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    -----
    NTBugtraq Editor's Note:

    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you''ll have to copy their email address out of the message and place it in your TO: field.
    -----


  • Next message: NGSSoftware Insight Security Research: "With regards to the Adobe Acrobat Reader advisory (#NISR03022004)"

    Relevant Pages

    • Re: Allow advance Control for Attachment blocking
      ... For more information on the security features, ... Teach Yourself Outlook 2003 in 24 Hours ... > the end user should be allowed to decide to download a blocked attachment ... this unconditional no user intervention Attachment blocking is ...
      (microsoft.public.outlook.installation)
    • Re: Outlook Blocked Access to the following potentially unsafe attachm
      ... For more information on the security features, ... Teach Yourself Outlook 2003 in 24 Hours ... Google and Other Search Engines (Visual QuickStart Guide) ... Join OneNote Tips mailing list: http://www.onenote-tips.net/ ...
      (microsoft.public.outlook.installation)
    • Re: How do I access a Web Share
      ... For more information on the security features, ... Teach Yourself Outlook 2003 in 24 Hours ... Google and Other Search Engines (Visual QuickStart Guide) ... Join OneNote Tips mailing list: http://www.onenote-tips.net/ ...
      (microsoft.public.outlook)
    • Re: Outlook XP attachments
      ... For more information on the security features, ... Teach Yourself Outlook 2003 in 24 Hours ... Google and Other Search Engines (Visual QuickStart Guide) ... > How do I configure Outrlook XP to allow me to view email attachments from ...
      (microsoft.public.outlook.installation)
    • Re: Add Contact to a message being composed
      ... this is the outlook email security feature to prevent ... Note Because of the Outlook E-Mail Security Update, ... see Security Features for Outlook 2002 and Previous ...
      (microsoft.public.dotnet.languages.vb)