Re: Hotmail not scanned?

From: x y (jamescagney90210@excite.com)
Date: 07/15/02


From: "x y" <jamescagney90210@excite.com>
Date: Mon, 15 Jul 2002 08:40:14 -0400


"Nick FitzGerald" <nick@virus-l.demon.co.uk> wrote in message
news:3d30b318@clear.net.nz...
> "Ken Blake" <kblake@this.is.an.invalid.domain.com> wrote:
>
> > I completely disagree. I use both Outlook and Outlook Express
> > here. I've used them both for years, and *never* gotten a virus.
> > I know many others who can say the same thing.

> You clearly have no grip whatsoever about what you are talking about.

> And, as you are an IE/Outlook/OE user I sure hope you've been keeping
> up with your security reading and finally decided to disable ActiveX
> in the Internet security zone as yet another fundamental design error
> in the handling of security zones as regards scripting of ActiveX was
> announced the other day. Microsoft does not have a patch out yet, and
> as scripting and ActiveX are the source of all but about two of all
> the really bad IE security holes ever, it is now clearly irresponsible
> to use the product with either feature enabled. Of course, that will
> break millions of exceptionally crappily "designed" (I hesitate to use
> the term here, other than in its most sarcastic of connotations) web
> sites, but such is the almost inevitable price of trying to glue "user
> interface" functionality onto a protocol that was never designed for
> such an application in the first place and is, rather predictably as a
> result (especially after Microsoft became involved), entirely unsuited
> to the task.

I disagree. You're technically right that malicious code could
theoretically slip onto an Outlook Express machine with only antivirus and
common sense for a defense. BUT, ActiveX exploits remain a largely
theoretical risk, and ActiveX exploit code that is not detected by an
antivirus program is even more remote. Comparing it to driving a Pinto is
not a fair comparison. Not everyone needs to agree with you that they must
enable a setting that breaks millions of web sites for all their corporate
users in order to eliminate an issue that is rarely seen in the wild. There
is no one correct solution for security; it depends on how you want to
balance convenience, functionality and security.


