Two researchers at the U.S. Air Force Academy Computer Science Department have published a paper that is sharply critical of security measures implemented in a patch for Microsoft Corp.'s Outlook 2000 e-mail client, issued in the aftermath of the ILOVEYOU virus attack last year, saying the patch does not adequately protect users.
The paper, entitled "Reinforcing dialog-based security," was written by Martin Carlisle and Scott Studer and will be presented at the IEEE (Institute of Electrical and Electronics Engineers) Systems, Man and Cybernetics Information Assurance Workshop in West Point, New York on June 5. The two-day event, which will be held June 5 to 6, is sponsored by the U.S. National Security Agency.
The patch in question, Outlook 2000 SR-1 E-mail Security Update, adds three functions to Outlook 2000: e-mail attachment security, which blocks certain types of attachments from being run within Outlook; the object model guard, which prompts users with a dialogue box when an external program attempts to access the Outlook Address Book or send e-mail; and heightened Outlook default security settings, which change the default Internet security zone setting in Outlook to "restricted sites" and disable active scripting.
However, because the patch includes the e-mail attachment security feature, many users who do not want certain attachments blocked from download have not installed it, leaving them vulnerable to attack, the paper said. Even when the patch is installed, the e-mail attachment security feature can be easily circumvented by an attachment that executes code by exploiting frequently discovered buffer overflow errors, such as the vCard handler overflow, the paper said. vCard is a standard for electronic business cards, which are commonly attached to e-mails.
"The attacker could cause the mail client to run code of her choice on the user's machine (by exploiting the vCard handler overflow). Such code could take any desired action, limited only by the permissions of the recipient on the machine," Microsoft officials said in a security bulletin.
"There is no means by which a vCard could be made to open automatically, so the attacker would need to entice the recipient into opening the mail, then opening the vCard," said the bulletin. "As always, best practices recommend against opening untrusted e-mail attachments."
Yet, when it comes to security, best practices are frequently not implemented by end users in the real world. The U.S. Air Force Academy researchers noted that social engineering tactics, whereby users are enticed into opening an attachment that cannot be run automatically, played a key role in the ability of ILOVEYOU and other virus-worm hybrids to spread rapidly. Social engineering tactics and the patch's vulnerability to buffer overflow errors therefore leave users dependent upon the object model guard to protect against the spread of these viruses via e-mail, the paper said, adding that the object model guard can itself be easily thwarted.
In a response from Microsoft quoted in the paper, officials from the Redmond, Washington-based software giant said an attacker seeking to circumvent the object model would have to place a compiled executable file on a user's computer, adding that were this to happen, bypassing dialogue boxes would be the least of a user's concerns. The researchers disputed that argument in their paper, saying that the dialogue boxes could be bypassed using a script embedded in an attachment, and, to prove their point, published an example of a Visual Basic script that could do just that. In addition, scripts that exploit vulnerabilities in Outlook can be easily written by modifying code fragments copied from Microsoft's own Web site, the paper said.
To protect against exploitation of these vulnerabilities, the object dialogue guard in the patch must be reinforced, the paper said.
"Unfortunately, given current limitations of the Windows operating system, this turns out to be similar to trying to secure a parked car at the airport -- while you can make it harder to break in by locking it, using a steering-wheel lock, etc., you can never make your car totally secure," the paper said.