| Computer Gripes | documenting the down side of computer stuff |
Microsoft Outlook Virus
Outlook is both an email program and a PIM (Personal Information Manager)
Although this web page was originally created in 2000, the basic issue remains. You can be affected by a security problem without your doing anything - no need to run a program or click on a file attached to an email message.
New Bagle Worm Variant Can Run Without Launching Attachment
By Larry Seltzer in eWeek. March 18, 2004. Quoting: "A series of new variants of the prolific Bagle worm has raised alarms in the security community through an innovative infection mechanism: The e-mail message in which the variants arrive may have no file attachment, and it's possible for a user to become infected without having to launch one."
July 9, 2003. The story below is about a bug that allows a hacker to run a program of their choosing on your computer. This HTML related bug can be "used by hackers to spread the code either by sending an HTML e-mail or by creating a special Web page that triggers a download of the code."
"Critical" flaw found in Windows CNET News.com July 9, 2003.
The list of bugs with Outlook and Outlook Express is a virtual flood. Around July 20, 2000 or so, bugs came to light that can cause serious damage just by downloading an email message! Yikes. Let me be clear, you do not have to open the offending email message to be affected.
The Langa List newsletter describes three different bugs in the July 24, 2000 issue. The first bug (item 3 in the newsletter) is the one mentioned above. Quoting from the newsletter:
A component shared by Outlook and Outlook Express contains an unchecked buffer in the functionality that parses e-mail headers when downloading mail via either POP3 or IMAP4. By sending an e-mail that overruns the buffer, a malicious user could cause either of two effects to occur when the mail was downloaded from the server by an affected e-mail client:
The same issue of the newsletter discusses another Outlook Express bug, one that could allow someone to read your other email messages as you previewed them. The newsletter describes how to fix/upgrade Outlook, Outlook Express and IE.
July 20, 2000. eWeek Magazine (part of ZDnet) also describes this buffer overflow issue with message headers. The article says this problem "could give outsiders access to a remote computer". It also says that if the attacker is smart, you can't even tell that you have been victimized, but data could be stolen, files could be deleted, even a virus could be planted.
The Gartner Group also covered this story on July 19, 2000.
For the official word from Microsoft on this, click here.
By setting certain default options, Microsoft has created a virus-friendly environment. That is the theme of the stories below. The ILOVEYOU virus did not take advantage of bugs, instead it took advantage of choices Microsoft made, choices they still defend.
Robert X. Cringely said on August 2, 2001:
As events of the last several weeks have shown, Microsoft Windows, e-mail and the Internet create the perfect breeding ground for virus attacks. They don't even have to exploit Windows flaws to be effective. Any Visual BASIC programmer with a good understanding of how Windows works can write a virus.
Microsoft criticized for lack of software security CNET. May 5, 2000. Security experts said the quick spread of the Love Bug is a demonstration of Microsoft software working as designed - they chose added functionality over security. Microsoft's response is that there are options galore and anyone can configure their software as they please. Of course, most people don't understand the options and the debate is really about the default choices made by Microsoft.
Microsoft to Blame for 'Love Bug'? The Standard May 11, 2000. Security experts say automation features in Windows make it a potential breeding ground for viruses. This article quotes security experts Richard M. Smith, Bruce Schneier and Steven Bellovin. It discusses features of Microsoft software that all but invite hackers and makes the point that these features should be disabled by default. The point is made that Microsoft faces no liability for these viruses.
The above article references an article by James Gleick in Slate magazine called "Who's to blame for the ILOVEYOU virus? Who Else?". This article goes over the actions taken by the ILOVEYOU virus in detail and takes Microsoft to task for making these things so easy to do.
Walter Mossberg devoted his Mailbox column on May 18 to this topic (First click on the link for Column Archive, then click on Mossberg's Mailbox for May 18, 2000). He says the reason for viruses such as ILOVEYOU is that Microsoft has "stubbornly insisted" that Outlook and the entire Office suite of software be programmable. Mainstream users of Microsoft Office derive few benefits from this programmability, Mossberg claims, but Microsoft does not listen to mainstream users. Rather, they listen to "techies, developers and corporate computer departments" who love the programmability features. He suggests that Microsoft make programmability an extra option for those who want it rather than an integral part of the products. His gripe is that Microsoft won't do this. Prior to the publicity surrounding the ILOVEYOU virus, Mossberg says "...the company has taken only small and grudging steps to degrade the programmability in the name of security." The majority of the column is devoted to steps you can take to protect yourself.
The Wall Street Journal ran a story May 24, 2000 called Love Bug Prompts Security Experts to Poke at Microsoft's Weak Points by Lee Gomes. It says that security experts blame Microsoft for not moving fast enough to adapt to security threats in the Internet age. Many experts say the vulnerability of Outlook is evidence of fundamental flaws in many Microsoft products. Rather than bugs, the problem is a flawed approach to software design. Too many Microsoft products were designed for the long-gone world of the stand-alone PC. One example cited is the programming languages included with Microsoft's Windows products, which lack fences to prevent destructive programs from hurting a machine. Such fences are a standard feature in other computer languages intended for use on the Internet. Another example is Windows 98, which lacks security that experts say ought to be routine in such a major piece of software. The article also points out that Microsoft often ships software with settings at the least secure positions. The article mentions the flip-flop reaction of Microsoft to the ILOVEYOU virus. At first Microsoft executives defended the ability for email files to launch programs. Lately however, Microsoft says it is toying with removing this feature. Stories from the Journal are not available for free at their web site.
Gripes about the fix (aka patch, aka zap, aka PTF, aka Outlook Security Update)
Microsoft eventually relented to the bad publicity and will provide a fix for Outlook 98 and Outlook 2000. Of course, for a long time they maintained that there was nothing to fix. Indeed, the software was working as designed. Then it took a long time to release the fix (it was released around June 11th). The fix is only for Outlook 2000 and Outlook 98. Users of older versions of Outlook Express and older versions of Outlook are out of luck, at least for the time being (the article linked to here says nothing at all about Outlook Express).
Applying the fix is likely to be too difficult for non-technical users. It first requires applying another bunch of bug fixes for Office 2000 known as Service Release 1a or SR1a for short. It's not clear to me what the pre-req is for users of Outlook 98 which is not part of Office 2000. Also, articles from non-Microsoft sources have said that SR1 is required, so it's not clear to me whether you really need SR1a or if SR1 alone is good enough.
June 9, 2000 on the Windows Magazine web site, Dave Methvin said: This patch is a bit like trying to stop a nosebleed by putting a tourniquet around your neck. He points out that Microsoft could have easily overcome many of the problems in this update by allowing users more flexibility in choosing what features they wanted to install. In discussing the list of file types that Outlook bans Dave pointed out that Word and Excel files are allowed through despite the fact that viruses have come through these file types in the past.
June 12, 2000. On the Windows Magazine web site, Karen Kenworthy said: The updated Outlook doesn't know, or care, whether a file attached to an e-mail message is actually harmful. This makes it difficult for software companies and support personnel to distribute programs and patches. And it even blocks all sorts of animated "greeting card" attachments. Files attached to messages you've already received become inaccessible. The update's address book warning feature can cause problems for some Handheld PCs, Personal Digital Assistants and cell phones that include software that synchronizes their internal address book with the one maintained by Outlook. Finally she notes that you should be sure before applying this fix. To back it out, you must completely uninstall Outlook, and all accompanying Microsoft Office products, then re-install everything from the original CDs.
FYI: For more background information on the fix see the May 18th issue of the Langa List newsletter.
FYI: In response to this virus Windows Magazine has written a free program called WatchDog that you can download and install on your computer (Windows 95, 98, NT4, 2000). Quoting from their web site: "WatchDog will, with your consent, become the default program for Visual Basic Script (VBS) and other scripting files. When you launch one of these files, WatchDog will look it over and warn you of any possible security risks. You can then determine whether the program is supposed to be taking these actions and how to proceed."
FYI: An article at the Windows Magazine web site discusses Outlook Express vs. Outlook. Turns out that Outlook Express can not spread the ILOVEYOU virus.
FYI: The main Microsoft site for updates to the Office suite is officeupdate.microsoft.com
The ILOVEYOU virus unleashed on May 4, 2000 was bad enough. An even more serious problem is waiting in the wings. To be infected by the ILOVEYOU virus a person had to open/run a file attached to an email message. You may think that by not opening attachments you are safe from email based viruses. Not so.
Fix Up Outlook Mail Security
November 14, 1999. Windows Magazine. by Dave Methvin
There's a dangerous email worm called BubbleBoy that doesn't even require you to open an attachment for it to infect your system. If you have the message preview pane turned on in Outlook, then just clicking on a message in your inbox could trigger the thing. The danger applies to Outlook 98, Outlook 2000, and Outlook Express 5.0. Netscape Communicator is not at risk from these particular problems. The article includes instructions for configuring these three programs to make them safe. This involves preventing Outlook from automatically trying to run any scripting or ActiveX content that you receive in your mail.
Virus hoax illustrates Microsoft email security issues CNET. May 5, 2000. Summary: A security hole in Outlook and Outlook Express allows email to be loaded with a destructive program that could go as far as wiping a person's hard drive. Programs that take advantage of this would have no attachment and would give no indication that they were anything other than ordinary email. Microsoft has defended its decision to leave default settings open in the interests of convenience, noting that concerned people can change the security settings. No widespread virus attack has yet taken advantage of this hole.
The CNET story above linked to a Microsoft Knowledge Base article about changing security settings in Outlook 2000. It's not clear to me what the situation is with other versions/releases of Outlook and Outlook Express. This KB article says the problem is with HTML formatted e-mail messages, that embedded scripts may start without warning. Specifically, this is because Active Scripting is enabled in the Internet security zone. In one copy of Outlook 2000 that I checked, the security for the Internet Zone had defaulted to "Medium". Sure enough, Active Scripting was enabled with the "Medium" settings. It can be changed to either Disabled or Prompt, and the KB article says to use Disabled. It does not, however, discuss the implications of the Prompt option. The article also does not even mention the possibility of setting the Internet Zone to "High" security.
To change Active Scripting in Outlook 2000:
-From the menu bar select Tools, then "Options..."
-Select the Security tab
-Make sure the Zone is set to Internet, then click on the "Zone Settings..." button
-Outlook spits out a warning message that whatever you do next will also affect IE and Outlook Express
-Click on the OK button
-This opens a Security window that should be positioned on the Internet zone
-Click on the "Custom Level..." button
-This opens a Security Settings Window
-Scroll down to the Scripting Section (it's after the Miscellaneous section and before the User Authentication section)
-Active Scripting is the first clump in the Scripting Section. It will have radio buttons for Disable, Enable and Prompt
-Change it from Enabled to Disabled (Prompt may be okay too, I don't know)
-Clicking on three OK buttons should get you back to Outlook 2000
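The setting changed by the steps above can also be checked without the dialogs. The following PowerShell audit is an added example, not from the original page or from Microsoft; it reads the Active Scripting action for the Internet and Restricted sites zones from the Windows security-zone registry store. It assumes the standard zone layout (zone 3 is Internet, zone 4 is Restricted sites, value 1400 holds the Active Scripting action with 0 = Enable, 1 = Prompt, 3 = Disable) and a system with PowerShell; the function and variable names are illustrative.

```powershell
# Added example (not from the original page): audit the Active Scripting action
# that the "Custom Level..." dialog edits. Assumptions: zone 3 = Internet,
# zone 4 = Restricted sites, value name 1400 = Active scripting.
$Zones   = [ordered]@{ '3' = 'Internet'; '4' = 'Restricted sites' }
$Actions = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Policy keys are read as well as the per-user preference, because a policy
# value, where present, takes precedence over what the user picked in the dialog.
$Stores = [ordered]@{
    'Machine policy'  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'User policy'     = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    'User preference' = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
}

function Get-ActiveScriptingAudit {
    foreach ($store in $Stores.GetEnumerator()) {
        foreach ($zone in $Zones.GetEnumerator()) {
            $key   = Join-Path $store.Value $zone.Key
            $entry = Get-ItemProperty -Path $key -Name '1400' -ErrorAction SilentlyContinue
            $raw   = if ($entry) { $entry.'1400' } else { $null }

            if ($null -eq $raw) {
                # Key or value absent in this store: nothing configured here.
                $label = 'Not set'; $flag = '-'
            } elseif ($Actions.ContainsKey([int]$raw)) {
                $label = $Actions[[int]$raw]
                # Only an explicit Disable matches what the KB article recommends.
                $flag  = if ($raw -eq 3) { 'ok' } else { 'REVIEW' }
            } else {
                $label = "Unknown ($raw)"; $flag = 'REVIEW'
            }

            [pscustomobject]@{
                Store   = $store.Key
                Zone    = $zone.Value
                Setting = $label
                Flag    = $flag
            }
        }
    }
}

Get-ActiveScriptingAudit | Format-Table -AutoSize
```

Because the zone settings are shared, a REVIEW row applies to IE and Outlook Express as well, which is what the warning message in the procedure is telling you.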
This KB article does not mention that disabling Active Scripting in Outlook 2000 has a side effect on Internet Explorer 5 - the auto search feature no longer works. Auto search lets you enter "Metropolitan Opera" in the address bar (for example) and it will automatically search for the web site of the opera company and return a list of best guesses in a side frame. After disabling Active Scripting, use of auto search results in this error:
Auto search requires Active Scripting, which is currently turned off.
It also affects the use of JavaScript in Internet Explorer. To read about this, see the IE 5 gripes.
For background information on security zones in Outlook 2000 (not IE, not other versions/releases of Outlook) the above article links to another Knowledge Base item, Security Zones in Outlook 2000. This article says of the "Medium" setting that it "provides a warning before opening content that is potentially damaging". Not true.
The last paragraph of the May 11 article in The Standard (above) says there is a "Kak" email virus that fits this profile. Fortunately it is not destructive, but the article ends by saying "a destructive version of it is almost certainly coming to a computer near you".
November 27, 2001. Yet another "worm" has been released that can infect the computer of Outlook and Outlook Express users just by their reading the email message. You do not have to click on or run an attached file to get infected by this program which is called "Badtrans". The infection consists of a keystroke logger that surreptitiously can record passwords, credit data, and other information. The worm drops a backdoor trojan program on your computer which allows a hacker to access personal information. It uses a vulnerability in Internet Explorer 5.01 and 5.5 to automatically execute itself on PCs that don't have a patched Web browser. This same vulnerability is used by the Nimda worm.
Read about this in the San Jose Mercury News Nov 27, 2001
Read about this in CNet November 27, 2001.
Read the Microsoft security bulletin about the bug in IE5
Sophos describes how the virus works
MessageLabs offers some quantitative analysis
April 21, 2002. There is yet another virus you can get just by previewing an email message without having to run an attached file. The Klez family of email viruses have been around since 2001, but they have spread a lot in the last few days. Woody's Office Watch newsletter discusses the problem which is really with IE, not with Outlook. Perhaps the biggest gripe regarding the Klez virus is the lack of owning up to it by Microsoft. Quoting Woody: "Despite the threat against their products you won't find anything directly relevant on the Microsoft web site unless you know the code words - and even then you have to check the fineprint."
Microsoft Upgrades Warning on IE Flaw. Users urged to patch security hole now considered 'critical.' IDG News Service. December 13, 2002. Still another bug that can cause you to get a virus by reading an email message without executing an attachment.
FYI: March 30, 2001. A BIG BUG exists in IE5 that can cause Outlook and Outlook Express to delete all the files on your computer just by viewing an email message.
FYI: October, 2001. Bugs in Outlook that can result in all the files on your computer being deleted are no longer news. In the October 2001 issue of PC World magazine, Stuart J. Johnston writes (Security Scares With Microsoft Outlook) about a current bug that affects Outlook 98, Outlook 2000 and Outlook 2002. As of this writing, there is no fix for this bug.
FYI: March 21, 2002. Microsoft Outlook's so-so security. By Robert Lemos, CNET News.com. Internet privacy researcher Richard Smith released a list of four issues that continue to undermine the security of Microsoft's Outlook 2002 and could leave the major mail program open to attack by virus writers.
Other Gripers
Ban Outlook--now. By Steven Vaughan-Nichols on ZDNet. September 25, 2001. Outlook, with its deep hooks into the operating system, will always have security problems. So I'd like to propose a radical way to prevent Outlook transmitted diseases (OTDs): ban Outlook from corporate desktops. Outlook is vulnerable by design. If you want all that power to trade data and code with programs like Excel and Word, security is the price you pay. Even when good users and administrators patch their software, this only closes the barn door after the horses have fled. Want a replacement? I like Pegasus Mail--and it's free. Eudora also still has its fans and can run on Windows PCs, Macs, and even Palms. The article concludes with advice on how to configure Outlook to be as safe as possible.
Things about MS Outlook that bug me David Coursey. ZDNet AnchorDesk. February 11, 2002.
Frustrated With Outlook? Take the Express Route By Walter S. Mossberg October 2002. The Mossberg Report. Quoting: "I don't use Outlook. I find it dense, ponderous and slow. It is the most overengineered, unnecessarily complicated program in common use today. While it has gotten a little simpler over the years, it's still overkill for most people."
| Page last updated: April 26, 2004 |