Stuart Sanders
stuart at pacific.net.hk
Fri Nov 21 00:24:48 CST 2003
The Outlook security patch is a half-assed reaction to what was at the time a big press issue. With repeated massive virus attacks crippling mail servers world wide, they had to appear do something for public image and if it helped lessen the problem all the better. This was quick and dirty and since it was done, it stuck, but at least in later office versions you could uncripple outlook for certain things. Why is it half assed? 1. It is indiscriminate and broke a lot of existing and widely used applications that hooked into outlook. Remember that Office and vba is supposed to be all about flexibility developing solutions. They broke that big time. 2. It isn't about fixing security vulnerabilites. MS has had plenty of security vulnerabilites and they fix those with minor patches, not wholesale surgery on applications. The patch doesn't stop you receiving viruses, or running them, or them sending mail out simple inbuilt smtp engines which most successful trojans have had for years. By and large viruses/trojan in this day and age do not use security vulnerabilities as their primary means of infection. 3. And this is the kicker for me. If redemption bypasses security by using extended mapi, how long will it really be before some virus/trojan writer uses extended mapi to access the address book. Remember the majority of viruses these days are trojans not scripts. They don't use security vulnerabilites to spread and infect, they use social engineering to trick people into thinking they are from people they know. So should I now spend US$200 on a control that may well be crippled sometime soon as MS uses the same half baked strategy again. If they are going to close access to the address book why not close it the first time, and not leave a back door that will spawn another generation of super spreading viruses? It it worth trying to bypass Outlook security? If I can bypass it with a simple control, so any decent virus writer with half a brain can build the same into his newest attack. Stuart > -----Original Message----- > From: accessd-bounces at databaseadvisors.com > [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of > Stuart McLachlan > Sent: Friday, 21 November, 2003 8:32 AM > To: Access Developers discussion and problem solving > Subject: RE: [AccessD] Redemption DLL WAS: Poll: How many versions... > > > On 20 Nov 2003 at 17:55, Brett Barabash wrote: > > > > > >I bypassing it by not installing the service pack that > turns it on. (A2K) > > Not installing a security service pack to stop malicious > VBScript code from > > propogating viruses IS a big deal. Are you advising your > clients not to > > install security patches so your email code will work? > > > > > I'm with JC 100% on this one. > > The "security" patch is not about stopping viruses from infecting > machines. It's not about stopping viruses from causing damage. It's > not about stopiing viruses from doing anything. > > It's about stopping the perfectly legitimate function of interprocess > communication which is supposed at the heart of the MS software suite > paradigm. It's a half-witted attempt at arse covering by MS which > has the side effect of destroying the functionality of many existing > applications. > > Yes I am advising my clients not to instal it. > (At least the ones who don't heed my other advice to use non-MS email > programs. My Pegasus/Mercury using clients don't have to worry about > it at all <VBG>) > > > > > > > > -- > Lexacorp Ltd > http://www.lexacorp.com.pg > Information Technology Consultancy, Software > Development,System Support. > > > > _______________________________________________ > AccessD mailing list > AccessD at databaseadvisors.com > http://databaseadvisors.com/mailman/listinfo/accessd > Website: http://www.databaseadvisors.com >