[AccessD] Redemption DLL WAS: Poll: How many versions...

Stuart Sanders stuart at pacific.net.hk
Fri Nov 21 00:24:48 CST 2003


The Outlook security patch is a half-assed reaction to what was at the time a
big press issue.  With repeated massive virus attacks crippling mail servers
worldwide, they had to appear to do something for public image, and if it helped
lessen the problem all the better.  This was quick and dirty and since it was
done, it stuck, but at least in later Office versions you could uncripple
Outlook for certain things.  Why is it half-assed?

1. It is indiscriminate and broke a lot of existing and widely used applications
that hooked into Outlook.  Remember that Office and VBA are supposed to be all
about flexibility in developing solutions.  They broke that big time.

2. It isn't about fixing security vulnerabilities.  MS has had plenty of security
vulnerabilities and they fix those with minor patches, not wholesale surgery on
applications.  The patch doesn't stop you receiving viruses, or running them, or
them sending mail out through simple inbuilt SMTP engines, which most successful
trojans have had for years.  By and large viruses/trojans in this day and age do
not use security vulnerabilities as their primary means of infection.

3. And this is the kicker for me.  If Redemption bypasses security by using
Extended MAPI, how long will it really be before some virus/trojan writer uses
Extended MAPI to access the address book?  Remember the majority of viruses
these days are trojans, not scripts.  They don't use security vulnerabilities to
spread and infect, they use social engineering to trick people into thinking
they are from people they know.

So should I now spend US$200 on a control that may well be crippled sometime
soon as MS uses the same half-baked strategy again?  If they are going to close
access to the address book why not close it the first time, and not leave a back
door that will spawn another generation of super-spreading viruses?

Is it worth trying to bypass Outlook security?  If I can bypass it with a simple
control, so any decent virus writer with half a brain can build the same into
his newest attack.

Stuart

> -----Original Message-----
> From: accessd-bounces at databaseadvisors.com 
> [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of 
> Stuart McLachlan
> Sent: Friday, 21 November, 2003 8:32 AM
> To: Access Developers discussion and problem solving
> Subject: RE: [AccessD] Redemption DLL WAS: Poll: How many versions...
> 
> 
> On 20 Nov 2003 at 17:55, Brett Barabash wrote:
> 
> > 
> > >I'm bypassing it by not installing the service pack that turns it on. (A2K)
> > Not installing a security service pack to stop malicious VBScript code from
> > propagating viruses IS a big deal.  Are you advising your clients not to
> > install security patches so your email code will work?
> > 
> > 
> I'm with JC 100% on this one.
> 
> The "security" patch is not about stopping viruses from infecting 
> machines. It's not about stopping viruses from causing damage. It's 
> not about stopping viruses from doing anything.
> 
> It's about stopping the perfectly legitimate function of interprocess 
> communication which is supposed to be at the heart of the MS software suite 
> paradigm.  It's a half-witted attempt at arse covering by MS which 
> has the side effect of destroying the functionality of many existing 
> applications.  
> 
> Yes I am advising my clients not to instal it.
> (At least the ones who don't heed my other advice to use non-MS email 
> programs. My Pegasus/Mercury using clients don't have to worry about 
> it at all <VBG>)
>
> -- 
> Lexacorp Ltd
> http://www.lexacorp.com.pg
> Information Technology Consultancy, Software Development, System Support.

