[AccessD] Redemption DLL WAS: Poll: How many versions...

Charlotte Foust cfoust at infostatsystems.com
Fri Nov 21 10:29:47 CST 2003


This thread seems to be degenerating into Microsoft bashing and rant,
but let me clarify something.  The Redemption dll is NOT a control.  It
is a library that you call into, a wrapper for Extended MAPI calls.
Feel free to write your own ... Or to use a different email application
... Or to use SMTP instead.

Charlotte Foust

-----Original Message-----
From: Stuart Sanders [mailto:stuart at pacific.net.hk] 
Sent: Thursday, November 20, 2003 10:25 PM
To: 'Access Developers discussion and problem solving'
Subject: RE: [AccessD] Redemption DLL WAS: Poll: How many versions...



The Outlook security patch is a half-assed reaction to what was at the
time a big press issue.  With repeated massive virus attacks crippling
mail servers world wide, they had to appear to do something for public
image and if it helped lessen the problem all the better.  This was
quick and dirty and since it was done, it stuck, but at least in later
office versions you could uncripple outlook for certain things.  Why is
it half assed?

1. It is indiscriminate and broke a lot of existing and widely used
applications that hooked into outlook.  Remember that Office and vba is
supposed to be all about flexibility developing solutions.  They broke
that big time.

2. It isn't about fixing security vulnerabilities.  MS has had plenty of
security vulnerabilities and they fix those with minor patches, not
wholesale surgery on applications.  The patch doesn't stop you receiving
viruses, or running them, or them sending mail out via simple inbuilt smtp
engines which most successful trojans have had for years.  By and large
viruses/trojans in this day and age do not use security vulnerabilities
as their primary means of infection.

3. And this is the kicker for me.  If redemption bypasses security by
using extended mapi, how long will it really be before some virus/trojan
writer uses extended mapi to access the address book?  Remember the
majority of viruses these days are trojans not scripts.  They don't use
security vulnerabilities to spread and infect, they use social
engineering to trick people into thinking they are from people they
know.

So should I now spend US$200 on a control that may well be crippled
sometime soon as MS uses the same half baked strategy again?  If they
are going to close access to the address book why not close it the first
time, and not leave a back door that will spawn another generation of
super spreading viruses? 

Is it worth trying to bypass Outlook security?  If I can bypass it with
a simple control, so any decent virus writer with half a brain can build
the same into his newest attack.

Stuart

> -----Original Message-----
> From: accessd-bounces at databaseadvisors.com
> [mailto:accessd-bounces at databaseadvisors.com] On Behalf Of 
> Stuart McLachlan
> Sent: Friday, 21 November, 2003 8:32 AM
> To: Access Developers discussion and problem solving
> Subject: RE: [AccessD] Redemption DLL WAS: Poll: How many versions...
> 
> 
> On 20 Nov 2003 at 17:55, Brett Barabash wrote:
> 
> > 
> > >I bypassing it by not installing the service pack that turns it on. (A2K)
> > Not installing a security service pack to stop malicious VBScript code from
> > propagating viruses IS a big deal.  Are you advising your clients not to
> > install security patches so your email code will work?
> > 
> > 
> I'm with JC 100% on this one.
> 
> The "security" patch is not about stopping viruses from infecting
> machines. It's not about stopping viruses from causing damage. It's 
> not about stopping viruses from doing anything.
> 
> It's about stopping the perfectly legitimate function of interprocess
> communication which is supposed to be at the heart of the MS software suite 
> paradigm.  It's a half-witted attempt at arse covering by MS which 
> has the side effect of destroying the functionality of many existing 
> applications.  
> 
> Yes I am advising my clients not to instal it.
> (At least the ones who don't heed my other advice to use non-MS email
> programs. My Pegasus/Mercury using clients don't have to worry about 
> it at all <VBG>)
> 
> --
> Lexacorp Ltd
> http://www.lexacorp.com.pg
> Information Technology Consultancy, Software 
> Development,System Support.