Microsoft Outlook: Security Features and Vulnerabilities
ECE478 Report
By: Mohammad Al-Fares, Fares Al-Osaimi
Abstract: Microsoft Outlook has been a favorite victim of virus makers because of the relatively easy access it gives to the user's address book. The "Love Bug" and "Melissa" viruses were mainly spread using Outlook. The Preview pane's default setting allows attached code to execute, and that code is most likely a virus that will send itself to the user's contact list. This paper discusses the security features and vulnerabilities of Microsoft Outlook. We examine the structure of the address book and the method by which most viruses spread, and we suggest ways to close these security holes.
Introduction: In recent years, the Microsoft monopoly trials do not seem to have stopped the almost cancer-like proliferation of the company's products in the marketplace. Nine in ten home computers in the United States use the Windows operating system. Microsoft Office is the most widespread suite of programs, offering word processing, spreadsheets, schedule management, slide presentations, and the E-mail client Microsoft Outlook, among other uses. Outlook's availability and ease of use let it surpass its leading competitor, Qualcomm's Eudora, which was the dominant E-mail client on the market in the mid-1990s. Recent versions of the Windows operating system come with Outlook Express, a free and fully functional version of Outlook. Approximately 84 million people in the United States use Outlook or Outlook Express as their main E-mail client. And of course, since Microsoft doesn't believe in the open-source philosophy, the weaknesses of the program are fully exploited by hackers and virus makers to no end. The patches that Microsoft releases for the program can barely keep up with the latest loopholes.

In this paper, we discuss the security features and vulnerabilities in Microsoft Outlook that hackers use to spread specific viruses. We mention the different kinds of attacks and possible ways to prevent them. We analyze the structure of the user's address book, which most viruses use to spread themselves, and provide information on the latest security alerts. As a case study, we discuss the workings of the "I LOVE YOU" virus in detail.
About Microsoft Outlook: Microsoft Outlook provides a solution for organizing and managing digital communication tools such as E-mail, newsgroups, and instant messaging, along with all day-to-day organizational information from calendars and contacts to task lists and notes. Outlook controls the deluge of e-mail, appointments, and contacts, helping the user manage his time and tasks more effectively while making it easier to share information and communicate with others. The new version of Outlook also works as a web and FTP browser, eliminating the need for a separate Internet browser program. Beyond its many built-in features, Outlook can access web-based E-mail services such as Hotmail. It can also initiate instant chat sessions using Microsoft's instant messaging program, MSN Messenger. Furthermore, the mailbox cleanup tool (Figure 2) identifies messages by age and can easily find and delete older messages. Another feature automatically reformats HTML code to plain-text e-mail, in case the receiver cannot read e-mails with HTML.

On the other hand, Outlook's security features are not as impressive. As a countermeasure against the Melissa and I Love You viruses, Outlook won't let the user receive certain file formats that may be virus carriers. Although Outlook notifies the user about such attachments, they can't be seen, opened, or saved. The default user of this program cannot change this behavior. Therefore, if your job requires that you receive these kinds of files, it is recommended that you look for another software package to handle your e-mail. The ability to handle add-ins is a feature or a vulnerability, depending on the way you look at it. There are many outside add-ins for Outlook, such as Inbox Protector, which detects spam and moves it to the deleted messages folder.

Screen Shots:
Figure 3: The Application Interface lets you access most of the features.
Figure 4: Integration of Internet Explorer by placing the Favorites menu in Outlook.
Figure 5: Outlook features the ability to manage different accounts for different users.
Security Features: Microsoft has responded to the market's demand for encryption, signature services, and virus protection. To use these extra security services (which most users don't bother with), Outlook requires a Digital ID, which the user needs to purchase from a company like VeriSign (the most popular of several similar companies). It uses the RSA scheme of a private-public key pair and binds the user's E-mail address to that pair. The public key is openly published in their public key directory. To encrypt a message to someone, the user must find that person's public key (which is in the directory). In the Options pane (Figure 1), the user can modify his security settings like so:
Figure 6: The Security tab in the Options screen
Encryption: If the encryption box is checked and the user marks the message for encryption when writing new mail, Outlook will use the public key of the receiver to encrypt it. The receiver's email client will then use his private key to decrypt the message and display it. This way confidentiality is assured, because no one without the receiver's private key can decrypt the message.

Digital Signature: If the user wishes to digitally sign his message, Outlook will encrypt it with the sender's private key, then append the sender's public key to the message so the receiver need not bother looking it up in the directory. To prevent impersonation, the public key is signed by the certificate authority (VeriSign in this case) so that the reader can be sure this is the correct public key.

E-mail Attachment Screening: Outlook automatically blocks emails with attachments of certain executable extensions known to possibly carry viruses (*.exe, *.scr, *.vbs, etc.). It issues warnings to users when they try to open suspect attachments or read HTML mail containing scripts directing them to restricted areas. This sort of blind discrimination is annoying to many users who think security should be left to the discretion of the intelligent user. An extended list of the screened extensions is in Appendix A.
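
The extension screening described above can be sketched as follows. This is an added example, not Outlook's code or part of the original report: it checks attachment names against the Appendix A list and also flags the double-extension disguise seen in the case study's letter-for-you.txt.pif. The function names and the sample message are constructed for illustration.

```python
# Added example (not Outlook's own code): extension-based attachment screening.
import email
from email import policy

# Restricted extensions as listed in Appendix A of this report.
BLOCKED = frozenset(("ade adp bas bat chm cmd com cpl crt exe hlp hta inf ins isp js jse lnk "
                     "mdb mde msc msi msp mst pcd pif reg scr sct shs url vb vbe vbs wsc wsf wsh").split())

def split_name(filename):
    """Return (stem, extension) as Windows would resolve the name."""
    # Windows drops trailing dots and spaces, so "a.vbs. " still opens as .vbs.
    name = filename.strip().rstrip(". ")
    stem, dot, ext = name.rpartition(".")
    return (stem, ext.lower()) if dot else (name, "")

def screen_attachment(filename):
    """Classify a name as 'allow', 'block' or 'block-disguised'."""
    stem, ext = split_name(filename)
    if ext not in BLOCKED:
        return "allow"
    # A harmless-looking inner extension (x.txt.pif) poses as a text file.
    inner = split_name(stem)[1]
    return "block-disguised" if inner and inner not in BLOCKED else "block"

def screen_message(raw_bytes):
    """Map every named MIME part of a raw message to its verdict."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    names = (part.get_filename() for part in msg.walk())
    return {name: screen_attachment(name) for name in names if name}

# Constructed sample message, modelled on the E-mail in the case study.
SAMPLE = b"""\
Subject: I Love You
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

kindly check the attached love letter coming from me
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="letter-for-you.txt.pif"

(constructed placeholder, no payload)
--b1--
"""

if __name__ == "__main__":
    print(screen_message(SAMPLE))
```

Matching on the name alone says nothing about the content, so a renamed file passes; that limitation is inherent to the extension-list approach the report describes.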
Spam Protection: Whenever an outside program tries to use the Send feature without the knowledge of the user, a flag is raised and the user is automatically asked whether he would allow this possible outgoing spam. Also, to counter the ever-increasing efficiency of dictionary attacks on E-mail addresses, Outlook has a Junk-filter feature that deletes incoming spam, which wastes the user's time.
Outlook Vulnerabilities: Microsoft Outlook has been criticized by many reviewers as being too insecure and a hotbed for spreading viruses. There were two main reasons for this criticism. The first is the relative ease of access to the user's address book by any outside program; the second is the default feature of the Preview pane, which automatically opens E-mails along with any attachment. Most users don't bother changing the default settings, which were not chosen carefully by Microsoft in the early versions of Outlook.

The Address Book: Access restrictions on the user's list of contacts were somewhat slack in the past. A virus would copy the list of all the E-mail addresses in the user's address book and use the Send feature to send copies of itself to all these addresses. Every recipient would in turn do the same thing, and the virus would spread exponentially. With the recent security patch to Outlook, Microsoft has fixed this problem by detecting whenever a program is trying to access the address book and prompting the user about allowing access.

The Preview Panel: The default setting of the preview panel opens every attachment, which is inherently unsafe. The recent patch offers the option to block certain attachment types. It also prevents unsigned (thus non-trusted) scripts from running in Preview.
Case Study: An I Love You Virus Short Story: It is the most destructive virus yet, causing damage to at least 45 million computers in 20 countries and making an overall loss of over ten billion dollars. I did not know that when I opened Microsoft Outlook to check my E-mail that day. I received an E-mail from someone named Jessica with the subject line "I Love You". The body of the E-mail simply said "kindly check the attached love letter coming from me". My mouse pointer raced across the screen and opened the attached file, named letter-for-you.txt.pif, and nothing happened, at least that is what I thought. I tried to remember if I knew anyone with the name Jessica while the file I just ran started to make copies of itself in a few folders of my computer and installed the following keys in the registry in order to run itself automatically at system start up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32=WINDOWS\SYSTEM\MSKernel32.vbs
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL=WINDOWS\Win32DLL.vbs

It turned out that I had unwittingly participated in the distribution of this virus because I emailed pictures to my friends. The virus searched my hard drive for *.JPG files and replaced them with copies of itself. It kept the original filename and added a VBS extension to it. It also overwrote files with the following extensions with copies of itself: VBS, VBE, JS, JSE, CSS, WSH, SCT, and HTA.
This Love Bug was smart enough to spread over the internet by itself. It creates a file called letter-for-you.htm which contains the virus, and this is then sent to IRC channels if the chat client mIRC is installed on the user's computer. This is accomplished by replacing the file script.ini in the mIRC directory. My computer geek friend told me to notify all the people in my Outlook address book, because the worm uses Microsoft Outlook to send copies of itself to all entries in the address book. These E-mails will be of the same format as the one I received from the still unknown Jessica. He also advised me to download Microsoft's security update for Outlook to prevent such viruses in the future. Another piece of advice was to remove the preview panel feature in Outlook so that incoming E-mails do not open automatically and I can delete suspicious E-mails without opening them. I didn't use mIRC lately, so Outlook was the spread point of this worm from my computer. I would advise those who are afraid of using Outlook to use web-based E-mail services and forward all their mail to it, and never open executable files in attachments. Finally, Jessica, if you are out there, E-mail me. I guess my E-mail address is in your Outlook address book already.
Appendix A: Restricted File Types

File Extension   File Description
ADE              Microsoft Access Project Extension
ADP              Microsoft Access Project
BAS              Visual Basic Class Module
BAT              Batch File
CHM              Compiled HTML Help File
CMD              Windows NT Command Script
COM              MS-DOS Application
CPL              Control Panel Extension
CRT              Security Certificate
EXE              Application
HLP              Windows Help File
HTA              HTML Applications
INF              Setup Information File
INS              Internet Communication Settings
ISP              Internet Communication Settings
JS               JScript File
JSE              JScript Encoded Script File
LNK              Shortcut
MDB              Microsoft Access Application
MDE              Microsoft Access MDE Database
MSC              Microsoft Common Console Document
MSI              Windows Installer Package
MSP              Windows Installer Patch
MST              Visual Test Source File
PCD              Photo CD Image
PIF              Shortcut to MS-DOS Program
REG              Registration Entries
SCR              Screen Saver
SCT              Windows Script Component
SHS              Shell Scrap Object
URL              Internet Shortcut (Uniform Resource Locator)
VB               VBScript File
VBE              VBScript Encoded Script File
VBS              VBScript Script File
WSC              Windows Script Component
WSF              Windows Script File
WSH              Windows Scripting Host Settings File