News -- Beware the Briar Patch: Outlook's Latest Security Update - Part 2
by Tom Syroid
07/01/2000
As Tom explains in Part 1 of his series, Microsoft's recent Outlook security update, designed to limit the damage caused by the recent rash of worm viruses, was controversial before it hit the streets. Those who worked with the pre-release code complained that the patch broke more than it fixed and its implementation was a disaster.
In this series of articles, Tom guides you through the numerous complexities, contortions, and "gotchas" hidden under the covers of this update. In Part 4 of this series, Tom gives you some valuable recommendations.
Inside Outlook's New Attachment Security
Once the update is installed, Outlook views email attachments as belonging to one of three types, based on file extension: Level 1 (which Microsoft terms "unsafe"), Level 2, and Other. These levels are enforced by Outlook according to the type of Information Store in use (.PST, .OST, or .MDB), which is indirectly governed by the Email Service Option the program is installed under (Internet Mail Only or Corporate/Workgroup). [The "No E-mail" setup option is not applicable here for obvious reasons.] To find out which Service Option Outlook is installed under, go to the Help menu and select About Microsoft Outlook. See Chapters 2 and 13 in Outlook 2000 in a Nutshell for details on setup options and Information Stores, respectively.
For example:
If Outlook is configured as an Internet Mail Only client, the only storage option available is a PST. In this scenario, the Level 1 list (see Table 1 below) is hard-coded and cannot be modified.
If Outlook is configured as a Corporate/Workgroup client, three storage options exist: PST, OST, or MDB (an Exchange Server mailbox). Attachments stored in a PST (local or remote) function as above: the list is hard-coded and immutable. For attachments stored in an OST or MDB, the Level 1 list can be modified by the Exchange administrator, either globally or for a specific Security Group.
Level 1 File Attachments
According to Microsoft, Level 1 files are considered "unsafe" if they are capable of running an embedded script or executing code when activated. Table 1 lists the thirty-eight extensions Microsoft classifies as Level 1 files.
Table 1: Level 1 File Extensions
| Extension | File type |
| --- | --- |
| .ade | Microsoft Access project extension |
| .adp | Microsoft Access project |
| .bas | Microsoft Visual Basic class module |
| .bat | Batch file |
| .chm | Compiled HTML Help file |
| .cmd | Microsoft Windows NT Command script |
| .com | Microsoft MS-DOS program |
| .cpl | Control Panel extension |
| .crt | Security certificate |
| .exe | Executable Program |
| .hlp | Help file |
| .hta | HTML program |
| .inf | Setup Information file |
| .ins | Internet Naming Service |
| .isp | Internet Communication settings |
| .js | JScript file |
| .jse | JScript Encoded Script file |
| .lnk | Shortcut |
| .mdb | Microsoft Access database |
| .mde | Microsoft Access MDE database |
| .msc | Microsoft Common Console document |
| .msi | Microsoft Windows Installer package |
| .msp | Microsoft Windows Installer patch |
| .mst | Microsoft Visual Test source files |
| .pcd | Photo CD image, Microsoft Visual compiled script |
| .pif | Shortcut to MS-DOS program |
| .reg | Registration entries |
| .scr | Screen saver |
| .sct | Windows Script Component |
| .shb | Shell Scrap object |
| .shs | Shell Scrap object |
| .url | Internet shortcut |
| .vb | VBScript file |
| .vbe | VBScript Encoded script file |
| .vbs | VBScript file |
| .wsc | Windows Script Component |
| .wsf | Windows Script file |
| .wsh | Windows Script Host Settings file |
A Level 1 file attachment cannot be opened, saved, printed, or in any way manipulated by Outlook. If the patch is installed and you receive a Level 1 attachment, it's still physically present within the message. You simply cannot see or access it. The Save Attachments command is still present on the File menu, but it does nothing. The paperclip attachment icon on the message form is gone, and the information field above the header fields warns that access to the attachment has been blocked.
NOTE: The information field is limited to four lines. If an email contains more than four information fields (Confidential, Flagged for Follow-up, Sensitivity, etc.), you may not see the "unsafe" warning. In this case, the only remaining visual clue that the message contains an attachment is the presence of a paperclip in the attachment column of the folder containing the message.
Figure 1 shows an .exe attachment received by Outlook with the update installed.

Figure 1: A message containing a blocked file attachment
You can send a Level 1 attachment to someone from a patched version of Outlook. A warning dialog is displayed when you do (see Figure 2), and you must click Yes before the message is dispatched. If the recipient has the Outlook SR-1 update installed, they will not be able to access the attachment. If they do not have the patch installed, no access restrictions are enforced. Recall that it's the client controlling attachment access. In most cases (forwarded messages aside; see below), the attachment is not physically stripped from the message, only blocked from view.

Figure 2: Warning dialog displayed when a Level 1 attachment is sent
Here are some other points to be aware of when sending and receiving attachments under Outlook SR-1:
If you forward an existing message containing a Level 1 attachment, the attachment is stripped before it is sent. In other words, you have no way of getting at a Level 1 attachment. Forwarding it to someone else to place in a zip file for you doesn't fly.
Journal, Meeting, Task items, and some custom forms do not have an information field. If a Level 1 file is saved using one of these forms, no visual indication will be present to alert you that there is a blocked file attached. It's there, hidden, and simply consuming disk space.
When your message format is Microsoft Rich Text, attachments are displayed in the message body itself. In this case, blocked attachments are "shown" as empty space in the text.
If you attach a Level 1 file to a Meeting or Task Request, it is also inaccessible but no warning message is displayed in the information field. Microsoft also advises that you should expect "inconsistent behavior" when attaching "unsafe" files to Meeting and Task Requests. This is not surprising since these two Outlook items were notoriously buggy even before this update came along.
Note that the .url extension is on the Level 1 list. This means that attached links are blocked; links embedded in a message, however, are not. The former is a physical attachment, while the latter is text surrounded by requisite tags.
There are reports circulating that, with the patch installed, synchronization between Outlook and Exchange is no longer a background process; it's now a foreground activity. While our own tests did not show this to be the case, that does not necessarily translate into a generic rebuttal.
TIP: If you receive a message that contains little text and is disproportionately large in size, this might indicate the presence of a blocked attachment.
You may have noticed that Office documents are strangely absent from Microsoft's Level 1 list, which is hugely remiss considering the ease with which a macro or script can be attached to one of these files. (Anyone remember Melissa?) The folks at Redmond explain this away by pointing out that scripting functionality can be easily disabled via the so-called "Macro Virus Protection" feature.
I won't spend time arguing the pros and cons of this logic. Instead, I simply recommend that you enforce an Open/Save dialog on all attachments whether you choose to install the security patch or not. You can do this by going to Explorer and editing the default Open behavior for .ppt, .xls, .doc, etc. files (Tools -> Options -> File Types tab; select a file type and click the Advanced button) or by downloading a program that does this for you. (See Online Resources at the end of this article.)
Level 2 File Attachments
Level 2 attachment security is--at this time--only applicable to Exchange Server message stores and the list is initially empty. File associations are added by the system administrator, and again enforced globally or for specific Exchange groups. Clicking on a Level 2 file attachment produces a dialog box with only two options: Save to Disk or Cancel.
Other Attachments
The Other attachment group is a fall-through that contains all attachments not included in Level 1 and 2. When you open an Other attachment, the standard "What do you want to do? Open the file or save it to disk?" dialog is presented (see Figure 3).

Figure 3: Mail attachment Open/Save dialog
In summary:
Attachments on the Level 1 list cannot be seen or manipulated, period. If your data is stored in a PST, all files listed in Table 1 are blocked. If your data resides on an Exchange Server, the system administrator determines which file extensions are categorized as Level 1.
Level 2 restrictions apply only to data stored on an Exchange Server (or synchronized from an Exchange mailbox to a local OST). Attachments are accessible but can only be saved to disk.
Other attachments can be opened directly or saved to disk. This is the default for any files not categorized as Level 1 or 2.
Managing Level 1 Attachments, ATP (After The Patch)
The restrictions the Outlook update imposes on Level 1 files will undoubtedly force many people to rethink the way they manage email attachments. And in many ways, this is a good thing. The general computing populace is typically either lazy or sloppy when it comes to handling attachments with the respect they deserve. So, while Microsoft's implementation of attachment security can be criticized as heavy-handed and autocratic, it does get the job done and in a way that's going to compel people to "think before they click."
Indirectly and over time, the patch is also going to prompt people to rethink how they send email attachments. Even if you do not use Outlook, do the recipients of your message use it? And are they using the update?
The best way to send anyone a file over the Internet--whether it's attached to an email or not--is by compressing it first with a program like WinZip. Not only does this reduce the file size, sometimes significantly, it also keeps files safe in transit. A virus has yet to be written that can penetrate a zip. (Providing, of course, you take the necessary precautions to ensure that the file(s) you enclose in the zip are "clean" and virus-free.)
The other alternative is to change the file's extension before sending it. Outlook doesn't care what's in the file itself, as long as the extension is not on the Level 1 list. Renaming file.exe to file.exe.nuts would allow it to get by the attachment police. Just don't forget to send instructions to the recipient detailing how to return the file to an executable state.
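The three-level decision summarized above and the renaming caveat, as an added example in Python (not code from the article or from Microsoft): `classify` models the extension-only rule per store type, and `review` adds an "MZ" header check to show what that rule lets through. The function names, the way administrator lists are passed in, and the sample bytes are assumptions made for illustration.

```python
import os

# Table 1 above: the 38 extensions hard-coded as Level 1 for PST stores.
LEVEL1_DEFAULT = frozenset(
    ".ade .adp .bas .bat .chm .cmd .com .cpl .crt .exe .hlp .hta .inf .ins "
    ".isp .js .jse .lnk .mdb .mde .msc .msi .msp .mst .pcd .pif .reg .scr "
    ".sct .shb .shs .url .vb .vbe .vbs .wsc .wsf .wsh".split())

def classify(filename, store, admin_level1=None, admin_level2=()):
    """Return 'Level 1', 'Level 2' or 'Other' from the final extension only.

    store is 'PST', 'OST' or 'MDB'. Administrator lists are honoured only for
    Exchange-backed stores (OST/MDB); a PST always gets Table 1 and has no
    Level 2 list. Passing the lists as sets is an assumption of this example.
    """
    exchange = store.upper() in ("OST", "MDB")
    level1 = LEVEL1_DEFAULT
    if exchange and admin_level1 is not None:
        level1 = frozenset(e.lower() for e in admin_level1)
    level2 = frozenset(e.lower() for e in admin_level2) if exchange else frozenset()
    ext = os.path.splitext(filename)[1].lower()
    if ext in level1:          # assumption: Level 1 wins if listed on both
        return "Level 1"
    return "Level 2" if ext in level2 else "Other"

def looks_like_dos_or_pe(data):
    """True when the content starts with the 'MZ' signature of DOS/Windows
    executables, whatever the file is called."""
    return data[:2] == b"MZ"

def review(filename, data, store="PST"):
    """Pair the extension verdict with a content check a scanner could add.
    Returns (level, flagged); flagged marks executable content that the
    extension rule let through."""
    level = classify(filename, store)
    return level, level != "Level 1" and looks_like_dos_or_pe(data)

# Constructed sample: only the first bytes of an executable header.
SAMPLE_EXE = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for name in ("file.exe", "file.exe.nuts", "report.doc"):
        data = SAMPLE_EXE if "exe" in name else b"\xd0\xcf\x11\xe0"
        print(name, review(name, data))
```

A renamed executable comes back as `('Other', True)`: the extension rule passes it, and only the content check notices.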
So you've installed the patch (or had the patch installed for you), and you either receive an attachment from someone who doesn't practice "safe computing" or you discover an archived message you need to get. Are you dead in the water? No, you're not. There are several ways around Outlook's attachment security. Keep in mind--forwarded messages aside--the attachment is still there, just not accessible from Outlook.
Most people who are running Outlook also have a copy of Outlook Express kicking around on their system. Import the folder containing the attachment from Outlook into Outlook Express. You can then access the attachment without restrictions.
If your mail account is on an Exchange Server, and your administrator has it configured, you can log into Exchange and use Outlook Web Access (OWA) to gain access to a message attachment. For those of you unfamiliar with OWA, it's a server-side program that allows users to access their mail accounts using any web browser.
Use Chilton Preview. Chilton Preview is a replacement add-in for Outlook's Preview Pane and works on any version of Outlook from '97 thru 2000. It does not block file access, and provides a context menu option to save the file to disk.
Don't miss parts 3 and 4 of Tom Syroid's series, "Beware the Briar Patch."
In Part 3 Tom covers "The Object Model Guard" and "Security."
Online Resources:
A good summary of what worm/script viruses do and how they work.
The Outlook 98 (SR-1) Security Update is available for download.
The Outlook 2000 (SR-1) Security Update.
Information on customizing the Outlook 98/2000 Security Update (in an Exchange environment).
Details on deploying the Outlook 98/2000 Security Update.
Tom Syroid lives in Saskatoon, Canada, and spends his days working as a systems consultant and freelance writer.



