Attachment Insecurity Revealed in Outlook Express

Even if the user picks an option in Outlook Express 6 that says, "Do not allow attachments to be saved or opened that could potentially be a virus," using "forward" could still launch such attachments.

Outlook Express 6 includes a configuration setting awkwardly titled "Do not allow attachments to be saved or opened that could potentially be a virus." When this option is checked, OE blocks the user from opening a wide variety of attachment types that have the potential to execute some kind of code.

Clicking the paperclip icon in preview mode shows the attachment names, but the menu options to save or open them are grayed out. When the message is opened, OE displays a banner stating, "OE removed access to the following unsafe attachments in your mail:."

Windows XP Professional administrators can lock down this setting using the Group Policy Editor, so it might seem a useful way to prevent children or employees from inadvertently releasing potential viruses.

But there's a gaping hole in the security provided by this setting. If the user clicks Forward, the attachment is displayed in the forwarded message, and a double-click will launch it.


To read the full story at PCMag.com, click here.