Re: [OT] Re: Unicode-compliant email manager on XP system

From: Philippe Verdy (verdy_p@wanadoo.fr)
Date: Sun May 25 2003 - 05:30:44 EDT


    From: "Carl W. Brown" <cbrown@xnetinc.com>
    > I do not understand why you consider Outlook Express to be more secure for
    > Internet mail. I think that Outlook Express is even more heavily targeted
    > than Outlook by hackers. Because of the popularity, virus developers find it
    > more productive to target these products.

    A virus will target any email reader. That's not the problem as it targets an OS, not really a particular app which has numerous versions. The problem with Outlook is that it is a door wide open to critical business apps and databases and all Office documents, and it offers automation that enables it to access a whole system, something that Outlook Express does not implement.

    Of course there are security issues associated with the HTML component, but it is the same as Internet Explorer and also used in Outlook. The fact that you use Outlook instead of OE will not give you more or less protection for this common component.

    So the security of OE mostly depends on the security of Internet Explorer, but the security of Outlook also depends on the security of Office and automation components that have a high business value, that's why I think it should not be used for Internet emails. In OE, the risk is mostly limited to the data of one user on one host, but hardly extends to a whole system.

    If a virus writer really wants to target OE users, he will write an attack against Internet Explorer's security zones, in order to activate some malicious JavaScript; however, the JavaScript engine in OE has no binding to system automation components. In addition, Outlook users need to leave automation and ActiveX components enabled for their business apps. This can be safely disabled in OE, where such support of ActiveX is really not needed and can be permanently disabled.

    I don't say that Outlook is unneeded, just that it should be used separately only for internal enterprise applications or personal productivity, simultaneously with OE. Managing Internet emails in Outlook is too dangerous. This is common security advice: separate usages and do not expose in the same application private data and potentially dangerous and unsecured Internet data. OE allows improving such separation even for Outlook users.


