Feeds

Microsoft tells US Air Force to bug off

Outlook patch is patchy

  • alert
  • submit to reddit

3 Big data security analytics techniques

Microsoft's security patch for Outlook, which is designed to protect users from the effects of another Love Bug-style virus, has come under fire from no less a body than the US Air Force.

In a paper to be presented at a security workshop in June, an assistant professor of computer science at the US Air Force Academy will deliver a devastating critique of Microsoft's approach to security in general and Outlook in particular.

Martin Carlisle will tell an audience of security experts that a security patch to Outlook, which is designed to stop viruses spreading via automated messages through requiring user's authorisation via a dialog box, can be easily circumvented.

This "Object Model Guard" prompts a user with a dialogue box when an external program tries to access a user's Outlook address book, a trick used by the Love Bug and other similar viruses.

Carlisle said this idea has promise but Microsoft's implementation is flawed.

"It is possible, with a small amount of code, to create a program that hides and answers the dialog box automatically," said Carlisle.

In a paper to be presented at the workshop Carlisle explains how Microsoft dismissed the significance of the potential vulnerability. Its security team argues that to get around the dialog box they would have to get executable code running on a victims machine, and if an attacker could do that getting around the dialog box would be "the least of your worries".

This, frankly astonishingly arrogant response, is given short shrift by Carlisle: "The Microsoft Security Team seem to have missed the significance of their own security patch because their view neglects the ability of viruses of this class to replicate."

Carlisle and colleague (and co-author) Scott Studer have produced a detailed rebuttal of Microsoft's argument and suggestions of improvement to the dialogue box security, which involve protecting the lowest level of an application.

In a statement we find hard to disagree with the researchers state that reinforcing dialogs based security in Windows can only go so far.

"Given the current limitations of the Windows operating system, this [improving dialogue box security] turns to be similar to trying to secure a parked car at an airport. You can make it harder to break in but you can never make you car totally secure."

The researchers said that Microsoft should consider modifying its operating system in order to verify that messages received come from users rather than other programs. Carlisle and Studer also cover a variety of other ideas for dealing with Love Bug-style viruses (such as blocking Visual Basic Scripting) and their paper is well worth a read. ®

External links

USAF paper: Reinforcing Dialog-Based Security

Related Stories

Reports of death of email viruses greatly exaggerated?
No more I Love You viruses
Rise in viruses within emails outpacing growth of email
Users haven't learned any lessons from the Love Bug

3 Big data security analytics techniques

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.