
 
Microsoft designed Outlook Express to allow someone else to control what your mail software does. Think about that long and hard.
  technofile
Al Fasoldt's reviews and commentaries, continuously available online since 1983

How Microsoft designed an entryway for viruses in Outlook Express


May 8, 2002


By Al Fasoldt
Copyright © 2002, Al Fasoldt
Copyright © 2002, The Post-Standard

   Outlook Express is the most common e-mail program on Earth. But, as Windows users are increasingly aware, it could well be the most unsafe program on the planet as well. This week I'll tell you why it's so dangerous, and I'll offer some help making it safer.
   Outlook Express is distributed with Windows. It's not free, although most Windows users probably think of it that way. (You pay a lot for Windows when you buy a PC or when you buy a separate copy of Windows, and part of that expense covers the cost of Outlook Express. And you pay more than the upfront cost, considering the high cost in time and money of blocking and cleaning viruses from your Windows PC and reinstalling Windows periodically.)
   Outlook Express is an open door to computer viruses and worms. Outlook Express looks for instructions – for special Windows scripts, in other words – in mail that arrives and blithely executes them. You do not have to open the mail for Outlook Express to do this. Outlook will do it for you any time you preview a message in the preview pane. Outlook Express will even do it for you if your Inbox is empty. (The first letter to arrive in an empty Inbox is scanned for script instructions, and they are executed automatically.)
   Keep in mind that Microsoft designed Outlook Express to do this intentionally. The idea, apparently, is to allow someone else to control what your mail software does. That's the sole reason for this kind of programming code. Scripting exists solely to provide functions that could not be performed by Outlook Express alone.
   The trouble with that is obvious once you think of what we do with our mail software. We read mail and write mail. That's all we do. We don't need scripts that run programs.
   If this isn't absurd, we are all turkeys. E-mail is the most common Internet-related activity by far. Software for home use should never be designed to execute script commands planted by miscreants and wackos half a world away.
   We write e-mail letters to each other. We don't send out snippets of code.
   But virus writers do. That's the only known use of this scripting code in typical home e-mail. Microsoft created a way for virus writers to embed instructions in mail. Note that I made no mention of attachments. Scripts can be (and usually are) embedded right in the message.
   This crazy design should never have made it out the door, but Microsoft does things its own way. The company has patched the way its software works to cut down at least some of the danger, but trusting Microsoft to do things right the second time around is a little far-fetched. You do, indeed, need to go to the Windows Update site and apply all the updates that deal with security, but you absolutely must do four other things, too:
   First, install a script blocker to keep scripts from running unless they are both useful and friendly. The best script blocker I know of is Script Sentry. It's free. Get it here: www.jasons-toolbox.com. Click the Script Sentry link.
   Second, turn off the Outlook Express preview pane. That way you can delete suspicious messages without letting Outlook Express open them. (It can't preview them unless it opens them.) Use the View menu or the Layout menu. You'll see the option listed.
   Third, be sure you have good antivirus software and keep it up to date. If you don't do that, you are crazy. The best is free. It's AVG, from www.grisoft.com.
   Fourth, stop letting the brats who write viruses ruin your life. Trash all messages that seem suspicious. Don't even pause to wonder why your sister-in-law is sending you a message asking you to "Please to play game I wrote," or something stupid like that. She didn't send the message. The Klez Worm sent it and faked her address. Give it the heave-ho.
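
   The column's point that scripts ride in the message body itself, not in attachments, can be checked mechanically before a message ever reaches the preview pane. The following is an added example, not part of the original column and not how Script Sentry works: a Python check that parses a raw message and reports script-bearing markup in its HTML body parts. The function names and both sample messages are constructed for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# Tags that run or load active content when HTML mail is rendered.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}


class ActiveContentFinder(HTMLParser):
    """Collects active tags, on* event handlers and script: URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif re.match(r"(javascript|vbscript):", value):
                self.findings.append(f"script URL in {name} on <{tag}>")


def scan_message(raw_bytes):
    """Return findings for every inline text/html part (attachments skipped)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html" or part.is_attachment():
            continue
        finder = ActiveContentFinder()
        finder.feed(part.get_content())
        finder.close()
        findings.extend(finder.findings)
    return findings


# Constructed samples: an HTML body carrying script markup, and a plain-text one.
SAMPLE = (
    b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n\r\n"
    b'<html><body onload="init()"><p>Hello</p>'
    b'<script language="VBScript">Rem placeholder</script></body></html>\r\n'
)
CLEAN = b"Subject: constructed sample\r\n\r\nPlain text only.\r\n"
```

   A mail filter could quarantine any message for which `scan_message` returns a non-empty list, since ordinary correspondence has no need for these constructs.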