The Inside Track on Firefox Development.


December 28, 2004

The Unsung Security Hole

After numerous attempts to save my personal email address ben at bengoodger dot com (after my initial posting last month), it finally became too much of a burden on Pair's servers and my time and it was disabled.

I've set up a new personal email address, and as soon as I can figure out how, I will make it so that it cannot receive email from Microsoft Outlook users. Why? Because Microsoft Outlook and Outlook Express are the unsung security hole in most people's systems.

Surrounding the Thunderbird 1.0 release, many media outlets said that there seemed little reason to switch to Thunderbird given the lack of a security threat like there has been affecting IE this year. This analysis unfortunately shows a lack of appreciation of the type of problems affecting the Internet today.

Every few months a new worm makes the rounds: Sobig, Sober (the 77KB worm which ultimately destroyed my email account) and others. These worms usually travel using Microsoft Outlook as the hook onto people's systems. Creating an email with an attachment that appears innocuous and beckons the user to open it, but which is really a malicious piece of executable code, these emails scan address books and propagate rapidly. Sophisticated worms like Sober even contain their own SMTP engine.

People get infected with these worms because a) they do not understand internet security (probably an impossible problem to solve) and b) their email client software makes it too easy to execute such attachments.

Antivirus companies are quick to advise corporate users how to clean their systems of worms, but enough people (probably home users) don't do this, and since the worms don't necessarily have a noticeable effect on infected systems, they don't have any motivation to do so. There is nothing that can be done for people (like myself with ben@bengoodger.com) whose email addresses are discovered by these virus programs during their operation. The only solution appears to be to use a large ISP for email (such as AOL), which has its own problems, or invest in a corporate grade email filtering solution, which is not really an option for the independent me@mydomain.com user.

So this is what I consider to be the unsung security hole. I hope that by blogging about this other people might pick up on it. One of the reasons people should consider email solutions like Thunderbird is that, like all Mozilla software, it is designed not to allow one-click execution of potentially hazardous code.

It's only a matter of time. Microsoft would like you to continue not to think about your software and continue to use theirs, paying what amounts to extortion fees on ISP filtering solutions. Much of Microsoft's marketing and propaganda is based on encouraging people not to think, through the use of FUD, ranging from subtle manipulations to bald-faced lies. The sad thing is that much of the MCSE trained world is too lazy to care.

Well, I do. I'm a victim of Microsoft's poor quality software without actually having used it. I'm glad we have talented and concerned people like Scott and David working on Thunderbird, and the Mozilla Security Group. Thanks guys, your work may not be as widely appreciated, but you have a fan in me.

Posted by ben at December 28, 2004 7:43 PM