By GREG WYCHERLEY
An independent IT security company has verified a security flaw in Microsoft's e-mail software discovered by an Auckland software designer.
Arjen de Landgraaf, director of E-Secure-IT (a division of Co-Logic) said his company had tested the alleged vulnerability and found that it posed a significant security threat to users of Microsoft's Outlook Express program.
But he said a Microsoft security update, released on June 8, closed the loophole discovered by Phil Saleh, creative director of Arabesque Multimedia.
"We are not advocating for Microsoft, Phil Saleh or anyone else," he said.
"Our only interest is in safeguarding computer users from viruses, hackers or any other security threat."
The Herald reported Mr Saleh's claim that he had discovered a security flaw that could allow hackers to create devastating new "hell viruses."
Mr Saleh e-mailed samples of the code to the Microsoft Security Response Centre in California. The centre said its staff were "unable to reproduce the full scope of effects and problems described."
He also demonstrated his find to John Thackray, operations manager of the police Electronic Crime Unit, who agreed that it presented a threat if released "in the wild."
However, Craig Dewar, Microsoft New Zealand's technical marketing manager, said after visiting Mr Saleh, that the claims were invalid because Mr Saleh's computer was "broken" and his exploit could present no threat if "active scripting," which allows the transmission of executable files, was disabled.
Marius van Niekerk, the E-Secure-IT technician who tested Mr Saleh's exploit, disagreed.
"We set the security to the highest levels as recommended by Microsoft and it still infected the computer," he said.
"The only way to stop it was a combination of three different security updates downloaded from the Microsoft website."
Mr van Niekerk said disabling active scripting would work for users of Outlook Express 5 but people who operated Outlook 2000 could safeguard themselves only by downloading the Microsoft office update.
"Disabling active scripting is not part of the standard security for Outlook Express and the average computer user would have no idea how to do it," he said.
Active scripting can be disabled from Internet Explorer 5 from the tools menu under internet options. Select the security tab, then custom level for internet. Scroll down the options, and select "disable" for both active scripting and Java Applet scripting.
"Besides, a lot of people rely on active scripting - if you disable it at least 20 per cent of websites won't work properly."
He said the vulnerability was particularly worrying because it created a loophole that could be used by hackers to create viruses capable of spreading quickly.
"The fact that it needs no attachment and you don't even need to open the e-mail for it to infect your computer makes it very dangerous," he said.
"If it comes in as your last e-mail it would be automatically highlighted and would infect your computer instantly. If someone comes up with a virus like this it would be a huge problem."
Mr van Niekerk said downloading the security updates for Outlook 2000 from the Microsoft website was difficult and time-consuming.
"It took us half a day to find the patches and one of them is a massive 52 megabyte download," he said. "For the average person, or a company that doesn't have a dedicated IT staff it would be a real problem."
Since the recent spate of script viruses hitting Outlook Express, many users have questioned whether features such as active scripting should be allowed as default behaviour, or functions which allow access to address books without a prompt.
Mr van Niekerk said the Microsoft security update addresses these problems but disables many of the functions that Microsoft uses to market Outlook.
"They were the people who created this technology - now they are telling us not to use it because it's not safe," he said.
He was also critical of the lack of information on the update.
"Microsoft need to get the message out more effectively. Most people don't even know how to find the Microsoft website, let alone use it," he said.
The updates can be downloaded from Microsoft's office update website.
Links
Microsoft
AdvertisementAdvertise with NZME.
Latest from Technology
Big tech names seek meeting with Judith Collins as millions in funding set to expire
'Time is against us' in the cloud software sector's funding quest, tech leaders say.