Tricks of the Microsoft Office Gurus
Until just a few years ago, the primary method that computer viruses used to propagate themselves was the floppy disk. A user with an infected machine would copy some files to a floppy, and the virus would surreptitiously add itself to the disk. When the recipient inserted the disk, the virus copy would come to life and infect yet another computer. When the Internet became a big deal, viruses adapted and began propagating either via malicious websites or via infected program files downloaded to users' machines. Over the past few years, however, by far the most productive method for viruses to replicate has been the humble email message. Melissa, I Love You, BadTrans, Sircam, Klez. The list of email viruses and Trojan horses is a long one, but they all operate more or less the same way: they arrive as a message attachment, often from someone you know. When you open the attachment, the virus infects your computer and then, without your knowledge, uses Outlook and your address book to ship out messages with more copies of itself attached. The nastier versions will also mess with your computer, including deleting data and corrupting files. You can avoid getting infected by one of these viruses by implementing a few common-sense procedures:
Besides these general procedures, Outlook also comes with its own set of virus-protection features. The next few sections show you how to use them.
Working with Security Zones
When implementing security for Internet Explorer, Microsoft realized that different sites have different security needs. For example, it makes sense to have fairly stringent security for Internet sites, but you can probably scale the security back a bit when browsing pages on your corporate intranet. The way Internet Explorer handles security is to classify web pages according to different security zones. Each zone is a collection of web pages that implements a common security level. From the perspective of Outlook, you use the security zones to determine whether active content inside an HTML-format message is allowed to run.
Checking the Outlook Security Zone
To check your Outlook security zone setting, follow these steps:
Viewing a Restricted Message Using the Internet Zone
The Restricted Sites zone blocks ActiveX controls, scripts, and other potentially unsafe content in HTML messages. Considering that such content is rarely required in an email message, you shouldn't feel like you're missing much when you use the Restricted Sites zone with Outlook. However, that doesn't mean that ActiveX controls and scripts are never useful in an email. Some data require active content, so you may occasionally get an email that doesn't display properly because of the Restricted Sites zone's proscriptions. Fortunately, you don't have to abandon the security of the Restricted Sites zone to view the active content of the occasional message. Instead, you can ask Outlook to view the message using the Internet Zone, which does allow active content. Here's how you do this:
Disabling HTML and Rich Text
Using the Restricted Sites zone gives you a high level of email security, but does it make email completely safe? I'd really like to be able to tell you that it does, but if the Internet's relatively short history tells us anything, it's that virus writers and other online miscreants always find a way around even the toughest restrictions. So even though I can't even imagine how someone would break through the Restricted Sites zone's barriers, I'm paranoid enough to believe that someday someone will do it. If you're as paranoid as I am, you need to augment the Restricted Sites settings with the highest level of protection possible: plain text. That is, you need to tell Outlook to eschew HTML and Rich Text formatting and, instead, display all your messages using plain text: no fancy fonts, no colors, no HTML tags, no images, no sounds: just simple, unadorned text where no virus or other malicious content can hide. Here are the steps to follow:
When you receive an HTML or Rich Text message, Outlook converts the message to plain text when you view it either in the Reading pane or in its own window, as shown in Figure 15.2. Notice that the Information pane includes the following message: This message was converted to plain text.
Figure 15.2. When you view an HTML or Rich Text message, Outlook converts it to plain text.
Note that this conversion is for display purposes only. The original message remains in its original format in your Inbox. To prove this for yourself, you can easily view the original formatting by clicking the Information pane and then clicking Display as HTML (refer to Figure 15.2). Outlook converts the message to its original format, as shown in Figure 15.3.
Figure 15.3. Click the Information pane and then click Display as HTML to view the message using its original formatting.
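The display-only conversion described above can be modelled in a few lines. This is an added example, not code from the book and not Outlook's own converter; the names TextOnly, display_as_plain_text and build_sample are hypothetical, and the message is constructed for the illustration.

```python
from email.message import EmailMessage
from html.parser import HTMLParser

class TextOnly(HTMLParser):
    """Keep visible text; drop markup and the bodies of active/style elements."""
    SKIP = {"script", "style", "head", "object"}      # content never shown
    BREAK = {"p", "br", "div", "li", "tr"}            # start a new text line

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self.depth += 1
        elif tag in self.BREAK:
            self.out.append("\n")

    def handle_endtag(self, tag):
        if tag in self.SKIP and self.depth:
            self.depth -= 1

    def handle_data(self, data):
        if not self.depth:
            self.out.append(data)

def display_as_plain_text(msg):
    """Return a text-only rendering; the message object is not modified."""
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        plain = msg.get_body(preferencelist=("plain",))
        return plain.get_content().strip() if plain else ""
    parser = TextOnly()
    parser.feed(part.get_content())
    parser.close()
    lines = (" ".join(l.split()) for l in "".join(parser.out).splitlines())
    return "\n".join(l for l in lines if l)

def build_sample():
    """Constructed HTML message: styling, a script, and a remote image."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(
        "<html><head><style>p{color:red}</style></head>\n"
        "<body><p>Hello <b>team</b>,</p>\n"
        "<script>document.title='x'</script>\n"
        "<img src='http://example.invalid/pixel.gif'>\n"
        "<p>Minutes attached.</p></body></html>\n", subtype="html")
    return msg

if __name__ == "__main__":
    print(display_as_plain_text(build_sample()))
```

The script body and the image reference never reach the rendered text, while the stored message still holds the original HTML, which is why switching back to the HTML view remains possible.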
Handling Attachments
It is sobering to contemplate the billions of dollars and hundreds of thousands of man-hours lost because of major virus outbreaks over the past few years. It is saddening to realize that almost all of those outbreaks were started and escalated by a simple action repeated thousands of times: opening an email attachment. For Microsoft, it was no doubt frightening to realize that most of the damage was caused by Outlook users because, in most cases, these viruses took advantage of security holes to not only infect each user's PC, but also to pass along copies of the virus to other users.
Chastened by all of this, Microsoft designed Outlook 2003 with a grim determination to avoid similar problems. Most drastically, Microsoft identified around 70 file types that could potentially cause problems as attachments, and then simply disallowed the opening of those file types. Note that Microsoft didn't merely make it inconvenient to open these file types; no, they made it impossible without high-level tweaks (that I'll show you a bit later). If someone sends you, for instance, a file with the .exe extension (an executable file), Outlook displays the following message in the Information pane:
Outlook blocked access to the following potentially unsafe attachments: filename
Here, filename is the name of the blocked file. If you select the File, Save Attachments command, the blocked file does not appear in the submenu. There is, in short, no way to view, open, or save the attachment. Table 15.1 runs through all the file types and their associated extensions that Outlook 2003 blocks.
There is, to be sure, much that is potentially dangerous in Table 15.1, but also much that is potentially useful: Registry files, screen savers, Access databases, and batch files, to name just a few. How do you sneak such files past Outlook in cases where you know the files are safe? Here are some ideas:
If you regularly get attachments of a certain file type, the preceding solutions may be more of a hassle than they're worth. Fortunately, there is a Registry tweak you can perform that enables you to specify one or more extensions that Outlook should open with less paranoia. Notice that I didn't say with no paranoia; even with the tweak, you still have a hurdle or two to jump through. To see why, first understand that the file types in Table 15.1 are what Microsoft calls Level 1 file types. With Level 1, you don't get access to the files, period. However, Microsoft also defines Level 2 file types. With these file types, you can access them as attachments, but only by first saving the files to your hard disk. That is, you can't open the files directly from the message. The assumption here is that saving the files to your hard disk gives you the opportunity to virus-check the files before opening them. To specify a file type as Level 2 (there are no default Level 2 file types in Outlook 2003), follow these steps:
When you attempt to open a Level 2 file type attachment from a message, Outlook displays the warning dialog box shown in Figure 15.4. You need to click the Save to Disk button to save the attachment to your hard disk before you can open it.
Figure 15.4. You can work with Level 2 file types, but you must save them to your hard disk before you can open them.
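The Level 1 / Level 2 distinction can be modelled as a small triage over a message's attachments. This is an added example, not code from the book or from Outlook; the function names are hypothetical, the message is constructed, and LEVEL1_SUBSET holds only the handful of types the text names (executables, Registry files, screen savers, Access databases, batch files), not the full Table 15.1 list.

```python
import email
from email.message import EmailMessage

# Illustrative subset of Level 1 types mentioned in the text.
# This is NOT the complete Table 15.1 list.
LEVEL1_SUBSET = {"exe", "reg", "scr", "mdb", "bat"}

def final_extension(filename):
    """Return the extension that decides how the file is handled."""
    # Normalise case and trailing dots/spaces; only the last
    # extension counts, so "Report.PDF.exe" is treated as .exe.
    name = filename.strip().rstrip(". ").lower()
    return name.rsplit(".", 1)[1] if "." in name else ""

def classify(filename, level2=frozenset()):
    """Model the policy: Level 1 = no access, Level 2 = save to disk first."""
    ext = final_extension(filename)
    if ext in level2:              # type the user has moved to Level 2
        return "level2-save-first"
    if ext in LEVEL1_SUBSET:
        return "level1-blocked"
    return "allowed"

def triage(raw_bytes, level2=frozenset()):
    """Map each attachment name in a raw message to its handling level."""
    msg = email.message_from_bytes(raw_bytes)
    return {part.get_filename(): classify(part.get_filename(), level2)
            for part in msg.walk() if part.get_filename()}

def build_sample():
    """Constructed message with harmless placeholder attachments."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("see attached")
    for name in ("notes.txt", "Report.PDF.exe", "settings.reg", "archive.mdb"):
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=name)
    return m.as_bytes()

if __name__ == "__main__":
    for name, verdict in triage(build_sample(), level2={"mdb"}).items():
        print(f"{name!r}: {verdict}")
```

Passing level2={"mdb"} mirrors the effect of marking one extension as Level 2: that type moves from blocked to save-first, and every other Level 1 type stays blocked.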
Controlling Third-Party Access to Your Contacts
One of the biggest reasons that some recent email viruses have done such damage is that they've found a powerful new way to propagate themselves: they access the user's Contacts list and use it to send out dozens of new messages, each with its own infected file attached. In fact, it's not at all hard to access the Contacts list programmatically. Listing 15.1 shows a short bit of VBA code that does just that.
Listing 15.1. A Procedure That Accesses the Outlook Contacts List from Another Application
Sub AccessOutlookAddressBook()
    Dim ol As Outlook.Application  ' Outlook Automation object
    Dim ns As Namespace            ' Outlook NameSpace object
    Dim addr As AddressEntry       ' Outlook AddressEntry object
    '
    ' Establish a connection and log on to Outlook
    '
    Set ol = CreateObject("Outlook.Application")
    Set ns = ol.GetNamespace("MAPI")
    ns.Logon
    '
    ' Grab the first Contacts address
    ' This is where the Address Book security kicks in
    '
    Set addr = ns.AddressLists("Contacts").AddressEntries(1)
    '
    ' Display the name and address
    '
    MsgBox "The first Contacts entry is " & _
        addr.name & " <" & addr.Address & ">"
    '
    ' Log off the session and clear the objects
    '
    ns.Logoff
    Set addr = Nothing
    Set ns = Nothing
    Set ol = Nothing
End Sub
In Outlook 2003 (as well as older versions of Outlook with the E-mail Security Update installed), programmatic access to Contacts isn't forbidden (many legitimate applications require it), but it is monitored. When Outlook detects a script accessing any AddressList object, it immediately displays the dialog box shown in Figure 15.5. You now have two choices:
Figure 15.5. Outlook enables you to control whether a script can access your Contacts list.
Controlling Third-Party Access to Sending Messages
It's still possible for a virus or script to propagate itself without accessing your Contacts list. For example, it might have its own database of addresses. For that reason, Outlook also guards against third-party scripts that send messages. Listing 15.2 shows such a procedure, which you can run from Word, Excel, or PowerPoint.
Listing 15.2. A Procedure That Sends an Email Message from Another Application
Sub SendMessage()
    Dim ol As Outlook.Application  ' Outlook Automation object
    Dim ns As Namespace            ' Outlook NameSpace object
    Dim mi As MailItem             ' Outlook Mailitem object
    '
    ' Establish a connection and log on to Outlook
    '
    Set ol = CreateObject("Outlook.Application")
    Set ns = ol.GetNamespace("MAPI")
    ns.Logon
    '
    ' Create a new message
    '
    Set mi = ol.CreateItem(olMailItem)
    '
    ' Add a recipient without using Contacts
    '
    mi.To = "blah@yadda.com"
    mi.Subject = "Just Testing"
    '
    ' Send it
    ' This is where the Send security kicks in
    '
    mi.Send
    '
    ' Log off the session
    '
    ns.Logoff
    Set mi = Nothing
    Set ns = Nothing
    Set ol = Nothing
End Sub
As with access to the Contacts list, third-party sending requires your permission, so Outlook displays the dialog box shown in Figure 15.6. Again, click Yes to allow the send or click No to block it.
Figure 15.6. Outlook enables you to control whether a third-party script can send a message.