Hello Ansgar and the security-basics list,

Tuesday, July 1, 2003, 9:52:23 AM, you wrote:

AW> I beg to differ on this one. Outlook is a groupware client and is
AW> therefore *designed* to be insecure. It's a behaviour I would
AW> expect from a groupware client. Of course one should *not* use
AW> Outlook as an internet mail client (at least not without taking
AW> further precautions).

Beg to differ all you like. But that doesn't mean that Outlook isn't insecure. And worse, it also doesn't excuse it.

Lotus Notes is a groupware client. Within the groupware market, it's the main competitor of Outlook. Its capabilities are at least similar, although I'd personally rank it as superior in almost all areas.

Now, Lotus Notes isn't a panacea. But it does have a code-signing system which allows administrators within an organisation to restrict who can run scripts, and what those scripts can or cannot do when they're running. It also has sensible defaults, like saving attachments rather than opening them immediately.

If Outlook had this kind of responsible system - forcing scripted code to be signed and recognised before execution - then Outlook's reputation would be far less tarnished than it is today.

In the interests of fairness, I should point out that Lotus Notes is not invulnerable. Although its internal scripting environment is secure, it offers a COM interface too - and that has no such code signing and sandboxing system. Lotus can hardly be blamed for this - COM is insecure by design in this regard - but it does mean that you could send a Win32 executable to a Lotus Notes user and have it do almost anything it wanted to (within the per-user permissions assigned to the "target" user - e.g. abilities to send mail, write to certain databases etc. may be limited at the server side).

AW> Also I would like to mention that AFAIR all vulnerabilities in
AW> Outlook are vulnerabilities of the Internet Explorer (which I
AW> suggest to put on this list instead).

Now that is a point on which I would agree - the willingness of Outlook to hand over the reins to Internet Explorer when viewing a message is somewhat worrying, from a security perspective. It may have saved Microsoft some time in development, but that's about the only good thing I can say about it. ;-)

Oh, and you started your email with this wonderful comment:

AW> I'm not sure if this discussion will be productive in any way,
AW> since you seem to concentrate too much on the software and ignore
AW> layer 8, which is (IMHO) the major problem.

I agree wholeheartedly with that. Well said. :-)

-- 
Best regards,
Philip mailto:[EMAIL PROTECTED]