

October 11, 2002
3:02 PM

While MS-bashing is often too easy, this statement about recent security holes seemed especially astounding: "Outlook Express ships with every Windows system, or rather as part of IE, so it's on every system. But unless it is configured to receive mail, you are not at risk," said Scott Culp, manager for Microsoft security response. Interesting. Unless it is configured to receive mail, like, you know, an email program.
posted by judith (30 comments total)

 
Uh, yeah, you know, like an email program that has been told what my mail server name, user id and password are. Unless Microsoft has started shipping Windows with all of that stuff psychically pre-configured to match my ISP account? MS bashing is all in good fun, but let's try to limit ourselves to legitimate errors.
posted by jacquilynne at 3:10 PM on October 11, 2002


Perhaps I wasn't making my point clearly, jacquilynne.

Outlook Express is an email program. It is designed to be used to receive email. It is disingenuous for a Microsoft spokesperson to say "unless it is configured to receive email" as if you might be using the software for some other more common purpose but in some rare exception might possibly find yourself receiving email.

I wasn't commenting on a "legitimate error", though this security bulletin is the 58th this year. I was commenting on the particular hubris of the way the company talks about their security flaws.
posted by judith at 3:19 PM on October 11, 2002


is bill gates your honey, jacquilynne? MS distributes an email client which, when configured as an email client, exposes your data to danger. and an MS talking head says "it's ok, as long as you don't use our email client for email." how can you excuse that? why are these people not in jail?
posted by quonsar at 3:21 PM on October 11, 2002


Then I've misunderstood your point, for which I apologize. But I think you've misunderstood his point, as well.
posted by jacquilynne at 3:22 PM on October 11, 2002


This is stupid... MS is just trying to make the point that those who have not configured Outlook yet use Windows (a vast majority) do not need to worry about the near-daily Outlook virus warnings.

This sort of knee-jerk MS bashing is better suited to Slashdot.
posted by xmutex at 3:25 PM on October 11, 2002


but that point does not need making. the point is, MS always makes the points that do not need making. what kind of frigging moron needs that point made? obviously, if i have no legs i am in no danger of walking.
posted by quonsar at 3:29 PM on October 11, 2002


and i'd like to see your source for the statement that a vast majority of windows users actually use other mail clients. vast majority - that means "vastly more than 50%". show me the stats!
posted by quonsar at 3:31 PM on October 11, 2002


Actually, it does need to be made, at least to Joe Computer User. Microsoft makes a strong point of making Windows applications share common components, and a large part of the user base knows that IE/Windows/Outlook are all hooked together. Therefore, a somewhat reasonable concern is that they could be prone to Outlook virii without actually making use of Outlook.
posted by xmutex at 3:31 PM on October 11, 2002


This is a lot like Microsoft's claim several years ago, in response to comments about NT 4's remote security, that it was officially designated C4 secure by the government -- and neglected to mention that this particular government designation was for machines not necessarily attached to a network.

It's true. And it's true that non-outlook users don't have to worry about outlook viruses. It's also true that Microsoft's approach to addressing flaws in their products is about as disingenuous as it gets. When they tell the truth, they do it the way any good* dark mythic figure who is the embodiment of evil and keeper of some burning netherworld would: just enough to misdirect you from apprehending the larger truths.

* by which I mean, evil, of course
posted by namespan at 3:40 PM on October 11, 2002


I did click on it. Please don't do that.
posted by languagehat at 3:41 PM on October 11, 2002


Judith, you're missing the point of what he said. Outlook Express as installed by default, sitting unused, is harmless. "But unless it is configured to receive mail" means that until you give it your POP information, etc., it's not going to do a darned thing. An e-mail client is not "configured" to receive e-mail by default.
posted by oissubke at 3:41 PM on October 11, 2002


addendum to my points:

i wasn't trying to defend microsoft or make them out to be a force of goodness in a wicked, wretched world.

i was just trying to put that one actual comment referred to in the post into what i think is the correct context.
posted by xmutex at 3:41 PM on October 11, 2002


Quonsar: My mother religiously installs Outlook Express (and other) security patches whenever she hears about them. She reads her mail in Netscape.

Naturally, I can't map one anecdote to the 'vast majority' of xmutex's post, but there are users out there who don't understand that a security flaw in OE isn't a problem for them if they don't use it, even if they have it installed on their systems. It's a valid and useful point for MS to make.

I think MS is the evil empire. I think their approach to security is pitiful. I think OE is more useful as a viral vector than an email program. I think calling attention to a reasonable and valid statement makes MS-bashers look silly and in turn makes all the other, more important things they have to say about MS idiocy look silly, as well.
posted by jacquilynne at 3:45 PM on October 11, 2002


"But unless it is configured to receive mail" means that until you give it your POP information, etc., it's not going to do a darned thing. An e-mail client is not "configured" to receive e-mail by default.

but hundreds of thousands of people DO configure it. that's what the software is designed for. that's why it is included with every shipment of windows. of course it's not configured by default; it's configured by design. microsoft wants windows customers to use the tools - that's why they ship them. to suddenly backpedal on that and say "well, as long as you're not actually *using* those tools we released onto the marketplace as perfectly safe tools, you should be fine" is absurd.
posted by judith at 3:50 PM on October 11, 2002


I don't think it is a valid point, because as long as Outlook Express is on the computer, it could be set up to receive e-mail and make the system vulnerable to the security holes Microsoft convinced a user not to install.

If this was about serving users rather than the company, Microsoft would advise people to deinstall Outlook Express if they are not using it. Linux security advisories often suggest exactly that when a program is involved in a security report so users will reduce their unnecessary exposure to crackers.
posted by rcade at 3:50 PM on October 11, 2002


Users should remain calm. This vulnerability will affect only the people who have configured Outlook to accept email, applied 110 volts (offer void outside U.S.) across the power receptacle of their computer, and configured their networking subsystem to pass TCP segments. Moreover, those users whose Windows computer is displaying a so-called "blue screen" diagnostic message (which covers a significant number of Windows users) are also likely immune from this defect.

Users who remain vulnerable to this issue (never a "bug" or a "problem", always an "issue") are advised to upgrade their software.
posted by chipr at 3:56 PM on October 11, 2002


This just in, a quote from the retro-future, where Word viruses have run amok once again...
"Microsoft Word ships with every Windows system, or rather as part of Office, or as part of a bundle, or whatever, so it's on pretty much every system. Unless you're using one of those free office suites, in which case you get what you pay for. Whatever. Everyone uses it. But as long as you're not using Word to actually edit Word documents, you are not at risk," said Bill Smith, manager for Microsoft security response
Remember folks, guns don't kill people. People kill people.
posted by msippey at 4:03 PM on October 11, 2002


I don't think it is a valid point, because as long as Outlook Express is on the computer, it could be set up to receive e-mail....

Not so. Outlook Express is installed on all our computers at work, but we use Outlook for email, so Express isn't configured. This has been the case at the three most recent places where I've worked.

Not to apologize for Microsoft's crappy software, but I think what Culp is trying to say is "there's a problem with Outlook Express, but there's no need to uninstall it if you don't use it."

On preview: chipr, Outlook and Outlook Express are (perhaps confusingly) two separate products.
posted by hyperizer at 4:04 PM on October 11, 2002


All I know is that my husband has spent the greater part of two days trying to get his computer at work virus-free (the viruses having hitched in on Outlook Express-his WORK email he is REQUIRED to use.) The last two times my computer here at home has been attacked it has been thru Outlook. The first thing the first virus did is dismantle my Norton Antivirus protection.

Okay, I am not the biggest geek on the planet but I do know that the alternate email I use has never done that to me. Any viruses were caught by the email itself or I was able to delete before clicking on the attachment.

I hate Microsoft. And I think I speak for the common (wo)man.
posted by konolia at 4:10 PM on October 11, 2002


It's days like this that I'm glad I run Linux.
posted by entropy at 4:31 PM on October 11, 2002


I've been running Linux as my main OS for years, and while it has rarely crashed and never been infected with a virus, it certainly sucks in its own special way.

I think these programs suck because there's no reason for them not to. People who sell copies of software need a reason for you to upgrade; if this year's model doesn't suck, next year's won't sell. Besides, after you've bought a copy, they already have your money, so it only needs to look good until you actually have it. Also, they have all sorts of motives to be deliberately incompatible, and lock you in, which would screw up subscription software, too.

Free software, on the other hand, is largely written by people who want it for their own use... as a programmer I can testify to how easy it is to work around bugs and a terrible, poorly-documented interface when you wrote it yourself. The people making money are making it through selling documentation and support... not exactly a great profit motive for easy-to-use software. The rest are perfectly justified in taking the attitude that if you want something better, you can write it yourself.

I think that the ideal system would be to make small donations to reward good free software, gaining you the dual benefits of free software and the profit motive. If someone tries to lock you in through incompatibility, you can just say, "Well screw you, I may have to use it but I won't pay for it." If someone writes a sloppy, unusable program, you just say, "If you want my money, you have to do better than that." If they don't want your money, someone else who can do the job probably does.

Sorry for babbling on, but the current state of software economics drives me nuts.
posted by buskpay at 4:51 PM on October 11, 2002


"All copies of Windows ship with a rabid weasel. As long as you don't taunt the weasel, you are not at risk."
posted by RylandDotNet at 6:00 PM on October 11, 2002


Remember, this problem would exist on Macs and on Linux if they were the majority, since bad programmers would focus on those OS's to dump their crappy software on. Right?

Hm, that argument just doesn't work when you're talking about criminally insecure default applications.
posted by jragon at 6:15 PM on October 11, 2002


In any case, this is a not-even-news MicrosoftFilter thread. Why was this even posted?
posted by oissubke at 6:47 PM on October 11, 2002


RylandDotNet that Pepsi™ was a lot better going down my throat than it was coming up my nose.
[reaches for paper towel]
posted by quonsar at 7:27 PM on October 11, 2002


Eudora?
posted by matteo at 7:42 AM on October 12, 2002


Why is it we never talk about the people who actually write viruses? Who are they? Is writing a successful virus a badge of honor? Or is the desire to wreak havoc upon the world something only a sociopath would consider? What sort of punishment is deserved for setting a worm free into the world?
posted by pejamo at 9:03 AM on October 12, 2002


"We make cigarettes. Millions of people buy them. As long as you don't actually *smoke* the cigarettes, you are not at risk."
posted by laz-e-boy at 1:38 PM on October 12, 2002


I'm anticipating a virus that will kindly set up Outlook Express for you using settings from other e-mail clients. Besides, virus creators have tried creating their own e-mail launchpads and have failed one way or another. However, the developers of Outlook Express achieved perfection.
posted by samsara at 6:56 PM on October 12, 2002


Yes. Eudora.
posted by deadcowdan at 6:58 AM on October 14, 2002




This thread has been archived and is closed to new comments