Talk:Microsoft Outlook

From Wikipedia, the free encyclopedia

This article is within the scope of Computing WikiProject, an attempt to build a comprehensive and detailed guide to computers and computing. If you would like to participate, you can edit the article attached to this page, or visit the project page, where you can join the project and/or contribute to the discussion.
This article has not yet received a rating on the quality scale.
This article has not yet received a rating on the importance scale.

Removed "His views are shared by many leading IT professionals." from the already questionable Bill Joy section -- see Weasel Words... User:mattsday


This reads very defensively, not quite MS PR, but close.

Can somebody with enough power not to get slammed *rewrite* this article?

Power? Nobody has any power here. :-) Seriously, as long as an article is NPOV nobody will get "slammed". Evercat 22:13 9 Jun 2003 (UTC)

Close to MS PR? Which paragraph do you have a problem with? Maybe "Microsoft took some corrective steps" should be expanded? User:Elliot100

Well, let's see- pretty much the whole thing. It's written like a Microsoft ad.

"Although often used mainly as an e-mail application, it also provides calendar, task and contact management." Just say: "People use Outlook to read their e-mail, and keep track of a calendar, their tasks, and their contacts."

Say: "Outlook works with Microsoft Exchange Server." None of this "provide enhanced functions" nonsense. Just say: "When Outlook hooks up with an Exchange server, mailboxes, folders, and calendars can be shared. People can arrange meetings automatically."

See? Speak English, baka-boy.

NPOV means Neutral Point of View, not Microsoft Point of View. User:LionKimbro


Shouldn't this article be at Microsoft Office Outlook?

--Szajd 15:44, 2004 May 19 (UTC)

NPOV

I'm going to change the 'improperly Office x' part to 'also known as office x' as it is a bit of a NPOV violation. --Spe88 19:36, 11 Jul 2004 (UTC)


Security Concerns

"omitted to avoid inconveniencing unsophisticated users" <-- Seems a bit subjective to me.. -- mattsday


I think Outlook Express is not related aside from name. Two different teams handle the two Mail clients. Outlook Express is part of the Internet Explorer team (which was dismantled but now regrouped), Outlook is part of the Office team. AFAIK there is no common code shared between the two mail clients.

  • That is not strictly true. Outlook 97 and Internet Mail and News were written by separate teams and share no common code. The first version of Outlook Express shipped with IE 5.0 and also had no shared code with Outlook, but shortly thereafter the teams merged. Outlook 98 (and subsequent versions of Outlook) have a good deal of common code with Outlook Express -- for example: HTML email, MIME attachment handling, SMTP connectivity, and email account management, to name a few. BillBl

Of interesting note, Outlook has no built-in Newsgroup/Newsreader functionality, Outlook Express is the Newsreader application. Users on Outlook/Exchange systems can set up Exchange server to download a newsgroup, and then Outlook can view it as a public folder. - JL

Outlook Express and Outlook < 2007 both share IE as their HTML rendering engine. So even if there is little around the application in common, they are bug-for-bug compatible when it comes to IE-security issues.
I have added a mention of IE on the security concerns, but not put in any citations. Presumably every Windows security update where the issue is marked critical and the workaround "don't use HTML mail" mentioned would do, but I'd really like to see something formal like a paper analysing what percentage of Outlook security fixes were down to IE. SteveLoughran 14:53, 3 October 2007 (UTC)

C

network insecurity because—due to its being written in C—viruses propagate so easily with it

I'm not sure that I understand. Is there something inherently unsafe about a program written in C? func(talk) 22:16, 29 Nov 2004 (UTC)

Not really, just a reason to criticize it. PPGMD

security concerns

The section on security concerns is inaccurate. The vulnerabilities exploited had nothing to do with "automation" features. They were almost all either of the form of a) the user running an attachment or b) some buffer overflow in code that processed the e-mail.

  • No, some of the earliest ones did simply use automation features. It was literally possible for an email to access automation features to start spreading itself as soon as the email was opened, without the user doing anything at all and without the application (Outlook) doing anything it wasn't designed for. It simply never occurred to the designers that bad people might abuse these features! Such simple exploits were corrected years ago, of course. -- Securiger

"Lack of security features compared to other software" is questionable, since other popular software allows execution of attachments too

  • Securiger, you are absolutely correct. I was a member of the original Outlook team. When we discussed adding the ability to access the underlying MAPI Address Book API's via OLE Automation -- the mechanism used to spread viruses -- we DID discuss the possibility that these API's could be used to spread viruses. We knew there was a risk. At the end of the day, we decided to expose it, under the assumption that "no one would ever open an attachment from someone they didn't know or that they didn't know was safe." Which, at the time (1994/1995) was absolutely true -- email was predominantly a power user application. In hindsight, you can say it's moronic, and with the benefit of hindsight, it was stupid. But the API's were tremendously useful, and locking them down would make them less useful and more intrusive: as successive security updates and later versions of Outlook proved -- that's why you get an alert when an add-in that you installed attempts to access your address book. Of course it's impossible to know, but I would bet $100 that if we had made access to those API's as intrusive as they are now, back in 1996/1997, MS would have been accused of being paranoid. -- BillBl

and "windows update" added a patch to disable that a few years back. You might argue it wasn't well written, which was what led to the buffer overflows, but that's not a "lack of security features" issue. It's also misleading to say that they exploited the "HTML capabilities" when really they exploited flaws in the implementation. The current phrasing implies that there's some kind of intrinsic insecurity (in terms of being able to execute code locally) about viewing html in e-mail.

  • There are intrinsic insecurities in HTML email. See [1] and [2] for some general discussions of the evilness of HTML email, but at a more fundamental level, the problem is that HTML is an extremely complex, evolving specification that is designed for a totally different application domain. Offer something like that to any security guy and he will beat you to death with the closest available weighty tome of Schneier. Plus, it was totally unnecessary; we already had rich text email as an actual standard. HTML email was an awful, awful idea and it is just a pity that it is probably now too late to reverse it -- although I know a couple of large organisations that get by just fine with a total prohibition on HTML email, and random sampling indicates that over 90% of non-spammer HTML emails just use Outlook's default settings (i.e. the user isn't doing it intentionally, he just doesn't know how to turn it off). -- Securiger

I'm not sure why Bill Joy's speculation was inserted into the article, that kind of speculation can be applied to any C program with vulnerabilities. That seems more like an attempt to insert some bias against C for no apparent reason. I'd also like to see the claim about "many leading IT professionals" sourced.

  • Outlook vulnerabilities have absolutely nothing to do with being written in C. There are plenty of vulnerabilities, but name one Outlook virus caused by buffer overflow (a typical vulnerability of apps written in C/C++). I'm not saying there aren't any, but there are far more issues caused by attachment handling, easy access to the address book via scripting / OLE Automation, and of course HTML email (scripting and image URL's). -- Billbl, a member of the original Outlook team

Lastly, I'm not sure that default non-loading of images in HTML should be called a "security feature" rather than an anti-spam feature. The reason you don't auto-load images is because those image urls are specially constructed "spammy urls" that are used to confirm (for the spammer) that your e-mail address is active and that you read the spam message.

  • No, it's much broader than that. While that is the most common abuse of loading foreign images, there are plenty of others. Other examples include any creepy person (not just a spammer) using such a web-bug to track where, when and how often you read an email, and to whom you forward it; a denial-of-service attack where the image link actually points to a script which just spews out random packets until your email client crashes (and if the victim has message previewing turned on, just watch him try to recover...); and forms of fraud where the email is made to have totally different meanings to different viewers, by the webserver serving up a different image according to the requester's IP. There are many others, those are just a couple that I have heard of. Essentially, foreign images in email create security issues by violating the semantics of email; it ceases to be a document, and becomes an application under the sender's control. Since, in email, the sender can be anyone who hasn't been actively blacklisted, this is very bad. -- Securiger 02:13, 31 May 2006 (UTC)
  • Using an image to validate an email address or use is called a Web_beacon and is certainly a security and privacy issue. DaveGray 22:00, 4 February 2007 (UTC)
  • Exploits of image files have occurred in the past and you can expect them to occur in the future. An image is essentially a binary format document, and as such is vulnerable to file fuzzing, buffer overflows, etc. In 2004 Microsoft released a security alert titled 'Microsoft Windows JPEG component buffer overflow', see [3] and [4]. This exploit demonstrates the ability of viewing an image to take complete control of the affected system. From the article - "Microsoft's Graphic Device Interface Plus (GDI+) contains a vulnerability in the processing of JPEG images. This vulnerability may allow attackers to remotely execute arbitrary code on the affected system. Exploitation may occur as the result of viewing a malicious web site, reading an HTML-rendered email message, or opening a crafted JPEG image in any vulnerable application. The privileges gained by a remote attacker depend on the software component being attacked." This security issue was fixed and updates released to address the issue. DaveGray 22:00, 4 February 2007 (UTC)

Nathan J. Yoder 11:36, 8 October 2005 (UTC)

Linkspam??

In the last few days there's a link that was added, deleted as linkspam, and re-added. Question: What about most of the external links? Don't 3/4 of them qualify, as ads for add-on products?


Bill Joy

Who is that guy and why is his opinion on Outlook so important it deserves to be mentioned here?

  • Bill Joy is an important figure, but not remotely neutral on this issue; he's a major evangelist for the Java programming language. We could certainly quote him, but his possible bias should be indicated. And I would definitely like to see a citation for the claim that "His views are shared by many leading IT professionals." I have heard a lot of IT professionals discuss the endless security failures in Outlook and I haven't heard anyone else blame the implementation language; most folks I talk to agree that the software architecture is fundamentally insecure, in that Outlook uses the MSHTML engine to render HTML email, thereby tightly coupling it to Windows. (Of course, a lot of the early problems were caused by sheer bloody carelessness.) -- Securiger 08:24, 23 May 2006 (UTC)

Convert top-posted email to bottom-posted

Are there any tools out there to convert top-posted email chains to bottom-posted style? I'm thinking it shouldn't be too hard to write a new program from scratch to do that, but I also didn't want to reinvent the wheel if it had already been done. If there are such tools, their existence should probably be briefly mentioned in the article. 71.63.88.166 20:01, 28 October 2007 (UTC)

HTML Rendering

The previous edition of HTML Rendering went on and on and seemed VERY anti-MS to me. Code samples and long lists of elements seem unnecessary, especially when this small issue occupies more than half the original page.

I have trimmed it down and attempted to give it a less scathing tone (previously, it said things like: "Outlook 2007 is EVEN less standards compliant than before" etc), and instead focussed more on the fact that HTML rendering was intentionally crippled.

If anyone disagrees, feel free to revert and put an NPOV flag in so that it can be discussed. --86.150.2.71 (talk) 14:32, 24 December 2007 (UTC)

Is Outlook 2007 included in Office

The article says: "Office Outlook 2007 (version 12) included in Office 2007, except Office Home and Student edition"

However, the Microsoft article at http://office.microsoft.com/en-us/products/FX101635841033.aspx says that it's included with Basic, Standard, Professional Plus, and Enterprise, but not with Home & Student, Small Business, Professional, or Ultimate.

205.154.230.126 (talk) 23:09, 15 April 2008 (UTC)

It is included in Ultimate. http://office.microsoft.com/en-ca/suites/FX101674121033.aspx 99.236.193.207 (talk) 01:57, 24 April 2008 (UTC)

Outlook Express

Someone wrote that Outlook 98 "freely distributed with books and magazines for coping with newest Internet standard such as HTML mail", it's even marked with a [citation needed]. Wasn't it the free Outlook Express that was freely distributed with books and magazines? Regards, Necessary Evil (talk) 16:16, 4 June 2008 (UTC)

No, it was the full version of Outlook 98. See here. :-) - xpclient Talk 18:50, 4 June 2008 (UTC)
Fair enough, I was just wondering why the "Versions" section still has [citation needed] at Outlook 98. Regards, Necessary Evil (talk) 00:02, 5 June 2008 (UTC)