Why I’ll Never Use Outlook
Why I will never use Outlook as my personal email client. Ever:
Last night I was at dinner with Andre, Andy, and Leonard. We were talking about content aggregators. Andy is using Syndirella to collect weblog posts and quickly read them, while Andre is using Newsgator to do the same.
Newsgator plugs into Outlook, and treats posts like emails, filtering them into folders. It’s certainly convenient, particularly for someone who uses Outlook all day at work. We joked around about how insecure Outlook is, and wondered when someone would write the first weblog-borne virus. It was decided that it was all plain-text, and that Newsgator would strip out any offending code.
Today I played around a little bit with Newsgator, and decided to see what was possible in the RSS feed. I was able to write a little VBScript app/worm that sends email from Outlook, can read your address book, etc. It wasn’t very hard, and it didn’t take very long. All it takes is VBScript in the <description> tags of the RSS feed. While there isn’t the same possibility for self-replication (since there’s no way to script Outlook to publish the same code to someone else’s RSS feed), this is still dangerous because Newsgator traffic won’t be checked by corporate virus scanning software before it reaches Outlook the way incoming email would.
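What “Newsgator would strip out any offending code” would actually have to do, as an added example (not Newsgator’s or Outlook’s code): parse an RSS 2.0 feed and remove <script>-style elements, on* event-handler attributes and script-scheme URLs from every <description> before the HTML reaches a scriptable renderer, counting what was dropped so a reader can flag the feed. The feed and the placeholder() names are constructed for the example.

```python
import html
import xml.etree.ElementTree as ET  # use defusedxml instead for feeds from untrusted hosts
from html.parser import HTMLParser

DROP = {"script", "object", "embed", "applet", "iframe", "style", "meta", "link"}
BAD_SCHEMES = ("javascript:", "vbscript:", "data:")

class ScriptStripper(HTMLParser):
    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives unescaped, so re-escape on output
        self.out, self.skip, self.removed = [], 0, 0

    def handle_starttag(self, tag, attrs):  # HTMLParser lower-cases tag and attribute names
        if tag in DROP:  # drop the element and everything nested inside it
            self.skip, self.removed = self.skip + 1, self.removed + 1
            return
        if self.skip:
            return
        kept = []
        for name, value in attrs:
            norm = "".join(c for c in (value or "") if c > " ").lower()  # defeat whitespace/control padding
            if name.startswith("on") or norm.startswith(BAD_SCHEMES):
                self.removed += 1  # event-handler attribute or script-scheme URL
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP:
            self.skip = max(self.skip - 1, 0)
        elif not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize_description(fragment):
    p = ScriptStripper()
    p.feed(fragment)
    p.close()
    return "".join(p.out), p.removed  # (clean HTML, number of things removed)

def sanitize_feed(rss_xml):  # -> [(title, clean description, removed count), ...] per <item>
    root = ET.fromstring(rss_xml)
    return [(i.findtext("title", ""), *sanitize_description(i.findtext("description", "")))
            for i in root.iter("item")]

# Constructed feed: one plain item, one whose <description> carries the kind of script the post describes.
SAMPLE_FEED = """<rss version="2.0"><channel><title>constructed test feed</title><item><title>plain</title>
<description>&lt;p&gt;Plain &amp;amp; simple&lt;/p&gt;</description></item><item><title>scripted</title>
<description><![CDATA[<p onmouseover="placeholder()">Hello <a href="vbscript:placeholder">link</a></p>
<script language="VBScript">' placeholder, runs nothing</script>]]></description></item></channel></rss>"""
```

A non-zero removed count on an item is the signal a reader should surface rather than silently render.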
7 Comments
spivey
um… that’s not so good.
Feb 28th, 2003
Andy
Brilliant and EVIL!
Feb 28th, 2003
leonard
watch out andre! >;)
Feb 28th, 2003
Greg Reinacker
I have posted comments related to NewsGator and this issue at http://www.newsgator.com/news/archive.aspx?post=3.
Feb 28th, 2003
Bill Kearney
This is not a new issue. It’s been raised many times in the past. Putting scripting inside RSS items is evil. Anything that handles RSS should attempt to neuter said scripts if it finds them. This is an extra, and possibly tedious, step but one that cannot be reasonably argued against. The one argument being a customized channel that has legitimate intentions. This isn’t an unreasonable idea. But it seems like it’d be something that required a per-feed preference setting of some kind that allowed that channel to get away with that sort of stuff.
This opens the can of worms about digitally signed scripts and embedded code. If a feed intended to have such wonderful things done that it required scripting then it ought to take the bigger step up to using PKI. An ugly analogy, perhaps, is if you want promiscuity then bring protection.
Mar 1st, 2003
andy
Still, the problem seems to me to rest solely with Outlook. Why should any ‘foreign’ script be allowed to perform operations like reading the address book or sending email without the user’s permission?
Seems to me that applying some logical security ideas in the development of Outlook would save everyone a lot of time and effort. I understand MS wants there to be the possibility of ‘active content’, but that is an issue web browsers have been dealing with for years. Why not use some of the same frameworks in Outlook?
Mar 2nd, 2003
Jason
post more often!!!!
Mar 14th, 2003