[28590] in North American Network Operators' Group
product liability (was: Virus Update)
daemon@ATHENA.MIT.EDU (William Allen Simpson)
Tue May 9 10:58:31 2000
Message-ID: <3918271B.9BF54BF4@greendragon.com>
Date: Tue, 09 May 2000 10:56:33 -0400
From: William Allen Simpson <wsimpson@greendragon.com>
MIME-Version: 1.0
To: nanog@merit.edu
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu
Apparently, this is just another example where M$ ignored reports of
the security vulnerability for years, and now everyone else has to pay.
Lloyd's of London is estimating the cost at $8,000,000,000 and rising.
There's a report of another security hole that Netscape fixed years ago,
but still exists in Outlook:
http://news.cnet.com/news/0-1005-200-1820959.html
Are any of our bigger ISPs willing to initiate a class action to recover
the costs?
Dean Robb wrote:
>
> At 06:56 PM 5/4/00 -0400, David Charlap wrote:
> >
> >One of them (I think Outlook) can also auto-launch attachments when the
> >message is selected (and displayed in the preview window) and not even
> >opened. This is a _BIG_ security hole that Microsoft has not fixed,
> >despite other virusses (like Melissa) which have already taken advantage
> >of it.
> >
>
> There are instructions for disabling ActiveScripting in Outlook on the MS
> website. It's enabled by default. That'll stop the attachements from being
> auto-executed. Remember, according to their TV ads, MS exists to help the
> consumer!
>
WSimpson@UMich.edu
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
