SecureMac Company Press

Stay up-to-date with SecureMac’s latest company related news and press releases. View all past press releases and news articles. – Sonata – Outlook Express 4.5 Security Bug

Posted on June 2, 2001

Email encryption problems should be solved in Sonata

by Dennis Sellers,
June 15, 1999, 9:45 am ET

If you’re using a free Mac email application, you inherently have a lack of secure encryption as Andrew Jung, a computer science student at Camosun College (Victoria BC, Canada), recently discovered. Jung was using Outlook Express 4.5 on the family iMac when he came upon what he described a “disturbing bug.”

Jung attempted to use the “Change Current User” menu item of Outlook Express to access his personal email account (three separate email accounts were on the family Mac) when he realized he’d forgotten his password. He clicked “Cancel” was returned to the account selection dialog.

“I selected my step father’s account, typed in his password, and got a message saying that his password was incorrect,” Jung says. “I tried again and again. No go. Then for the heck of it I looked up my password for my account, tried it, and got it. I did the procedure repeatedly, and I can reproduce it every time. Whatever account I click and then cancel, that is the password for all the accounts.”

The situation can be reproduced this way:

Open Outlook Express and at the user account dialog select “New User.” In the settings type in any password you want.

  1.     Select change user from File.
  2.     Select the newly created account, then click “OK.”
  3.     Click cancel at the password prompt.
  4.     Select the user’s account you would like to break into, and click “OK.”
  5.     Type in YOUR password for the new account and you’re in.

DON’T try this at work or to access anyone’s email account without permission. This notice is for “demonstration purposes” only.

MacCentral contacted the Microsoft Macintosh Business Unit at Microsoft, and Product Manager Irving Kwong confirmed the problem. He says Outlook Express doesn’t encrypt mail data stored in the application – but that the problem isn’t unique to Microsoft’s free email application.

“Encryption functionality of mail data does not exist in any free Macintosh email application, as this level of security is best executed at the operating system level,” Kwong says. “Outlook Express’ password protection between multiple users on the same computer is not secure. The password merely acts as a padlock on users’ personal preferences.”

So what is a secure solution? Kwong says it’s coming with the next ramp of the Mac OS, codenamed Sonata.

“You may remember Sonata’s new multiple user environment being demonstrated at the WWDC,” Kwong says (check out our story at “We have been working on support for Sonata’s multi-user functionality for Outlook Express and demonstrated this technology at the WWDC. This is the first offering of system-level security for multiple users sharing a Macintosh and is the best solution for true support, as it ensures password and data security. For Outlook Express customers and Macintosh users looking for a password secure solution for multiple users sharing a computer, we suggest using the upcoming version of Outlook Express with Sonata. The combination of Outlook Express and Sonata is a secure solution for Macintosh users doing email from the same computer. ”

Sonata is due in the second half of the year.

Fixes and more security Issues Snippet from MacFixit

John Mackay offers a way to block the security breach:

Go to the “Startup & Quit” Preferences panel of Outlook Express
Enable “Require Password” and enter a password.
This would appear to prevent anyone from accessing your account at all.  However, Bruce Austin writes of way to potentially breach even this security protection:  Delete the Outlook Express Prefs file for the protected account. He writes: “Outlook opened right up — without requesting any password whatsoever — and there was all my email on display, as per usual.”

Share on Facebook0Tweet about this on TwitterShare on Reddit0Share on Google+0Email this to someone