SecureMac.com

Outlook Express Sonata Security




This page includes a fix and another bug; read below for the other bug and fix. This is a neato bug, and you can only find it in Microsoft products -=) This story was first reported on MacCentral.com's website when computer student Andrew Jung found this hole. It will not faze most people, but if you are on work or school machines running Outlook Express 4.5 with multiple profiles you should read below.

The following is a Maccentral.com article:
Email encryption problems should be solved in Sonata
by Dennis Sellers, dsellers@maccentral.com
June 15, 1999, 9:45 am ET


If you're using a free Mac email application, you inherently have a lack of secure encryption as Andrew Jung, a computer science student at Camosun College (Victoria BC, Canada), recently discovered. Jung was using Outlook Express 4.5 on the family iMac when he came upon what he described as a "disturbing bug."

Jung attempted to use the "Change Current User" menu item of Outlook Express to access his personal email account (three separate email accounts were on the family Mac) when he realized he'd forgotten his password. He clicked "Cancel" and was returned to the account selection dialog.

"I selected my step father's account, typed in his password, and got a message saying that his password was incorrect," Jung says. "I tried again and again. No go. Then for the heck of it I looked up my password for my account, tried it, and got it. I did the procedure repeatedly, and I can reproduce it every time. Whatever account I click and then cancel, that is the password for all the accounts."

The situation can be reproduced this way:

  • Open Outlook Express and at the user account dialog select "New User." In the settings type in any password you want.

  • Select change user from File.

  • Select the newly created account, then click "OK."

  • Click cancel at the password prompt.

  • Select the user's account you would like to break into, and click "OK."

  • Type in YOUR password for the new account and you're in.

DON'T try this at work or to access anyone's email account without permission. This notice is for "demonstration purposes" only.

MacCentral contacted the Microsoft Macintosh Business Unit at Microsoft, and Product Manager Irving Kwong confirmed the problem. He says Outlook Express doesn't encrypt mail data stored in the application - but that the problem isn't unique to Microsoft's free email application.

"Encryption functionality of mail data does not exist in any free Macintosh email application, as this level of security is best executed at the operating system level," Kwong says. "Outlook Express' password protection between multiple users on the same computer is not secure. The password merely acts as a padlock on users' personal preferences."

So what is a secure solution? Kwong says it's coming with the next ramp of the Mac OS, codenamed Sonata.

"You may remember Sonata's new multiple user environment being demonstrated at the WWDC," Kwong says (check out our story at http://www.maccentral.com/news/9905/10.sherlock.shtml). "We have been working on support for Sonata's multi-user functionality for Outlook Express and demonstrated this technology at the WWDC. This is the first offering of system-level security for multiple users sharing a Macintosh and is the best solution for true support, as it ensures password and data security. For Outlook Express customers and Macintosh users looking for a password secure solution for multiple users sharing a computer, we suggest using the upcoming version of Outlook Express with Sonata. The combination of Outlook Express and Sonata is a secure solution for Macintosh users doing email from the same computer."

Sonata is due in the second half of the year.





Fixes and more security issues

Snippet from MacFixit:
John Mackay offers a way to block the security breach:

  • Go to the "Startup & Quit" Preferences panel of Outlook Express.

  • Enable "Require Password" and enter a password.

This would appear to prevent anyone from accessing your account at all. However, Bruce Austin writes of a way to potentially breach even this security protection: Delete the Outlook Express Prefs file for the protected account. He writes: "Outlook opened right up -- without requesting any password whatsoever -- and there was all my email on display, as per usual."
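Kwong's "padlock on preferences" description and the Prefs-file deletion reported above come down to the same design point: a password that only gates the application does nothing for mail that is stored unencrypted. The following is an added example, not code from Outlook Express, MacCentral or MacFixit; the profile layout and every function name are hypothetical, and the SHAKE-256 keystream stands in for a vetted authenticated cipher.

```python
import hashlib, hmac, os

def derive(password: str, salt: bytes) -> bytes:
    # 64 bytes: the first half encrypts, the second half authenticates
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # SHAKE-256 keystream as a stand-in for a vetted AEAD (illustration only)
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

# Padlock model: the password check lives in prefs, the mail is stored in clear.
def padlock_profile(password: str, mail: bytes) -> dict:
    salt = os.urandom(16)
    prefs = {"require_password": True, "salt": salt, "verifier": derive(password, salt)}
    return {"prefs": prefs, "mail": mail}

def padlock_open(profile: dict, password: str) -> bytes:
    prefs = profile.get("prefs")  # a missing prefs file means default settings
    if prefs and prefs["require_password"]:
        if not hmac.compare_digest(derive(password, prefs["salt"]), prefs["verifier"]):
            raise PermissionError("wrong password")
    return profile["mail"]

# Sealed model: the mail store itself is encrypted under a password-derived key.
def sealed_profile(password: str, mail: bytes) -> dict:
    salt, nonce = os.urandom(16), os.urandom(16)
    k = derive(password, salt)
    ct = keystream_xor(k[:32], nonce, mail)
    tag = hmac.new(k[32:], nonce + ct, "sha256").digest()
    return {"prefs": {"require_password": True}, "mail": salt + nonce + tag + ct}

def sealed_open(profile: dict, password: str) -> bytes:
    blob = profile["mail"]
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    k = derive(password, salt)
    expected = hmac.new(k[32:], nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise PermissionError("wrong password or modified store")
    return keystream_xor(k[:32], nonce, ct)

def delete_prefs(profile: dict) -> dict:
    # The step Bruce Austin describes: the prefs file is gone, the mail remains.
    return {name: data for name, data in profile.items() if name != "prefs"}

if __name__ == "__main__":
    mail = b"Subject: constructed sample\n\nhello"  # constructed sample data
    print(padlock_open(delete_prefs(padlock_profile("pw", mail)), ""))
```

In the padlock model, removing the prefs entry returns the mail with no password at all; in the sealed model the same removal changes nothing, because the key material never lived in the preferences.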




All material (c) 2014 SecureMac.com and respected owners