Prev: Stop certificates showing as attachments in Inbox (OL2007)
Next: Clients see embedded images as attachments but we don't see ones a
From: Keith on 24 Mar 2010 09:18
Having just lost a day because the Access database someone tried to send me
got blocked by Outlook, I finally came across William Kennedy's article
"Blocked attachments: The Outlook feature you love to hate."

Well I agree with you in one respect, Mr Kennedy. I certainly hate this
feature. It has that sort of "nanny state" feel about it ("nanny state" is a
common derogatory phrase in the UK for when government or officialdom impose
unnecessary restrictions on people, supposedly for their own good).

There are two things that mystify me. Firstly, in what way is an Access
database more dangerous than, say, a Word document, which Outlook does allow
through? Both are capable of carrying malicious software and both are
perfectly safe when received from a trusted source or by a user who knows how
to look after himself.

Secondly, why the intransigence with regard to allowing expert users at
least some leeway in overriding this? I accept, and even approve of, blocking
such attachments by default so that unwary or novice users are protected. I
could even accept not allowing any user to download such attachments
automatically, or even to run them implicitly, thus protecting the self
proclaimed experts from accidentally executing something they shouldn't. But
please allow us the means to explicitly state we wish to save a specific
attachment on our computer if we are confident it comes from a trusted
source. This could be done by means of a warning prompt to check the safety
of individual attachments. Note that I am only advocating "Save" should be
enabled, not "Run", and even then only for users who have explicitly stated
they understand the risks.

In my view, the extra security in not allowing such files through at all,
under any circumstances, is an illusion. As previously mentioned, evil folk
could still send malicious code in Word documents. If someone really wanted
to send a virus in an Access database they can wrap it in a zip file. This
can be save on your disk where, these days, it looks a bit like a folder so
could easily be opened and the contents run, possibly even accidentally. What
extra security is this annoying feature actually buying us?

A while back I wrote my own spam mail filter that removes unwanted items
from my POP3 mailbox before Outlook even gets to look at it. I am seriously
considering enhancing this to download trusted attachments before Outlook has
a chance to throw them away.

Regards
Keith
From: dlw on 24 Mar 2010 10:06
or, edit the registry to let them through...

"Keith" wrote:

> Having just lost a day because the Access database someone tried to send me
> got blocked by Outlook, I finally came across William Kennedy's article
> "Blocked attachments: The Outlook feature you love to hate."
>
> Well I agree with you in one respect, Mr Kennedy. I certainly hate this
> feature. It has that sort of "nanny state" feel about it ("nanny state" is a
> common derogatory phrase in the UK for when government or officialdom impose
> unnecessary restrictions on people, supposedly for their own good).
>
> There are two things that mystify me. Firstly, in what way is an Access
> database more dangerous than, say, a Word document, which Outlook does allow
> through? Both are capable of carrying malicious software and both are
> perfectly safe when received from a trusted source or by a user who knows how
> to look after himself.
>
> Secondly, why the intransigence with regard to allowing expert users at
> least some leeway in overriding this? I accept, and even approve of, blocking
> such attachments by default so that unwary or novice users are protected. I
> could even accept not allowing any user to download such attachments
> automatically, or even to run them implicitly, thus protecting the self
> proclaimed experts from accidentally executing something they shouldn't. But
> please allow us the means to explicitly state we wish to save a specific
> attachment on our computer if we are confident it comes from a trusted
> source. This could be done by means of a warning prompt to check the safety
> of individual attachments. Note that I am only advocating "Save" should be
> enabled, not "Run", and even then only for users who have explicitly stated
> they understand the risks.
>
> In my view, the extra security in not allowing such files through at all,
> under any circumstances, is an illusion. As previously mentioned, evil folk
> could still send malicious code in Word documents. If someone really wanted
> to send a virus in an Access database they can wrap it in a zip file. This
> can be save on your disk where, these days, it looks a bit like a folder so
> could easily be opened and the contents run, possibly even accidentally. What
> extra security is this annoying feature actually buying us?
>
> A while back I wrote my own spam mail filter that removes unwanted items
> from my POP3 mailbox before Outlook even gets to look at it. I am seriously
> considering enhancing this to download trusted attachments before Outlook has
> a chance to throw them away.
>
> Regards
> Keith
 | 
Pages: 1
Prev: Stop certificates showing as attachments in Inbox (OL2007)
Next: Clients see embedded images as attachments but we don't see ones a