Homepage   Open Systems 
 Weblog   What is FLOSS? 

Digital Copyright Canada

 Clients, Associates   Services 
 PDF and other Viewers   Network Status 

Why we do not accept attachments from Microsoft Outlook or Microsoft Office

Due to the proliferation of Microsoft Outlook based viruses, I no longer accept messages from Microsoft Outlook which contain attachments of any type. This includes messages which have HTML or Rich Text.

If you need to get an attachment to me, please send it via some other email software or write to me (without attachment of any type) to ask about alternatives.

If you did not intend to send an attachment, please read the instructions on how to configure your email packages to send plain text email.

Please avoid sending me Microsoft Office file attachments. If you must send me word-processor or presentation files, please convert to an open vendor-neutral royalty-free file format such as the one used by OpenOffice.org.

If you are unaware of the OASIS open office XML file format, I can make a presentation to your organization such as the one I prepared for Real World Linux 2003.

While it is possible for me to open and save-as Microsoft Office file formats using OpenOffice.org, as you will note in the documents from the Free Software Foundation discussing Palladium or some other "treacherous computing", this may not apply to future versions of these file formats. It is best for all computer users if we work together to migrate entirely away from file formats that are controlled by single vendors and instead switch to open vendor-neutral royalty-free file formats.

Note: Sometimes I make exceptions and accept Microsoft Office files, import them to OpenOffice.org, make changes, and send back in the OASIS open office XML standard format. If the recipient can't read this open vendor-neutral royalty-free file format then it is obviously a deficiency of their inferior office productivity software. Unlike Microsoft Office files which only work well with specific versions of specific brands of tools, the OASIS open office XML format is well documented and you can even download the reference implementation (OpenOffice.org) for free!


Famous People

Sometimes it takes a famous person saying something before people will take notice. For the Internet the most well-known part is the World Wide Web. Tim Berners-Lee , the person most often credited as the inventor of the World Wide Web, has this to say on his personal website (Copied January 6, 2003):

What not to email

Email is safe unless it contains programs. (Data and documents are fine, programs are not). If you send me a program, I will not run it, as it could damage my system and could be a virus.


Further reading about the Microsoft Outlook/Office virus issue

It needs to be remembered that the viruses that attack various email packages, primarily those from Microsoft, are not the result of accidents. They are the result of deliberate design flaws, where adequate security warnings were provided by the standards bodies that documented the Email standards.

Nor should the blame be put only onto the authors of the malware who make use of these design flaws. If someone put a sign on their own unlocked door saying "please walk in and steal from me", would you put all the blame for this crime on the person that commits the theft? For more on this idea, please read: Opinion: Idiocy Imperils the Web by Jim Rapoza of e-Week.

The relevant standards document that Microsoft needed to read in order to implement file attachments are as follows:

RFC 1341 , dated June 1992. This was was updated by RFC 1521, dated September 1993. This was further updated by Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types RFC 2046 , dated November 1996.

See: 4.5.2. PostScript Subtype

Postscript is given as a popular file format at the time which contained a rich enough language to contain scriptability. The same security warnings apply to HTML, PDF and especially Microsoft Office files which also contain scripting feature. These file types were not mentioned as they were not yet popular to be transmitted by email at the time the documents were authored.

Pretty much all the high profile (those that are bad enough that they show up in the mainstream media) viruses make use of this design flaw where Microsoft Outlook will automatically view an attachment, and the attachment viewer automatically executes scripts that are contained in the attachment.

Microsoft Outlook was first released as part of Microsoft Office 97, released late 1996. Outlook replaces Microsoft Exchange client, which replaced Microsoft Mail in 1996.

To the question "Does Microsoft Mail support MIME?", the comp.mail.mime FAQ said "almost--maybe".

The important part to remember is that Microsoft was warned before they wrote or released the relevant software, and they deliberately ignored the security warnings contained in the standards documents. These critical security related design flaws have still not been fixed almost a decade later.

Negligence

Some members of the Internet Engineering Task Force (IETF), the body that defines standards for the Internet, believe that Microsoft should be held accountable as criminally negligent for the proliferation of these viruses. Keith Moore, author or co-author of many RFC's, posted a message to the ietf@ietf.org mailing list (local copy) about this issue.

This decision has cost the network billions of dollars, including significant costs to people who do not use that company's software products (and who therefore aren't bound by its EULAs).

Words that come to mind to describe this include: Willful, Criminal, and Negligence. Another word that comes to mind: Prison. As in "some people need to spend a lot of time there".


Last updated: $Date: 2005/01/18 00:24:58 $ UTC

Get Firefox! hacker 
emblem