Using Redemption is not any different from rewriting your code in
C++/Delphi to directly use Extended MAPI. While not exactly a rocket
science, that does take time and money. Redemption does not use any
black magic (like modifying Outlook code in memory at runtime), it uses
legitimate and fairly well documented API used by Outlook itself. The
whole reason for its existence is that the API (Extended MAPI) has a
very steep learning curve and is not useable from VB/VBA/.Net.
To prevent a virus from hijacking Redemption, you can customize the dll
so that it doesn't even look like the original library - all Class GUIDs
and names stored in the registry to identify Redemption can be changed.
Using Redemption as a virus payload is also impracttical given its size
(500kB for the distributable version).
A virus writer would be much better off either using an SMTP engine
directly (there are literally dozens if not hundreds of open source
libraries that let you send a message to an SMTP server) or using
Extended MAPI directly (less likely given who 90% of the virus writers
are).
There are always ways to write a virus, but the virus writers (just like
everybody else) use the path of least resistance - it was easy to use
Outlook Object Model, security patch made that much harder, so the virus
writers switched to easier alternatives - there were no new viruses of
any significance after MS patched Outlook that use Outlook Object Model.

-----Original Message-----
From: z_coder [mailto:bz@...]
Sent: Wednesday, July 16, 2003 10:39 AM
To: outlook-dev@yahoogroups.com
Subject: In My World Redemption Is A Security Risk :-)


If this wasn't holding up my project, I'd be rolling on the floor in
hysterics. Since I can't laugh about it yet, I hope somebody else
gets a chuckle out of it.

I recently completed my first Outlook application. It's an internal
application using Outlook 2000 with Exchange 5.5 (soon to be 2000).
I informed my supervisor that I wanted to purchase Redemption so my
users wouldn't get the annoying security warnings. Not understanding
the documentation, she saw it as a possible security risk. She
consulted with our network security person. He's been researching
this for three days. Since it's impossible to prove a negative, he
was unable to find any information implicating Redemption as a
security risk, so he declared it a security risk and said we couldn't
purchase it.

When I attempted to explain what it does and doesn't do, his eyes
glazed over. He believes that if the DLL is installed on all of our
systems that somehow an incoming virus can hijack it and use it to
replicate itself undetected. Even though I told him it does not
change the security settings of Outlook, he isn't convinced. He also
seems to think that somehow this DLL is going to hitch a ride on an
outgoing email and wreak havoc throughout the world. This is not by
any means the first time I've used a DLL to bypass system warnings,
but because this one deals with Outlook security it's perceived as
being in some way evil and prone to exploitation.

After you finish having a good laugh over the absurdity of this,
would someone please explain in painfully detailed and simplistic
terms why this DLL is not going to bring on the destruction of the
world as we know it? None of my explanations are sinking in at all.

Thanks to all. Great info on this list.

BZ



--------------------------------------------------------------------
Unsubscribe: mailto:outlook-dev-unsubscribe@yahoogroups.com



Your use of Yahoo! Groups is subject to
http://docs.yahoo.com/info/terms/