Is Outlook Express immune to this or does it execute VB script too?
If you have VBS installed (Windows Scripting Host) and you execute the attachment you will be in big trouble. This applies to all Windows mailers, whether it be Eudora or Communicator or whatever. AFAIK, the only mailer that automatically executes VBS is Outlook.

The real culprit here is the power that Microsoft apps (Outlook in particular) give to VB Script. On the one hand, it's nice that Microsoft gives companies workflow management capabilities over e-mail through the use of a generic scripting service (VBS lets you do some pretty neat things with client-side scripting). On the other hand, this is way too much power to be providing to an Internet-connected user base. The Java sandbox model is much more appropriate for that specific context, given that the basic (non-NT) Windows PC doesn't have any concept of system security. Even JavaScript is much less harmful, but that's mostly because it has a fairly limited command structure, not because it's inherently "more secure."

I think that Microsoft really needs to evaluate their security model for mail in general. The simplest approach would be to do Zones like they have for Web content, where mails from certain sites are "trusted" and mails from other sites have varying degrees of distrust. Determining "trust" with e-mail is hard though. Do I "trust" somebody in my Address Book, even though that's where most of these viruses are coming from?

Maybe users should disable whatever Scripting Host services they have installed. This isn't entirely possible since a lot of Microsoft apps and services depend on Windows Scripting Host in order for them to even function (the Windows Update service requires it, for example). Obviously not everybody can do this. Firewall filters that cull VBS attachments are another option, but of course the same problems show up with EXE attachments (or with LNK attachments as we saw with Eudora last week).
AppleScript attachments for Mac users could easily be just as deadly given the access they have. The only reason they're relatively safe is that nobody wants to waste time writing scripts that only affect 10% of the user base. And of course, any of the Unix mailers will gladly accept malicious attachments too, so as a platform it's certainly no safer (although if you're running a limited-rights account you won't be able to do as much damage by running an untested attachment as if you run a highly privileged account; I'm sure nobody here does that, right?).

It's just very hard to make e-mail secure, unless you're doing virus scans on every message at every way-station. In the meantime, don't open unknown attachments, and don't run Outlook.

--
Eric A. Hall    ehall@ehsco.com
+1-650-685-0557    http://www.ehsco.com
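
The attachment-culling filter mentioned in the message above, as an added example that is not part of the original post: it walks a MIME message and reports attachments whose final extension is one of the three types the post names. The sample message, addresses and filenames are constructed for illustration.

```python
import email
from email import policy

# Extensions named in the post; a production list would be longer.
BLOCKED_EXTENSIONS = {".vbs", ".exe", ".lnk"}

# Constructed sample message, not a real capture.
SAMPLE = b"""\
From: alice@example.com
To: bob@example.com
Subject: meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

See attached.
--XYZ
Content-Disposition: attachment; filename="notes.txt"

harmless
--XYZ
Content-Type: application/octet-stream; name="Notes.TXT.VBS"

constructed placeholder body
--XYZ--
"""


def is_blocked(name: str) -> bool:
    """True if the final extension is on the block list."""
    # Normalise case and drop trailing dots/spaces, which Windows ignores.
    cleaned = name.strip().rstrip(". ").lower()
    dot = cleaned.rfind(".")
    return dot != -1 and cleaned[dot:] in BLOCKED_EXTENSIONS


def blocked_attachments(raw: bytes) -> list[str]:
    """Return filenames of MIME parts that the filter would cull."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # get_filename() reads Content-Disposition filename=, then Content-Type name=
    names = (part.get_filename() for part in msg.walk())
    return [n for n in names if n and is_blocked(n)]


if __name__ == "__main__":
    print(blocked_attachments(SAMPLE))
```

The check looks only at the declared filename, so it catches the double-extension and name-only cases shown but says nothing about what the attachment actually contains.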