Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00


                                            `You may read this story online at:  
Email encryption problems should be solved in Sonata  
If you're using a free Mac email application, you inherently have a   
lack of secure encryption as Andrew Jung, a computer science student   
at Camosun College (Victoria BC, Canada), recently discovered. Jung   
was using Outlook Express 4.5 on the family iMac when he came upon   
what he described a "disturbing bug."  
Jung attempted to use the "Change Current User" menu item of Outlook   
Express to access his personal email account (three separate email   
accounts were on the family Mac) when he realized he'd forgotten his   
password. He clicked "Cancel" was returned to the account selection   
"I selected my step father's account, typed in his password, and got   
a message saying that his password was incorrect," Jung says. "I try   
again and again. No go. Then for the heck of it I looked up my   
password for my account, tried it, and got it. I did the procedure   
again over and over, and I can reproduce it every time. Whatever   
account I click and then cancel, that is the password for all the   
The situation can be reproduced this way:  
Open Outlook Express and at the user account dialog select "New User."   
In the settings type in any password you want.  
Select change user from File.  
Select the newly created account, then click "OK."  
Click cancel at the password prompt.  
Select the user's account you would like to break into, and click "OK."  
Type in YOUR password for the new account and you're in.  
DON'T try this at work or to access anyone's email account without   
permission. This was for "demonstration purposes" only.  
MacCentral contacted the Microsoft Macintosh Business Unit at Microsoft,   
and Product Manager Irving Kwong confirmed the problem. He says Outlook   
Express doesn't encrypt mail data stored in the application - but that   
the problem isn't unique to Microsoft's free email application.  
"Encryption functionality of mail data does not exist in any free   
Macintosh email application, as this level of security is best executed   
at the operating system level," Kwong says. "Outlook Express' password   
protection between multiple users on the same computer is not secure.   
The password merely acts as a padlock on users' personal preferences."  
So what is a secure solution? Kwong says it's coming with the next ramp   
of the Mac OS, codenamed Sonata.  
"You may remember Sonata's new multiple user environment being   
demonstrated at the WWDC," Kwong says (check out our story at "We have been   
working on support for Sonata's multi-user functionality for Outlook   
Express and demonstrated this technology at the WWDC. This is the   
first offering of system-level security for multiple users sharing a   
Macintosh and is the best solution for true support, as it ensures   
password and data security. For Outlook Express customers and   
Macintosh users looking for a password secure solution for multiple   
users sharing a computer, we suggest using the upcoming version of   
Outlook Express with Sonata. The combination of Outlook Express and   
Sonata is a secure solution for Macintosh users doing email from the   
same computer. "  
Sonata is due in the second half of the year.