[NT] NoHTML Built-in Outlook 2002 Feature Protects Against Malicious Code
From: support@securiteam.com
Date: 12/18/01
From: support@securiteam.com To: list@securiteam.com Date: Tue, 18 Dec 2001 16:35:59 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
NoHTML Built-in Outlook 2002 Feature Protects Against Malicious Code
------------------------------------------------------------------------
SUMMARY
This article describes a new feature that is added to Outlook 2002 in
Microsoft Office XP Service Pack 1 (SP-1). This feature allows individual
users to set Microsoft Outlook to read all non-digitally-signed e-mail or
non-encrypted e-mail in plain text format.
This change also allows system administrators to use policies to lock down
users to read all non-digitally-signed e-mail or non-encrypted e-mail in
plain text only.
Digitally signed e-mail or encrypted e-mail is not affected by this update
and cannot be modified by a system policy. Digitally signed e-mail or
encrypted e-mail is read in its original format.
DETAILS
Enable the "Read as Plain Text" Feature:
WARNING: Using Registry Editor incorrectly can cause serious problems that
may require you to reinstall your operating system. Microsoft cannot
guarantee that problems resulting from the incorrect use of Registry
Editor can be solved. Use Registry Editor at your own risk.
For information about how to edit the registry, view the "Changing Keys
and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and
Delete Information in the Registry" and "Edit Registry Data" Help topics
in Regedt32.exe. Note that you should back up the registry before you edit
it. If you are running Windows NT or Windows 2000, you should also update
your Emergency Repair Disk (ERD).
To enable the "Read as Plain Text" feature, you must make the following
additions to the system registry:
1) Click Start and then click Run. In the Open box, type regedit.
2) Navigate to the following registry key:
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Options\Mail
3) On the Edit menu, point to New, and then click DWORD Value.
4) With the new DWORD selected, type ReadAsPlain.
5) Double-click to open the new value. In the Value Data box, type 1 and
then click OK.
NOTE: "Read as Plain Text" is turned on and the BodyFormat property is
locked at 1. (Help says it's read/write.) Any attempt to set it to another
value will result in an error.
6) Repeat steps 3 through 5, but instead type EnableLogging.
7) Click OK and then close the registry.
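
The same registry changes as steps 1 through 6, scripted with a read-back check so the result can be verified per user. This is an added example, not part of the original advisory or the Microsoft article; the function names Get-MailOptionState and Enable-MailOption are hypothetical, and the key path and value names are the ones given in the steps above.

```powershell
# Added example: scripted form of steps 1-6 for the current user (HKCU).
# Function names are illustrative; key and value names come from the steps above.
$KeyPath    = 'HKCU:\Software\Microsoft\Office\10.0\Outlook\Options\Mail'
$ValueNames = @('ReadAsPlain', 'EnableLogging')   # steps 4 and 6

function Get-MailOptionState {
    # Returns 'Missing', 'WrongType', 'Disabled' or 'Enabled' for one value.
    param([Parameter(Mandatory)][string]$Name, [string]$Path = $KeyPath)
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key -or $key.GetValueNames() -notcontains $Name) {
        return 'Missing'
    }
    # A string or binary value with the right name does not count:
    # the steps call for a DWORD.
    if ($key.GetValueKind($Name) -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
        return 'WrongType'
    }
    if ($key.GetValue($Name) -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Enable-MailOption {
    # Creates the key if it is absent, then writes DWORD 1 (steps 3-5).
    param([Parameter(Mandatory)][string]$Name, [string]$Path = $KeyPath)
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # -Force replaces an existing value, including one of the wrong type.
    New-ItemProperty -LiteralPath $Path -Name $Name `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

foreach ($name in $ValueNames) {
    $before = Get-MailOptionState -Name $name
    if ($before -ne 'Enabled') { Enable-MailOption -Name $name }
    $after = Get-MailOptionState -Name $name
    '{0}: before={1} after={2}' -f $name, $before, $after
    if ($after -ne 'Enabled') { throw "$name could not be set to DWORD 1" }
}
```
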
Changes That Users Will Notice
* The setting applies to the preview pane as well as open messages.
* Pictures become attachments to avoid their loss.
* The object model (custom code solutions) may behave unexpectedly,
because the note is still in Rich Text or HTML in the mail store.
* Digitally signed messages are not altered.
ADDITIONAL INFORMATION
The original article can be located at:
http://www.microsoft.com/technet/support/kb.asp?ID=307594
The information has been provided by Microsoft Product Security
<secnotif@MICROSOFT.COM>.