MS Outlook/Outlook Express Preview Pane Security Issue

From: Jeff Uslan (jeff_uslan_at_speakeasy.net)
Date: 03/26/04

  • Next message: Shaun Colley: "phpBB2 2.0.8 privmsg.php SQL injection patch (critical)."
    To: <jeff_uslan@speakeasy.net>
    Date: Fri, 26 Mar 2004 10:49:10 -0800
    
    
    

    FYI

    Just a reminder that if you are using anything but Outlook 2003. The HTML
    injection issues and other such exploits with just viewing the preview pane
    have mostly been taken care of in the older versions but issues are still
    popping up. If you want to use the preview pane I would recommend Outlook
    2003 it has a greater security model and the preview pane will not execute
    any HTML code or download any HTML embedded pictures unless you actually
    tell it to on an e-mail by e-mail basis.

    I believe some of these features will also be added to Outlook Express with
    the release of XP SP2, but until then I'd steer clear of the preview pane on
    older Outlook versions.

    If your curious why you don't want embedded HTML pic's downloaded
    automatically, this is a confirmation method used by spammers to verify you
    received their e-mail and that your e-mail address is valid.

    Regards,

    Jeff Uslan, CISM, DHS
    Chief Information Security Officer
    Absolute Computer Security Consulting
    jeff_uslan@speakeasy.net
    * 805.498.3568 office
    * 805.218.3182 cell
     


  • Next message: Shaun Colley: "phpBB2 2.0.8 privmsg.php SQL injection patch (critical)."

    Relevant Pages

    • Re: trouble opening Outlook express attachments
      ... Start Outlook Express. ... Click the Security tab, click to clear the Do not allow attachments to be ... Another way to help protect yourself from email viruses infecting your computer ... if you use Outlook Express is to disable the Preview Pane. ...
      (microsoft.public.windowsxp.general)
    • [NT] Buffer Overflow in Microsoft Internet Explorer
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... This vulnerability ... the target visits a web page or views an HTML email message. ... * Microsoft Outlook and Outlook Express ...
      (Securiteam)
    • RE: MS Outlook/Outlook Express Preview Pane Security Issue?
      ... but setting security does do a lot. ... MS Outlook/Outlook Express Preview Pane Security Issue? ... >>Outlook and Outlook Express even when latest patches are installed? ... to facilitate one-on-one interaction with one of our expert instructors. ...
      (Security-Basics)
    • RE: MS Outlook/Outlook Express Preview Pane Security Issue?
      ... The biggest problem I saw with the preview pane is it could be tricked ... Outlook of any version then you are at risk. ... MS Outlook/Outlook Express Preview Pane Security Issue? ... Attend a course taught by an expert instructor with years of ...
      (Security-Basics)
    • Re: Outlook converts my HTML email to text
      ... I've been following Outlook security issues for nearly 10 years now. ... Potential vulnerabilities are addressed with the occasional security patch for IE or Word, although we could all wish for those to come faster. ... If you know of an instance in the past 5 years when an HTML message by itself caused an actual -- not a theoretical -- problem on a system running a fully patched, current version of Outlook, I'm sure we'd all be able to learn something from it, but I don't recall such a case. ... The default in Outlook is to render HTML-formatted e-mails in the Restricted Sites security zone, and the default for the Restricted Sites security zone is at its High settings level. ...
      (microsoft.public.outlook)